Everything you need to know about event app security, privacy, and data

App privacy and security are challenges event organisers face, as the risk of data breaches and increased awareness around individuals’ privacy grows.

To ensure compliance with relevant privacy laws such as GDPR and Australian Privacy Law here are some tips and best practice suggestions.

App privacy and access options

How will attendees access the event app? The type of content and event you are running will guide you to best configure your app access.

Privacy Option 1: Public Access

Public events are those that have no profile data pre-event and do not need to be hidden from the public. Upon downloading the app, all content and information will be accessible with no login details required. Public access is generally used for events that are open to the public, where attendees can arrive on the day and freely access the event App.

Public access can be set-up with an event code and no profile login, meaning a user’s data is not identifiable.

Rockhampton river festival app
The Rockhampton River Festival app is a good example of an event app with public content and no profile login

 

Privacy Option 2: Private Access

A private event app is used when the contents of the app should not be shared with the public. 

The app will be closed off to the public and only accessible using unique profile login information. For additional privacy, content pages can have passwords set to allow for extra security.

A Private Event status can be setup to use unique profile logins. This method can be used to capture attendee login data and force attendees to log into the app before they can access it.

Alternatively, a Private Event can be setup with a Shared Password, rather than profile login. This shared password can be distributed among attendees so they can access the app. This is typically used when there are no profiles, but app content cannot be publicly accessible.

Private Access can be setup with:

  • Profile Login
  • Shared Password
  • Shared Password and in-app registration form

app access

Privacy Option 3: Partially Private Access

A Partially Private event app is a Public Access app with some features or pages that are not open to the public.

Partially Private Access can be used when attendee engagement features such as the activity feed or messages are an additional feature, while the rest of the event app is publically available. For example, these features might only be accessible to registered attendees versus those who arrive on the day. When using this option, be aware that profile login is not forced, and login stats will only reflect those who have logged in, not the full list.

GDPR compliance

On May 25 2018, the European privacy law, the General Data Protection Regulation (GDPR) took effect. Designed to strengthen and unify personal data protection for European Union (EU) citizens, GDPR places obligations on all organisations that offer goods and services to people in the EU regardless of where your business is located.

GDPR compliance is a shared responsibility amongst data controllers and data processors.  A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. Entegy is the data processor and Event Organisers are the data controller. This graphic outlines the key principles of GDPR and who is responsible for each aspect.

GDPR principles infographic

What can event organisers do to be compliant?

  • Accurate – let attendees know how they can update their information if required. Validate and keep data error-free.
  • Clearly communicate what data will be used for and obtain consent – gain consent during the collection of data phase (registration) and outline what the data will be used for. If you intend to share data with sponsors, you must obtain clear, freely-given consent from the attendee to do so.
  • Specific and relevant – ensure data collected is only what’s required for it’s intended use. If you only require attendees email and phone number for communication purposes, don’t collect their address.
  • Accountability of controllers – ensure your data is stored in a secure database, an encrypted system. Be aware who has access to the data, other employees, external contractors? Everyone who has access to the data should understand GDPR and your organisation’s privacy policies.

As the software provider, Entegy is responsible for ensuring our software includes functionality to support our partners and event organisers to comply with the regulations.

Features of the Entegy Suite which facilitate the above requirements:

  • Implement two-level authentication for your event app and unique event code.
  • Capture consent with your terms of use and privacy policy upon login to the app. If you change these, attendees who have already logged in and accepted will need to re-accept.
  • Let attendees know they can update their details and privacy settings at any time from within the app.
  • Give attendees the ability to opt-in when it comes to sharing personal information such as name, email address and contact numbers. The default option should be to only share with connections only.
  • Any messaging between attendees is 100% confidential and not be visible to any other attendees, conference organisers or anyone associated with the event.

app account settings

Further reading

Entegy Knowledge Base guide to App access

More information on GDPR:

https://www.eugdpr.org/
https://www.eugdpr.org/gdpr-faqs.html


DISCLAIMER This article is neither an overview on EU data privacy nor legal resource for your company to use in complying with GDPR or other EU data privacy laws. The contents of this article are not the same as legal advice. We encourage you to consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In short, you may not rely on this article as legal advice, nor as a recommendation of any particular legal understanding.