By now you’ve likely heard of the General Data Protection Regulation (GDPR), the new law going into effect on May 25, 2018, that regulates how organizations collect, use, and process the personal data of citizens of the European Union.
Even if your company is not based in the EU, you’re likely still impacted. Any organization that has contacts or customers who are European Union citizens needs to ensure that they’re GDPR compliant.
In case you’re unfamiliar with the new law, here’s a high-level overview of what it entails:
- The data of EU contacts must be processed in a transparent, fair, and lawful manner
- Data must be collected for purposes that are specified, explicit, and legitimate
- The data that is collected must be relevant and limited to what is necessary
- Data must be kept accurate and up-to-date
- Data should be held only for the time necessary and no longer
- All data must be securely processed
Event Farm is committed to privacy and security, and we’re giving you the tools you need to ensure that your events are in compliance with the new law. Take a look at the information below about how you’ll be able to use the Attend platform to comply.
Sending invitations to contacts who have previously opted in
If you’re uploading guests and sending event email invitations to contacts located in the European Union, you’ll need proof that they’ve previously, actively, and explicitly opted in to receiving email communication from your organization.
As long as your primary marketing or email automation system is GDPR-compliant, it will have features that allow you to capture this information, which will ensure your compliance when sending event email invitations to those same contacts through the Attend platform.
As always, Attend is intended to be used to contact only those potential invitees with whom you have an existing relationship or reason to contact. Do not use Attend to send invitations to purchased lists, rented lists, or third-party lists of any kind.
Getting consent from new contacts with GDPR-friendly event registration forms
Under the new law, organizations are required to obtain explicit, opt-in consent when collecting a contact’s data, and to clearly state how that data will be used if and when a contact does give consent. This means you’ll need to obtain consent from anyone whose data you’re collecting during the event registration process, and you’ll also need to include messaging about how you plan to use the data they provide.
To collect opt-in consent for data processing through your Attend registration form, follow these steps:
- Sign in to Attend and open the Plan for the form you would like to edit.
- Select the form you are editing within the Forms section.
- At the bottom of the form page, under Form Settings, check the Terms and Conditions option.
Practicing data minimization
GDPR requires that personal data collected and processed is limited to data that is relevant and necessary for the purpose for which it is being collected. This practice is also called data minimization. To practice data minimization, limit the questions you add to your registration form to those that are necessary for your event guests to answer in order for them to participate in your event.
You can also make question responses optional, so registrants can choose whether or not to respond to them, while still being able to attend the event.
To make a question optional for your registration form, click Show Option next to the question on the Forms page, then change the Required dropdown to “Optional.”
As always, for guests in and outside of the EU, our terms of service do not allow collection of highly sensitive personal data, such as driver’s license or ID numbers, social security numbers, passport numbers, passwords, security credentials, or similar types of personal data.
Handling contact data requests
GDPR states that EU contacts have expanded rights when it comes to the use of their personal data. For example, users have the right to request that their data be deleted, moved, or corrected at any time.
If a contact reaches out to you with any of the above requests regarding data stored in Attend, please submit a support request here.
Ensuring data security compliance
The EU data regulation outlines a set of requirements that data processors must meet in order to be compliant. The data processing procedures for Attend are compliant, and there is nothing more you need to do within the Attend platform to ensure that your contacts’ data is being processed in a lawful manner.
Disclaimer: This article is neither a complete documentation of EU data privacy nor legal advice for your company to use in complying with GDPR. It provides general background information about the law so you best understand how to use Attend to ensure that your event-specific campaigns are compliant.