The 12 Step Plan for GDPR Compliance

Steve Jenner leads business development in the UK and Ireland for PlayPass, one of the world’s top providers of RFID solutions for cashless payments, crew accreditation & management and access control at live events. This summer sees more UK events than ever before adopting PlayPass’ technology, including We Are FSTVL, British Summer Time, Standon Calling, 2000Trees, Neverworld, Southbeats and over 200 events worldwide.

May 25 2018 is the day that the most significant legislation of the digital age takes effect, giving individuals enforceable rights over the collection, processing and distribution of their personal data. Data is the lifeblood of the live events industry and everyone involved in the sector will need to actively adapt their working lives around GDPR’s new parameters or risk heavy reprimand.

But don’t panic. The new legislation – much of which is still to be defined – only requires organisations to take reasonable measures to uphold their registered users’ rights and is not intended to be heavy handed, impose onerous restrictions or make it any more difficult to capture or process personal data. It just lays down some fair, best practice rules and enforces these to limit fraud and abuse.

There is a lot of overlap between GDPR and the existing Data Protection Act (DPA) so if – like us – you are already complying with the current law, many of your processes will remain valid under GDPR and you are in an advantageous position. However, some changes are unavoidable, due to some new elements and enhancements being introduced now by GDPR.

At PlayPass we welcome GDPR and look forward to the reduction in online scams and exploitation it pledges, accompanied by a surge of public confidence in compliant digital platforms like our own.

To support you on your GDPR journey, we have compiled this handy 12-step plan to becoming compliant:

1. Create awareness within your organisation

This involves ensuring that everyone in your organisation – especially decision makers and key staff – is mindful of:

  • The changes you’re going to make around collecting, storing, managing and moving personal data
  • The specific implications for the way their department works with data
  • The risks of non-compliance (which can include fines of up to £16 million / €20 million or 4% of turnover)
  • Any areas that could cause compliance problems under GDPR

2. Run an internal data audit

This is to establish what personal data you already hold in your various systems and whether it is compliant.

  • Find out where it came from and if adequate consent was granted by the individuals (pre-ticked boxes and soft opt-ins are no longer acceptable)
  • Identify where the data is stored, when it was last used and what it was used for. If it is stored outside of the EU, is the host GDPR compliant?
  • Was it shared with other suppliers and partners?
  • If so, was it with the individual’s consent and are these third parties GDPR compliant? (see next point)
  • Destroy all data that does meet GDPR standards – from hard drives, email archives and backup – and ensure that any third parties you shared the data with does the same

3. Review your privacy policy

Previously, your privacy policy would need to inform people of your identity and how you intend to use their information. GDPR adds some new requirements, including:

  • Explaining your lawful basis for processing their data
  • Your data retention periods
  • That they can complain to the ICO (Information Commissioner’s Office) if they think there is a problem in the way you are handling their data

For more information on this see the ICO’s Privacy Notices Code of Practice. To reduce our clients’ legal overheads PlayPass now provides GDPR-compliant Privacy Policy templates to events using our technology.

4. Get to know your data subjects’ rights

GDPR does not significantly alter the rights that individuals currently have under the existing Data Protection Act but it does enforce them. If you are already geared-up to uphold these rights, your transition to GDPR should therefore be relatively straightforward.

Under GDPR, people now have the following rights over their personal data:

  • The Right to Be Informed – via an accessible privacy policy made available at the point of registration and written in clear, concise language (no more 25 page legal documents to ‘accept’)
  • The Right to Access – on request, you must provide users with information on the data you hold on them within 30 days (unless there is a reasonable reason for needing longer)
  • The Right to Rectification – on request, you must update users’ data records (for example changes to their address, email or phone number) within a month (or two months if it is a more complex change). You must also inform any third parties that the data has been shared with of the update
  • The Right to be Forgotten – on request, you must erase all records of an individual’s personal data that you hold – unless there is a legal reason to deny the request. You must also instruct any third parties that the data has been shared with to do the same
  • The Right to Restrict Processing – Similar to the Right to be Forgotten, but in the case where it’s necessary to keep storing the data, albeit it cannot be processed further. For example you may need to retain someone’s email address to send them essential information about the event they are attending, but not any marketing emails
  • The Right to Data Portability – Less significant in the events industry, this means you must provide, on request, a person’s data in a format that allows them to reuse this data for another purpose. For example, in the banking industry, standardised data formats are in place so customers can export their bank statements into third party accounting software applications
  • The Right to Object – on request, you must stop processing a person’s data for the purposes of direct marketing without exception

5. Prepare for access requests

When GDPR first takes hold, a swell of public interest and curiosity is inevitable, so brace for a surge of access requests. As data controllers and subjects fall in line with the new protocols, we envisage that the resulting increase in best practice by organisations and confidence from end users will result in a sharp reduction in complaints and access requests over time, however.

Bear in mind, you will need to reply to access requests within 30 days (rather than the current 40 days) and, if you cannot comply with the request, you must explain clearly to the individual why not.

