GDPR in events
As we have already pointed out, events deal with a massive amount of personal data, it is part of its essence; for that reason, we reiterate that the GDPR not only has impact on the technological part, it is essentially an initiative with fundamental impacts on how we do business, namely by paper, telephone or video.
For this reason, it should not be addressed solely by IT, legal or operations departments, but it should be a concern at the moment Zero of any business (Privacy by Design and Privacy by Default.
A large part of the actions that event organizers do or are faced with on a daily basis may put the organization/agency/company in severe financial risk, , if they ignore the data protection compliance obligations to which they are subject.
In this article we alert you to some examples of actions that can put your company at risk of administrative offenses and fines, among others:
- Do not regulate data processing responsibilities with customers, partners and suppliers;
- Do not ask for consent when required by law;
- Communicate or give access to personal data to other entities without a contract and without the knowledge of the data subject;
- Using forms with marked pre-filled consent boxes without making explicit the way to opt out;
- Failure to ensure a consent storage process (if applicable);
- Freely sharing lists of participants with sponsors, venues and other participants in the event, without a written contract with these companies and without the knowledge of the data subject;
- Making registrations on paper and leaving them on registration counters;
- Not creating rules (through written agreement) to the access of personal data given to temporary collaborators or service providers (only those who unequivocally need to should access the data, and should do so in a regulated way);
- Sending via email non-secure lists;
- Send emails to those who have not given their consent to receive them and do not need to receive them under a contract;
- Do not store information with personal data in encrypted form;
- Not having a data erasure mechanism when there is no longer any legal basis for maintaining them.
Return to our GDPR index: Are your events ready for the GDPR?
Still have questions about this? Talk to us!