Discover the impact of GDPR and how you, as an event organiser, can remain compliant to ensure your customers’ data remains safe.
This time last year, the new General Data Protection Regulation (GDPR) was prominent in the press, threatening fines for non-compliance of up to €20 million. Each and every one of us was bombarded with emails from companies that we had once signed up to or purchased from, seeking fresh consent for their marketing activities. One year on from what was perceived as potentially the new ‘Y2K bug’, how has GDPR impacted both businesses and individuals, and how compliant are Event Organisers?
GDPR was introduced across Europe to provide a standardised approach to the protection of personal data. Within the first nine months of these new regulations, there were 206,326 cases reported across Europe including 65,000 reports of a potential breach and 95,000 complaints from Data Subjects. The total number of fines for non-compliance is currently €55.96 million, although €50 million of this figure is made up from one fine by the French Authority against Google.
Although the Data Commissioners have been focusing on improvement and rectification rather than big fines for non-compliance, it doesn’t mean that Event Organisers can get away with not undertaking their own due diligence when it comes to GDPR. If you sell tickets for an event, you are a Data Controller and responsible for the personal data of your Customers. It makes no difference whether you are part of a registered company, self-employed or even acting in a voluntary capacity in organising an event: you are accountable under GDPR.
The UK’s Information Commissioner, Elizabeth Denham, is clear on the requirement for accountability, stating “if a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation”. But if you haven’t yet undertaken any work to meet your own obligations under GDPR to safeguard your Customers’ data, it’s not too late to get started.
We present eleven steps to help you on your way to compliance and ensuring your Customers' data remains safe.
- Visit the ICO website
Our recommendation as a starting point is to visit the ICO website where there is a wealth of information and guidance for small business on GDPR compliance.
- Appoint a GDPR Champion
You must take GDPR seriously and appoint someone in your organisation or team to take responsibility for GDPR compliance. This person needs to be someone who can take the time to understand your GDPR obligations and which sections of the legislation will or won’t affect you. They also need to be someone who can implement change to ensure compliance and who has the support of the wider team. Some organisations may need to appoint a Data Protection Officer – refer to the ICO guidance as to whether this is a requirement for you.
- Understand the data you collect, process and store
Undertake a data mapping exercise to identify all the personal data that you collect, process, share and store. This may not be limited to your Customers' Data but that of your Employees, Volunteers, Suppliers or Partners. This will provide you with a comprehensive record of your activities and start to identify security concerns, gaps in policy or procedure, failures to securely delete data and data that is no longer relevant and therefore should not be stored.
- Identify the data you share
Identify the third parties with whom you share personal data. This could be TicketSource or other organisations such as MailChimp, your own merchant services, CRM systems or even another Event Organiser. Have you been able to ensure the compliance of these third parties with GDPR and are Data Processing Agreements or Data Sharing Agreements in place?
TIP: If you share Customer Data for marketing purposes with third parties such as other Event Organisers or Venues, TicketSource enables you to seek consent from Customers to share this data; this option can be found in the Event Designer feature.
TicketSource is fully compliant with GDPR and will always act to safeguard your Customers' data and only act in accordance with the Data Processing Agreement which is in place.
- Know why you are processing Personal Data
You can only process Personal Data if you’re able to establish a legal basis for processing. This may be delivery of a contract (e.g. for ticket bookings), legitimate interest or consent.
TIP: Obtaining consent to be placed on a marketing list must now be granular (e.g. the Customer presented with separate options for postal, email or text marketing). You can select which marketing options to present to customers via your Data Protection settings in your TicketSource account.
- Undertake Data Protection Impact Assessments (DPIA)
A DPIA is a process to help you identify and minimise risk in your processing activities. If you undertake processing that is likely to result in a high risk to Individuals, you are required to undertake a DPIA. The ICO also recommends it as good practice for any major project that requires the processing of personal data. The ICO has a checklist to help you decide if a DPIA is necessary, which can be found here: DPIA Checklist
- Understand Individuals’ Rights
Ensure you understand Data Subjects’ rights under GDPR and make sure you have policies and procedures in place to deal with these rights as they arise. These range from Subject Access Requests (a Data Subject’s right to see the data that you hold on them) and the Right of Rectification (to correct personal data) to the Right to be Forgotten (this will depend on your retention policy and whether you have a good reason for holding data for a prolonged period of time beyond the event date).
- Review your GDPR Policies
Review your existing policies and procedures to see if they comply with GDPR. The key policies that you should have in place include (but are not limited to):
- Data Protection Policy
- Data Security Policy
- Data Retention Policy and Procedure
- Data Breach Policy and Procedure
- Subject Access Request Policy and Procedure
- Make data privacy part of your ongoing process
Develop a process to ensure that GDPR compliance is an ongoing focus for you and your team. When you start a project, implement an alternative technology, introduce a new third party processing partner or share data with a different organisation, the above steps should be considered and implemented from the start of the process to ensure you are doing all that you can to maintain the safety of the data.
- Document everything!
Above all else, as you work through this process to meet your GDPR compliance, ensure you document everything. This includes minutes of meetings, reasons for key decisions such as whether you need (or don’t need) a Data Protection Officer, and all processes such as Data Mapping, DPIAs, etc. Should you be in the unfortunate situation where you experience a data breach or a complaint is made to the ICO, this will go some way to demonstrating your accountability and intent to meet your obligations under GDPR, which will place you in a much stronger position compared to doing nothing at all.
If you have any questions regarding the Data Protection features within your TicketSource account, please contact our Support Team on 0333 666 4466 or email@example.com
The advice and features outlined in this article are only meant to assist you in your data protection compliance and not intended as legal advice. We strongly recommend you take your own legal advice in deciding how to comply with GDPR.