6. Define the lawful basis on which you are processing data

You should identify the lawful basis for your processing activity under GDPR, document it and update your privacy policy to explain it. In most cases, this will be that the user has granted active consent, but GDPR does allow other legal grounds for processing personal data, including:

  • That it’s necessary fulfil your contractual obligations to them
  • Because they have asked you to do something before entering into a contract (eg. provide a quote)
  • In order to comply with a common law or statutory obligation
  • To protect their ‘vital interest’, such as looking-up medical information linked to an RFID wristband in an onsite emergency or parental contact information for a lost child
  • If it is in the public interest, as set out in law

7. Update your consent boxes

Refresh existing consents now across all platforms (websites, apps, mailing lists) if they don’t meet GDPR guidelines which include:

  • Consent must be freely given, specific, informed and unambiguous – no automatic newsletter sign-ups if they register for something else and the user must know clearly what they are consenting to
  • There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity
  • Consent must be separate from other terms and conditions (such as using the website or app)
  • It must be simple and easy to withdraw consent at any time
  • Consent has to be verifiable, for example using a two stage opt-in with email or SMS verification
  • Where your legal basis for processing data relies on consent, any existing data that was gained without the above consent guidelines will have to be destroyed and you will need to get these users to re-opt-in in order to keep them on your mailing lists

8. Think about the children

Less relevant for the event industry which tends to deal directly with parents rather than children (eg. for ticketing, payments and marketing), GDPR is introducing some special protection measures for children’s personal data. For example, they can only give consent for their data to be processed above the age of 16 (although this may be reduced to 13 in the UK) – otherwise verifiable parental consent is required.

9. Prepare for a data breach

This is a key consideration, as failure to comply with GDPR on this point can lead to the heavier fines. Good steps to take here are:

  • Make sure you have the right procedures in place to detect or report the loss or theft of an individual’s data (from online CSV files to printed guest lists)
  • Report data breaches to the ICO (Information Commissioner’s Office) or other such authority if it is likely to compromise the rights and freedom of individuals (for example identity theft or reputational damage)
  • Notify the affected individuals too, within 72 hours

10. Appoint a designated GDPR team member

It is essential to have one key person in your team to take ownership of GDPR and interface with all the moving parts of your organisation that will need to work around the new guidelines.
Larger scale organisations may need to formally designate a Data Protection Officer (DPO)

11. Keep your data safe

From now on, data protection and safeguards must become part of the DNA of all your systems and processes, and at the forefront of all marketing activity (no longer an afterthought).

Define a best practice internal data policy for keeping all personal data as secure as possible, which can be adapted between departments in your organisation that deal with data in different ways. For example, your partnerships team will process more corporate data whereas your marketing team will deal with public visitors.

Items to consider here are:

  • Hardware and system passwords – strength and how often they are changed
  • Firewalls, encryption and anti-virus to protect communications
  • Locks and short time-outs on laptops used at remote locations (such as venues or festival sites)
  • Controls on personal data being transferred externally
  • Encrypting hard drives
  • Restrictions on sending sensitive information like bank details
  • Ensuring all staff are aware of what constitutes a data breach and how to follow best practices

12. Make sure your partners and suppliers are GDPR compliant

Key to the GDPR obligations for any organisation going forward is ensuring that all the partners and suppliers they are dealing with are also fulfilling their legal responsibilities. An event is therefore liable for the non-compliance of its suppliers, just as the suppliers are liable for their sub-contractors.

These are the key areas you should address with your suppliers and partners to ensure they are compliant:

  • Where the Data is Hosted – If your data is stored in servers outside the EU, ask your providers what steps they are taking to make sure your data transfers are compliant and what safeguards they have in place to protect your data at all times
  • Who Has Access – Besides storing the data, third parties must also be GDPR compliant for how they use and process the data. So you need to find out who inside their organisation has access to it, plus any external sub-contractors, and make sure they’re all handling it in a compliant and safe manner
  • How Consent is Obtained – good practice is to insist they store the date, time and IP address when a user grants consent, to fortify your position if that user ever complains about their data being used
  • How Personal Data Can be Deleted – if requested by a user. Agree the process, timescale, communication chain and check whether it is also deleted from back-up servers. Ensure they confirm in writing when the data has been deleted
  • Their Policy on Data Retention – how long to they keep it on their servers? Is it moved to other locations and/or deleted after a defined period of time?
  • How they comply with GDPR – If they are based in the EU, they will have to be in order to operate legally. But for your own protection we’d still advise that you check their understanding of the new regulations and how they need to help you meet your obligations. How important is data security to them? Do they follow best practices? How do they monitor vulnerabilities? Who has access to your data, how do they handle authorization and what happens when someone leaves? And what about their own suppliers? Answering these questions will protect you from exposure to a third party GDPR breach

The above is not intended as a complete list of everything you need to operate in a GDPR compliant fashion from May 25, but it’s intended as a start to get you up and running in line with best practice.

For more comprehensive GDPR information from the official source please visit the ICO website.

Good luck with GDPR!

Disclaimer: This article is intended for general information purposes only and does not contain legal advice. Please consult counsel for detailed info and analysis. Festival Insights and PlayPass are not responsible for your GDPR compliance.