Following our recent webinar on GDPR, we thought it would be useful to extract and summarise some of the responses to the audience questions. These were received via our Glisser LIVE platform throughout the session, then addressed by our guests at the end. We've also included a transcript for ease of use.
Featured in the webinar was Arvi Virdee (AV), co-founder of Fileom and Ian Webb (IW), Sales Manager at Eventsforce, in addition to Glisser's founder Mike Piddock (MP).
Here we go...
Can you share delegate lists with sponsors post event?
MP: So the highest voted question is regarding sharing delegate lists with sponsors post-event, I think we've discussed this. Is there a way that you could do it? I guess, Arvi, it's that point about, what doesn't fall under legitimate interest needs to be under consent, and that's the way to do it?
AV: Sharing delegate lists, or responses... yes, there's got to be consent if it's with sponsors.
MP: Would you need to name the sponsors, or would it just be 'The Sponsors'?
AV: You have to name the sponsors
IW: And one question on that, that I'm getting asked a lot from our clients in terms of how they're capturing that consent - at a large event I may be sharing data with sponsors, I may then share that data with exhibitors, because I'm from an exhibitor data retrieval capture service, do you need to split those items and actually allow the delegates to say "actually I would like to opt in to my data to be shared with the exhibitor but not the sponsor'? How explicit do you need to be?
AV: Yes, granular. That's what 'consent' says, if you look at the details it says you've got to be granular, it's got to be opt-in. So per-event you'd need to think about: how many people are actually going to have access to that data. The other thing you'd need to think about is for example, during the registration process there is a hotel accommodation booking involved then you need to take the data and give it to the hotel. That’s part of what I mentioned earlier fulfilling the contract. Whereas, if you only give the data to anyone else for any other purpose then you need consent from the individuals.
MP: So even one piece of data depending on where it goes can have different reasons for it being passable.
IW: An alternative conditions check box is unlikely to be enough anymore.
AV: It has got to be yes, that’s right. It has got to be practical, you have to think about what is practical. The way I always look at it, look at it from the delegates. You have all been to events as delegates so we now have to ask ourselves what would I want to do.
If you use Eventbrite, do you have to delete all historical events and the data held for each event?
MP: The second highest voted question says I use Eventbrite, does that mean I have to delete all the historical events and the data held for each event? Ian, is Eventbrite probably the largest event tech company in the world?
IW: Yes, I think lots of people use that for various reasons. I think that you’ve got two sides of it though. I think you’ve got the deleting of data which really comes down to your data retention policy as an organisation. So what is your basis as Arvi mentioned for keeping hold of that data, so that may vary depending on the type of organisation you are. Then you’ve got more of the side of, taking Eventbrite as an example, how would they store your data, under what circumstances and the whole security aspects around it. So I think you’ve got to split that question into two areas to ensure what the supplier is doing, how they are managing your data and what your policy as an organisation is for attaining the data.
MP: I assume Eventbrite would be storing the data in the United States, outside of the EU?
IW: I certainly think that there are other things that you need to check and if they are, then in your contract with Eventbrite you need to make sure that’s all covered and that’s all documented and that relationship and transfer of data is clear.
AV: I was looking at their privacy for notice recently and yes, they like most companies are in the process of becoming GDPR compliant. They can keep data outside of the UK but under certain conditions and outside of the EU and DEA. Look at the Ts&Cs but very important point is yes, there is a policy notice for Eventbrite but if you are using Eventbrite to capture registration information, you’re also capturing that delegate data, so you also need to have (you as in your company) your own privacy policy, which is different to Eventbrite.
IW: I think a key thing to be clear on there is the ownership of the data, who ultimately has the ownership of the data. So do you as the event organiser retain that ownership or does your tech provider have some element of ownership of that data in terms of what they can do with that data and how it can be used. Technically one thing to look at is more of the infrastructure of the organisation, are they providing one database for your data or are they providing one technology platform where all the data is held because that is two very different technical environments.
MP: Dive into the detail of the provider.
Do we have to worry about our suppliers’ suppliers?
MP: Interesting question there, do we have to worry about our suppliers’ suppliers? So there is a whole chain of people involved in technology.
