When the European General Data Protection Regulation came into force in May 2018, it had far-reaching consequences for event planners. The change was felt most in participant management, where guest data is collected and processed: data processing procedures had to be reviewed and adapted. Even today, uncertainties about compliance with the EU GDPR persist or have resurfaced. The pandemic-driven boom in virtual events has raised new questions: What about data privacy for virtual events? Which tools and providers can I use to conduct GDPR-compliant online events?
The General Data Protection Regulation comprises 99 articles. We have compiled a brief overview here with the most important points on data privacy for events.
Data minimization and purpose limitation. So-called data economy means that as little data as possible should be collected: only the data that is necessary for the stated purpose. For example, organizers should ask themselves whether they really need the private addresses of their participants. Are goody bags being sent out? Then the private address may be collected. Is the event purely virtual? Then name and email address will probably suffice.
Self-determination. The little box that waits for the consenting tick has become an integral part of any registration process. Personal data may only be stored with the consent of the persons concerned, and registration forms must always obtain the participants' active consent.
Transparency. Participants have the right to know which of their data is stored and how. For this transparency, organizers need an overview of the data stored and where it is stored. If they have to provide information, the data overview should be readily available. The right to know also goes hand in hand with the right to be forgotten. Participants can demand the deletion of their data. Therefore, it is advisable to design a deletion concept that can react quickly to such requests.
Encryption. The first step is the secure transmission of personal data, which must be protected in transit. Websites where participants' data is collected, whether via registration forms or during virtual events, must therefore be served over properly configured HTTPS and kept up to date.
Double opt-in procedure. To document the participants' active consent, the double opt-in procedure is recommended. After registration, a confirmation email is sent containing a link; clicking the link is the participant's active consent to data processing. Only once the participants have confirmed in this way that their data may be processed is storage permitted.
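The following is an added example, not code from AirLST or the original article, showing how a registration system can implement the double opt-in described above: the registration is held as pending, the confirmation link carries an unguessable token whose keyed hash (HMAC with an assumed server-side secret) is all that is stored, and a consent record with a timestamp is written only when the link is clicked. Tokens expire after an assumed 48 hours so unconfirmed data does not linger, and the clock is injectable so expiry can be tested.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Pending:
    """Registration data held until the participant confirms."""
    name: str
    email: str
    created_at: float


class DoubleOptIn:
    TOKEN_TTL = 48 * 3600  # assumed: unconfirmed registrations expire after 48 h

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret        # server-side key; a DB dump alone yields no usable tokens
        self._now = now              # injectable clock for testing expiry
        self._pending = {}           # token HMAC -> Pending
        self._confirmed = {}         # email -> consent record (the evidence GDPR asks for)

    def _mac(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def register(self, name: str, email: str) -> str:
        """Store the registration as pending; return the token for the confirmation link."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, never stored or logged in clear
        self._pending[self._mac(token)] = Pending(name, email, self._now())
        return token

    def confirm(self, token: str) -> bool:
        """Called when the link is clicked; each token works once and only while unexpired."""
        pending = self._pending.pop(self._mac(token), None)
        if pending is None or self._now() - pending.created_at > self.TOKEN_TTL:
            return False
        self._confirmed[pending.email] = {"name": pending.name, "consented_at": self._now()}
        return True

    def is_confirmed(self, email: str) -> bool:
        return email in self._confirmed

    def purge_expired(self) -> int:
        """Delete pending registrations whose link was never clicked; returns the count removed."""
        stale = [k for k, p in self._pending.items() if self._now() - p.created_at > self.TOKEN_TTL]
        for k in stale:
            del self._pending[k]
        return len(stale)
```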
Server locations and storage sites. For the data to remain under the protection of the EU GDPR, it must also stay in the EU and be processed and stored there. Services that store their data in the USA, for example, are therefore a problem for organizers. AirLST, for example, hosts all data stored via its participant management tool in Frankfurt. The data stays in Germany and is not routed via the USA or other non-EU countries during processing.
At virtual events, all participants register on the event platform via their computers, and even the IP address counts as personal data. The consent of the participants is therefore required even if the event is open and no registration is necessary, and whenever interactions, videos, or shared virtual whiteboards are used, that consent must be obtained in advance.