GDPR – event organiser best practice

On May 25 2018, the European privacy law, the General Data Protection Regulation (GDPR) took effect.

Designed to strengthen and unify personal data protection for European Union (EU) citizens, GDPR places new obligations on all organisations that offer goods and services to people in the EU regardless of where your business is located.

Who is responsible?

GDPR compliance is a shared responsibility amongst data controllers and data processors.  A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. Entegy is the data processor and Event Organisers are the data controller. This graphic outlines the key principles of GDPR and who is responsible for each aspect.

GDPR principles

What can event organisers do to be compliant?

GDPR Principle: Accurate
Let attendees know how they can update their information if required. Validate and keep data error free.

GDPR Principle: Clearly Communicated
Gain consent during the collection of data phase and outline what the data will be used for.

GDPR Principle: Specific and Relevant
Ensure data collected is only what’s required for it’s intended use. If you only require attendees email and phone number for communication purposes, don’t collect their address.

GDPR Principle: Accountability of Controllers
Ensure your data is stored in a secure database, an encrypted system. Be aware who has access to the data, other employees, external contractors? Everyone who has access to the data should understand GDPR and your organisations privacy policies.

FAQ: Will GDPR affect my existing event data?
Yes, this is the time to clean your data and invite people to re-opt-in. Remove and destroy any individual data you no longer use or don’t need. Review how you seek, record and manage consent and ensure your forms include separate tick boxes for phone contact, contact by email and sharing with third parties like venues, sponsors and speakers. Third parties must be named.

FAQ: Can I share data with my event sponsors?
Unless you have clear, freely-given consent from the attendee to do so as mentioned above, you can’t share their data with third parties. Check any sponsor agreements to make sure you’re not promising the provision of data that you can’t legally share.

person looking at mobile phone

How does Entegy help your GDPR compliance efforts?

As the software provider, Entegy is responsible for ensuring our software includes functionality to support our partners and event organisers to comply with the regulations.
We have introduced some new features to assist event organisers with their compliance efforts including:

  • Login and authentication enhancements
  • Consent capturing with opt in settings, organiser terms and privacy policy
  • Total user control of privacy settings even without an app.

Data and its protection are becoming increasingly important to individuals and society. Entegy is committed to providing our Partners and event organisers with peace of mind through data privacy, security and governance solutions and maintain an ongoing commitment to privacy by design.

GDPR Principle: Lawful, Fair & Transparent
Entegy does not use personal data for any purpose. Personal data is held in the Core (CMS) until the data controller removes the data or requests it’s removal.

GDPR Principle: Securely Stored
Entegy takes security and compliance very seriously. We have existing processes and policies and have undertaken extensive testing to support our global infrastructure. Our processes are continually reviewed and adjusted as compliance needs change and we have been doing the same for GDPR. More details can be found in our Security Profile.

attendees clapping

What we can do together

GDPR Principle: Integrity and confidentiality
It is both the event organiser and Entegy’s responsibility to ensure data is kept confidential and the integrity of data is maintained. Entegy has existing processes and policies in place to maintain the integrity and confidentiality of data, and we ask our partners and event organisers to do the same.

Further reading

DISCLAIMER This article is neither an overview on EU data privacy nor legal resource for your company to use in complying with GDPR or other EU data privacy laws. Rather, it provides background information to help you better understand how Entegy is addressing GDPR. The contents of this article are not the same as legal advice. We encourage you to consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In short, you may not rely on this article as legal advice, nor as a recommendation of any particular legal understanding.