Enforcing Data Privacy of Event Attendees

If you’re an event manager, you know that ensuring the privacy of your attendees is a top priority. After all, you don’t want their personal information falling into the wrong hands. So here are a few tips on enforcing data privacy at your next event. 

GDPR and Events

GDPR is a new data protection law that impacts companies that collect, use, and maintain the personal details of EU citizens. In light of GDPR’s implementation on May 25, 2018, event managers should know how this affects their organization and attendees at their events. 

Suppose your company handles sensitive attendee information such as name, address, or email. In that case, you’ll want to evaluate whether or not your current processes are in line with GDPR guidelines for data privacy. If they’re not – get ready to make some changes!

Here are ten steps you can take right now toward ensuring an efficient implementation of GDPR across your organization:

  • Segment Participation – Have a different signup flow for each channel of communication
  • Personalized Landing Pages – Create one landing page for each event. Next to the button, include a list of all channels people can sign up for, including email, online forms, and social media. In addition, include an option for attendees to unsubscribe from any communications they do not want to receive in the future. This gives them agency over their emails and other personal information.
  • Consent Management – Clearly state how you will use attendee data when collecting it on your website or while at events. 
  • Data Capture Security – Never ask for financial information such as credit card numbers while collecting email addresses or other personal information via registration forms or events. Instead, only collect what is required to complete the transaction at hand (i.e., name and email only).
  • Privacy Notices – If you need to collect sensitive data such as credit card numbers, have a consent page for your visitors to accept these terms before going further with their registration process. Explain clearly, transparently, and comprehensively how this information will be used.
  • Data Subject Rights – Be prepared to answer questions about an individual’s rights when reviewing, updating, or removing their details from company databases.
  • Post-Event Data Removal – If your organization manages the data collected during an event after it takes place, you need to take steps so that this information does not violate GDPR guidelines. Ensure all attendee information is deleted or anonymized after the event has taken place.
  • Data Protection Officer (DPO) – If your organization processes sensitive data regularly, you will need to appoint someone on your team who knows what needs to be done to ensure this information doesn’t fall into the wrong hands. Ensure they are up-to-date with GDPR guidelines and can train other employees in how best to implement these changes.
  • Data Security – Make sure that any personal attendee details are securely stored using encrypted technology across all channels where that data may travel. This includes third-party software used for registration, volunteer management, etc. 
  • Educate Employees – Communicate with all employees about the changes that GDPR brings and what they need to do to ensure compliance. Give them the tools necessary to answer questions about data privacy & security, as well as uphold GDPR guidelines for your organization.

Facial Recognition vs. Data Privacy

What about facial recognition technology? GDPR does not prohibit the use of facial recognition; however, it is likely to come under stricter regulation in Europe than it has been so far. According to GDPR, an organization must inform individuals of the existence and use of such technologies and obtain explicit permission from them before they’re used (Article 4(11)). 

This means that unlike CCTV cameras, which can be installed throughout a city with no disclosure or direct consent given by citizens, companies will now need to explicitly inform customers that their faces will be scanned and recorded if they wish to do business on those premises. With such strict regulations surrounding how face-scanning technology is deployed within EU Member States starting May 25, many companies may decide to avoid this technology altogether.

GDPR is not the end of facial recognition for businesses in Europe and elsewhere; rather, it’s just the beginning of how to deploy this technology ethically within the EU. As legislation continues to improve over time, we will likely see facial recognition software become more widely used in everyday life (business, tourism, etc.). But only when consumers are made aware and given the choice to make an ethical decision about whether they wish to be identified or not will this technology truly take off in a responsible way that benefits all parties involved.

Management Software for Data Privacy

For your organization to support GDPR guidelines, you will need internal software that can help monitor and control user access to all sensitive personal data. There are several options on the market for this type of management software. Still, it is essential that you choose one developed with strict GDPR compliance in mind – otherwise, you may find yourself unable to meet these new regulations.

Some good options include:

  • Adobe Pass (Adobe Experience Cloud Services)
  • OneTrust Enterprise Edition
  • TrustArc OneTrust Enterprise Edition – This web-based platform from TrustArc is explicitly designed with GDPR in mind, giving organizations granular control over who views what information within the system.

List of New Privacy Laws in the United States

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) was approved in June 2018 and is scheduled to take effect in 2020. The CCPA will apply only to collecting personal data, including video surveillance captured in public spaces such as stores and shopping malls where at least 50 people can be identified by name, image, or another unique identifier.

It does not include security cameras in private residences or other locations not open to the public. In addition, under this new law, companies that collect personal data will need to disclose their privacy practices, including whether they share information with third parties and provide a link for a consumer to opt out of having their information sold.

Massachusetts Data Privacy Law

This law, which went into effect in 2020, states that personal data means “any representation of information that identifies an individual,” including video surveillance. In addition, the law will require companies to tell individuals what data is being collected and why, implement reasonable security protections, and make sure the information isn’t sold or used for unauthorized marketing or otherwise exploited.

There are exemptions for small-scale closed-circuit television (CCTV) systems operated by private entities, for example businesses that monitor their own premises such as factory floors and shipping docks.

New York Privacy Act

The New York State Senate passed a bill in May 2019 that would require companies to disclose what kind of data is being collected, provide an opt-out right for individuals whose personal data is collected or used, and set security protections for the information. This law also exempts small-scale surveillance systems run by private entities.

Hawaii Consumer Privacy Protection Act

The Hawaii law, which went into effect in early 2020, requires companies to tell individuals what data is being collected and why; disclose any third parties with whom the information will be shared or sold or who will market products based on this information; and provide an opt-out right.

Maryland Online Consumer Protection Act

Maryland’s law, passed in 2018, requires notification when personal data is collected from online users and also when it is sold or shared with a third party. However, the law does not apply to small-scale cameras in private homes.