AV: So this is the most challenging part that I’ve found, I don’t know about you Ian, the realisation for event planners, for example the DMC, if they use the DMC and the DMC then uses two, three, four suppliers further down the chain, their called subprocessers. Services depends on exactly how they are being used, so you could have controller, processer, subprocesser down the line and there is joint liability, so it’s your responsibility to a) you know what your subprocesser is doing and b) what their subprocessor is doing. The way you do that is to have contracts in place, which give guidance and there is guidance on what has to be in those contracts.
IW: And that relates to the question you asked earlier Mike about some for the documents we’re getting from organisations actually and we’re getting asked to document as a technology provider what that chain looks like. And of course if your technology provider’s primarily within the EU that’s a lot easier than if their managing data in various different locations, then that chain can become quite complex and you end up with quite a lot of paperwork and a lot of contractual agreement that you need to be going through.
If you have a large database, do I have to get consent to send out an invite to the next event?
MP: Top one here, I think we may have covered it but it’s worth bringing up again. It’s about having a large database and somebody wanting to send out invites, I guess to the next event. Do you have to get consent, is that legitimate interests. Is that case by case scenario?
AV: It is, like so many things in GDPR’s context, so it’s just hard to…the example I gave before was that if it was a database of people who attended last year’s event then probably under legitimate… you can contact them but again it depends on what the purpose of that list is and you’d probably need more information.
If an attendee wants to be deleted from our list, do we need to instruct our event tech supplier to do so also?
MP: So lets say you’re an event producer and you’re using ten different event tech suppliers, you’ve got other companies who are perhaps the hotels and so on. At that point of right, I want to be off your list, does that flow through the entire chain in the same way.
IW: I think it’s another one of those really hard things to get in place…is actually what is your process when that happens. So you have the responsibility to make sure that all the different places you hold that data is deleted from the registration system, the event app, the server tool you are using…there’s no personal data residing and so it’s another key thing to be planning for.
AV: So I would say yes that’s key, again look at yourself, if you went through a registration process you gave consent to share your data with various suppliers and then you decided no I don’t want it shared anymore. Then yes you would want it removed from all the suppliers further down the line wherever it’s shared.
MP: Another question has come around the consent. When you ask for consent or receive it, do you at that point do you need to give the timeline, the end point how long you are consenting for their data to be stored or is that the level of detail required.
AV: You need to record when consent is given. How long consent lasts depends like many things on a lot of factors. If you use it for example, if you have consent for marketing purposes and then you record that but if you do market to that person and you don’t hear anything or there’s no contact for a period of time, that’s when your data retention policy comes into effect. How you can actually retain data if there is no comeback from the client.
When you ask for consent, do you need to give the timeline for how long their data will be stored for?
MP: Another question has come up around the consent. When you ask for consent or receive it, do you at that point need to give the timeline, the end point, how long they’re consenting for their data to be stored. Or is that not the level for detail that’s required?
AV: You need to record when consent is given. How long consent lasts depends like many things on a lot of factors. If you use it for example, if you have consent for marketing purposes and then you record that but if you do market to that person and you don’t hear anything or there’s no contact for a period of time, that’s when your data retention policy comes into effect. How you can actually retain data if there is no comeback from the client.
Can you publish for attendees, the attendance list, name, position and organisation?
MP: Can I publish for attendees, the attendance list name, position and the organisation? So I guess a lot of event organisers they’re organising an event for networking purposes, often it’s important to understand who else is going to be there to make the decisions to whether you’re going to attend that event. So often the company name, the job title and sometimes the individuals’ name of the people who are going to be attending. Is that allowed as long as it’s not an email address because that’s a marketing tool that event producers are using and as an attendee I’m interested in knowing who’s going to be there and that helps me make my decision. Where does that fall on the line?
IW: I think with that and things related to that, as long as you’re clear and you’re saying what you’re going to do and you give the attendee the opportunity for that not to happen, then that’s ok. But as we talked about earlier it has to be for every piece of use you’re going to use it for. But certainly, you need to allow for attendees for opt out of that.
If we pass information to a hotel to complete a booking, are they prevented for contacting guest for anything other than managing or processing the booking?
MP: If we pass information to a hotel to complete a booking, are they prevented for contacting guests for anything other than managing or processing the booking? So we’ve asked the hotel to perform the contract, you’re not giving the hotel consent to do anything other than perform that contract.
AV: Absolutely correct and very good point as well
If you found this GDPR related blog useful, why not check out more of our GDPR content.
.png)
