Online Event registration and Ticket Software - Blog

GDPR Update – An event organizer’s perspective

By now, you must have heard about GDPR in one form or another. If you use a number of online services, chances are your inbox has been inundated with updates about it over the past few weeks. If you are still unsure about this very important acronym, read on.

The General Data Protection Regulation (GDPR) is designed to give EU citizens more control over their data and aims to unify a number of existing privacy and security laws under one comprehensive law. GDPR comes into effect on May 25th, 2018 and it contains the strongest set of regulations to date in the areas of privacy and data security. And since the law is applicable to any business having a connection to EU citizens, this law has a significant effect on any business operating anywhere.

How does GDPR impact organizers?

GDPR is primarily about transparency. It’s about letting your attendee know in simple language what you intend to use their data for. We believe it’s a good thing, as it puts the privacy of the attendee first. This post, alongside listing steps taken by Eventzilla so far, will also attempt to talk about your obligations, as an organizer, as a data controller when collecting and managing your attendees’ personal information. GDPR means organizers will have to make an additional effort to gain consent to hold, use and share people’s data.

Key GDPR Principles

GDPR focuses on the rights of individuals. It gives EU citizens more control over how their personal data is used, the right to know what data is being stored and shared and the ability to opt-out at any time. Here’s an overview of the key principles:

  • Asking for consent clearly
    You can’t use automatic or passive consent when someone registers for your event. Be very clear as to what you will use their personal information for. Also, note that an attendee has the right to withdraw consent at any time.
  • Transparency about how you use a person’s data
    If an attendee needs to use their email to purchase a ticket to your conference, what do you plan to do with their email? If you want to let them know about future events or contact them for other future marketing communications, then it’s good practice to state that clearly on your event page with a consent.
  • Transparency about the retention period for someone’s data
    The length of time to retain data must be assessed on a case-by-case basis. It is a good practice to put data retention information into a privacy policy and make sure that you stick to it.
  • Provide access to user’s personal data upon request
    If an attendee requests details of the information you hold on them, you must be able to provide them with electronic copies of that data within a period of 30 days.
  • Portability of user’s personal data upon request
    If requested/authorized by an attendee, you may have to give them or even a competitor service a copy of their personal information in a commonly used, machine-readable format such as CSV, XML, etc.
  • Provide access to the user to update/rectify their personal data
    If you’re holding incorrect personal information on an attendee you need to be able to correct it at their request or provide them with the opportunity to update it on their own.
  • Delete user’s personal data upon request
    In certain situations, an attendee has ‘the right to be forgotten’, or, in other words, removed. You need to be able to delete their information at their request. Note however that there are some genuine grounds including legal and financial, where you may refuse a request for removal.
  • Use secure data handling practices
    Best practice: data security must be built into your processes from their inception. Decide and keep track of who has access to attendee data and restrict transmission of this information. Don’t share with third parties like sponsors or hotels unless the attendee has consented for you to do so. Put in place a system to revoke former employees’ and consultants’ access to your database. And probably the most obvious one: don’t share passwords.
  • Notify users and authorities upon a data breach
    With GDPR in effect, you will need to report any data breach to the relevant authority and to the user(s) concerned within 72 hours of discovering the breach.
  • Ensure GDPR compliance of vendors and other third parties
    Vendors and third parties come in all shapes and sizes. They could include hotels, sponsors, event registration platforms like Eventzilla, CRM software, etc. You should find out if they are GDPR compliant. Then make sure that you have a contract with them in place reflecting their GDPR compliance.

Eventzilla’s obligations and how we can help

As part of our compliance with GDPR, we have undertaken a number of platform updates to fulfil our obligations both as a data controller as well as a data processor. Be sure to read our updated privacy policy and terms of use for full details.

Below is a quick rundown of some useful tools we provide that can assist you with ensuring compliance as the controller of your attendees’ personal information.

  • Eventzilla’s “Consent” tool
    Eventzilla allows you to create questions and require responses from attendees. By default, attendees will be asked to provide their name and email address to facilitate completion of their registration. You can, however, add custom questions to the form to collect their personal information. We also provide a “Consent” question that you can use to obtain electronic consent from your attendees. You can also include links to your privacy policy and any other terms as part of the “Consent” question.
  • Allow Attendees to edit their data using self-service portal
    When attendees register for your event, we also provide them with the opportunity to register for the “Attendee portal” to manage their event registrations, re-print their tickets etc. This portal provides a convenient mechanism for an attendee to review the personal information they supplied at the time of registration. In the event of an inaccuracy, they can be enabled to update and rectify this data themselves. It is, however, your prerogative to enable or disable this capability. If you choose to disable this capability, you will be solely responsible for updating information on their behalf or requesting the same through us.
  • Export attendees data to extract personal information
    The comprehensive export facility provided by Eventzilla will allow you to export all of the information provided by attendees to you with a single click. You can then use this to extract a particular attendee’s information and/or pass it over to another service if the same was requested/authorized by your attendee.

Reach out to us

We are here to help and to navigate this journey alongside you, so please do not hesitate to get in touch should you have any questions.

Eventzilla Team