December 14, 2018
Event Tech, GDPR compliance
The Event Tech landscape is growing rapidly. The Cramer EventTech Landscape 2019 lists more than 444 different event tools that perform some sort of data processing: registration platforms, badge scanning, event mobile applications, surveys, lead capture tools and much more, all tools that help event organisers collect data about attendees, exhibitors, speakers and sponsors.
Although GDPR already came into force in May 2018, at Blendr.io we still get questions daily on how GDPR affects the Event Tech space. As a data-driven industry, it is essential for Event Organisers and Event Technology companies to understand their responsibilities under the GDPR.
You definitely fall under GDPR when your company or organisation is located within the EU, or if you offer goods or services to EU residents, regardless of your actual location.
So if you organise an event in Europe, or your event attendees are EU citizens or residents (regardless of where your event takes place), then GDPR applies to you. If you use any Event Tech platform (e.g. an event management platform, a registration app, badging systems…), you almost certainly capture and process personal data, so GDPR applies to you. Note that GDPR applies to your technology providers too, even if they are located outside of the European Union.
For example: your organisation is located in Dubai, you organise a conference in Singapore and you promote your conference within the EU. As a result, EU citizens register for your event using an event registration platform located in the US. During registration, you ask for a name and email address. This means you are processing personal data and GDPR applies to you.
‘Data subject’ means an identifiable natural person, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In the events space: event attendees, exhibitors, speakers, sponsors and other people whose personal data is processed.
‘Personal data’ means any information relating to an identified or identifiable natural person.
This includes attendees’, exhibitors’ and speakers’ names, companies they work for, their email addresses, phone numbers and any other data that can identify them.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Applying it to the events industry, a ‘Controller’ is an events organizer.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
A ‘Processor’ can be a registration platform, event management system, event app, and any other tool which an Event Organiser uses and which collects, stores or uses personal data.
‘Sub-processor’ is any business or contractor that customer data may pass through.
A ‘Sub-processor’ is typically a platform used by the Processor. For example, your Processor is an event registration platform, and they use a mailing platform to allow you to send out emails. The mailing platform is a Sub-processor.
An Event Tech company (Processor) must have a DPA (Data Processing Agreement) in place with its Controller (the Event Organizer) and with all its Sub-processors (e.g. software applications used as part of its own service).
An Event Tech company (Processor) and its Sub-processors may not use the data for anything outside the scope of the DPA. This means that an Event Tech company may not decide to start using attendee data for a new purpose such as “user profiling” if this is not allowed by the Event Organizer (Controller).
If an Event Tech company (Processor) needs to work with e.g. an integration platform (Sub-processor), the Event Tech company needs to inform the Event Organizer (Controller) about the Sub-processor they are going to use.
A Controller (Event Organiser) needs to obtain consent from Data Subjects (e.g. attendees) in order to be able to store and use their data. Consent must be active, given through an affirmative action by the Data Subject, rather than passive acceptance through pre-ticked boxes or opt-outs. This means you need a checkbox on your registration page that attendees actively tick in order to consent to the processing of their data, and attendees must be informed of the type of processing.
So, as an event organiser, you cannot simply collect and profile personal data of your Data Subjects (attendees, exhibitors, speakers…) if you do not have consent for this type of processing. Of course, not only the Controller needs to be compliant with GDPR, but also a Data Processor (this is handled in the DPA, see above).
Once the Controller receives consent to process personal data of its Data Subjects, the Controller does NOT need to inform Data Subjects (attendees, exhibitors…) when a new Processor or Sub-processor is going to be used, assuming this does not change the type of processing.
In other words, an event organiser does NOT have to send emails to attendees, to ask a new consent, when switching from one software platform to another. For example, using Blendr.io, an Event Tech integration platform, does not require new opt-ins from attendees, because the type of processing does not change.
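As an added example (not code from the original post or from Blendr.io), here is a Python sketch of how a registration backend can enforce the affirmative-consent rule above and later check whether a processing purpose, such as profiling, or a new processor for the same purpose, stays within the consent that was recorded. The field names, purposes and notice version are constructed assumptions.

```python
"""Consent capture for an event registration form (illustrative, assumed names)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Purposes the attendee was told about on the registration page (assumed).
DECLARED_PURPOSES = frozenset({"event_registration", "event_communication"})
PRIVACY_NOTICE_VERSION = "2018-12-v1"  # constructed placeholder


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence of consent: who, for which purposes, under which notice, when."""
    email: str
    purposes: frozenset
    notice_version: str
    given_at: datetime


def _consent_given(value) -> bool:
    # Accept only an explicit tick: a JSON true or the HTML checkbox value "on".
    # A missing field means the box was never ticked; it is never defaulted to True.
    return value is True or value == "on"


def register_attendee(form: dict) -> ConsentRecord:
    """Validate a submitted form and return the consent evidence to store."""
    if not form.get("name") or not form.get("email"):
        raise ValueError("name and email are required")
    if not _consent_given(form.get("consent")):
        raise PermissionError("explicit consent is required to process registration data")
    return ConsentRecord(
        email=form["email"],
        purposes=DECLARED_PURPOSES,
        notice_version=PRIVACY_NOTICE_VERSION,
        given_at=datetime.now(timezone.utc),
    )


def processing_allowed(record: ConsentRecord, purpose: str) -> bool:
    """A new processor for a declared purpose needs no new opt-in;
    a purpose outside the declared set (e.g. profiling) must be refused."""
    return purpose in record.purposes


def rejects_registration(form: dict) -> bool:
    """True when the form is refused for lack of explicit consent."""
    try:
        register_attendee(form)
    except PermissionError:
        return True
    return False
```

The server-side check cannot see whether the box was rendered pre-ticked, so the form template must render it unchecked; the backend's job is to refuse any submission where the value is absent or false.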
Are you an Event Tech SaaS company? Supercharge your integration capabilities with Blendr.io, an open event technology integration platform which is GDPR compliant and which helps you manage your PII (personally identifiable information) and comply with GDPR. Find more information here.