GDPR for Event Managers: An Expert Opinion
Time is running out: On the 25th of May, the GDPR European General Data Protection Regulation will be coming into force. What will this really change for event managers? We discussed the matter with an expert.
Is it possible to develop a passion for data protection?
Those of you who refuse to entertain such a notion should take the time to listen to Dr Ralf Schadowski’s take on the matter. An expert in data protection and IT security, he can speak about the GDPR with a passion that has to be heard to be believed!
Whether at the FAMA Trade Fair Symposium, the Eventtech Alliance Symposium or, most recently, at the DLG Marketing Day, he encapsulates his audience with his high level of expertise and entertaining presentation. It truly makes data protection a fun experience!
Against the backdrop of the DLG Marketing Day, we spoke to him about the effects of the GDPR on the event industry, hoping to ease some of the panic surrounding the legislation.
Data is money
Event organisers usually form part of small and medium-sized companies. Even an industry giant such as Messe Frankfurt, with 2,500 employees worldwide and an annual turnover of over 660 million Euros, falls under this category. Many associations organise business events, but there are very few event organisers who have an extensive team, or even a comprehensive legal department, at their disposal.
It is therefore no surprise that a number of event organisers are only now starting to get into gear when it comes to the new legislation. They are also definitely thinking about what real impact the European General Data Protection Regulation (GDPR) will have on them, and what they will need to address first if they want to avoid running into difficulties.
“(Participant) data is money, and we have to think very carefully about what we want to do with this data – and this process starts even before the event,” says Dr Ralf Schadowski. “We need permission, the consent of the participants, so that we may continue working with the data afterwards and effectively reach out and appeal to those participants when it comes to promotions and advertising.
Organisers must, upon request from a participant, be able to verify where they obtained this personal data from and what it will be used for. They must be able to prove the consent of the participants, along with the date that this consent was given. If the organiser is unable to do so, then the participant can bring this to the attention of the data protection supervisory authority.”
This means that each organiser is responsible and liable for what happens to the data they acquire.
Where does the data go?
In the digital world, it is becoming increasingly difficult to efficiently reach the target group for an event. It has been a long time since organisers have been able to rely solely on (expensive) brochures; nowadays, they need to pull out all the digital stops as well. This includes advertising offers like those offered by Google, Facebook, or other service providers under keywords such as Re-Targeting, Facebook Pixel, eTracker, or Webtracker.
All these services are characterised by the fact that they track a customer’s “customer journey”, after which they will then display targeted online advertising. One example of a popular advertising medium used on Facebook are the so-called “custom audiences”. This involves using Facebook advertising to reach out to target groups who either visited the event website earlier or are identified by the process of matching up personal data (e.g. available e-mail addresses) on Facebook.
Dr Ralf Schadowski: “When I collect data on websites using tools such as Google Analytics, eTracker, Facebook Pixel, or similar, there are some things that must be implemented. For one, I need to have implemented order processing contracts with these service providers.
If I haven’t, then I will be at risk of a large fine in the event of a data breach. Also included under this umbrella of service providers are, for example, local service providers who take care of registration or participant management. There are a number of legally sound templates that can be used for such data processing contracts, such as the templates that can be obtained from the German Association for Data Protection and Data security (GDD).
Fundamentally, the participant having their data collected must always know where an organiser is sending their data. This is the data path companies must follow. Unfortunately, many companies do not possess this level of transparency.”
Data processing company or service provider?
In the concrete example of remarketing on Facebook via the use of a Facebook Pixel on the event website, Facebook becomes a data processor – because Facebook will be receiving data from users of the event website.
There are two consequences that arise from this fact: The event organiser must enter into a data processing contract with Facebook (which is thankfully settled online, see details here) AND the organiser must include information in its privacy policy that explains to its customers what happens to their data and for what purpose it is transmitted to Facebook. If you use Google Analytics, for example, you can download the agreement with Google here; print out two copies, sign, and send to Google in Ireland.
Ralf Schadowski defines the requirements of the GDPR as follows: “Organisers do not, however, need a data processing contract with a service provider such as Facebook, XING, or LinkedIn if they are just placing ads without using “custom audiences” or other personal data.”
What to do next?
Don’t worry: all event organisers are feeling the same way as you, so there’s no need to panic. Here is a quick to-do list:
1. Check who is receiving data from you and arrange appropriate contracts.
2. If you are a data processing company, get legal advice and draw up an appropriate contract that includes the TOMs (technical and organisational measures).
3. Review your privacy policies on your website with regards to the services you use. The following tool allows you to find out which services are currently in use on your website and block services on other websites: https://www.ghostery.com/
4. Start with the CS (Common Sense) method to analyse your internal processes and to create so-called process directories.
5. Agree on obligations of confidentiality with your employees.
6. Don’t let it drive you crazy. Just get started.
There are a number of checklists available online that you can use as a guide.
Converve also acts for you as a data processing company, and we meet the requirements of the GDPR. Your data, and that of your participants and exhibitors, is safe with us.
