Event Marketing Under GDPR: Key Points

Background

The new EU Directive on Personal Data Protection came into effect on 25th of May 2018 and it seems one of the most critical issues event marketers under GDPR are currently facing is figuring out which legal basis to implement when contact people on mailing lists. Consent under GDPR is the most popular lawful basis used by companies, but event marketers should consider before all the so-called ‘Legitimate Interests‘. It is a viable legal basis especially for B2B services including event marketing under GDPR. However, before making any compliance steps, marketers should understand the risks of the legitimate interests and whether or not they can use it as a legal basis. This article will provide you with further information to make the right choice.

Learn more about what GDPR for marketing companies means with our guide.

 

Event Marketing Under GDPR: Key Points

event marketing under gdpr - event

Consent or Legitimate Interests for event marketing under GDPR

The Information Commissioner’s Office says that consent is an appropriate option if you can give people a genuine choice over how to use their data and inform them about the data procedures and policies in place. However, if that is not the case, consent might not be a sufficient legal basis. ICO also states that the processing of personal data for  direct marketing could be potentially regarded as legal if there is a legitimate interest behind it:

“As long as the marketing is carried out in compliance with e-privacy laws and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest. However, this does not automatically mean that all processing for marketing purposes is lawful on this basis.  You still need to show that your processing passes the necessity and balancing tests.”

You can also check our Guide to Data Protection

 

Event marketing under GDPR and ‘Consent’

The most substantial change for event marketing under GDPR is the new requirement for consent to achieve compliance. All data handling policies and procedures should be explained in a clear and understandable language which is a crucial requirement so that data subjects can come under exactly how their information would be used and processed. Furthermore, you also need to have procedures in place to allow individuals to exercise their right to withdraw consent, make changes or erase any information. Data subjects should also be given a choice to consent if you intend to use their data for a reason different than the initial one.

Notably, consent under GDPR  is also quite confusing in the context of marketing, and it’s only one of the six legal bases which can be used for data processing. In some cases, consent is not the most appropriate legal basis because for instance, if you use it for sending prospects marketing communications around an event, it will be difficult to change to another legal basis. The Information Commissioner’s Office advice that even if a different basis could have been applied from the start, retrospective switching lawful basis is unfair to the individual and leads to a breach of GDPR vital principles- accountability and transparency.

There is also the issue of the Privacy and Electronic Communications Regulations and how it works alongside GDPR because there are fundamental requirements differences between B2C vs B2B event marketing.

Learn more about Consent Under GDPR with our guide.

 

Legitimate Interest for event marketing under GDPR

Legimitate Interest is different to other legitimate reasons for data processing an is not centred around a particular goal(e.g. Signing a contract with the data subject) and is not required that the individual must explicitly agree to (consent). Legitimate Interests is more flexible and could apply to any processing as long as there’s a reasonable purpose for it.

When it comes to direct marketing, LI is not something new as many organisations will have used it as a legal means to process people’s information under the regulations of the Data Protection Act 1998. However, there are two critical differences between the DPA and the GDPR that event marketers need to be aware of when considering LI as a legal basis for their direct marketing activities.

Clear Opt-Outs: As an event marketer, you now need to make sure your opt-outs windows are transparent and prominently displayed, away from other types of information.

Detailed information about data handling: Attendees at your events that you’re collecting personal information on must understand what data you hold and what you’re planning to do with it.  You must have ready procedures in place to let attendees exercise the rights we mentioned. They need to understand why you process their data and what your ‘Legitimate Interest’ behind it.  This need to be outlined in your privacy policy, which should be written in a clear and concise language.

 

Conclusion

Using Legitimate Interests as a way of contacting people is fine as long as your reasons are genuinely legitimate – otherwise, you are likely to have many discussions with the ICO arguing your case. We would advise that if you’re not sure about using LI as an argument, then don’t do it.  It is the most flexible but also the weakest of the other legal reasons for processing.  Either way, whether you decide to rely on consent or LI for your event marketing communications, then you need to do similar things to make sure you are GDPR compliant:

Using Legitimate Interests as a legal basis for direct marketing is fine while your reasons are indeed legitimate. If not, you might find yourself in a position where you’re like to have many discussions with the ICO arguing your case and most like you will be substantially fined. Our advice is that if you’re not sure how to use LI as a legit reason, then don’t it. It is the most flexible but also the most subjective of the legal rights and might not be a good idea. Whether to rely on consent or LI for event marketing, you need to take similar steps in both to ensure that your following GDPR compliance:

  • Give individuals control over their data: Attendees of your events should be able to decide whether they want to share their data with you or not. Give them an opt-out every time you communicate with them.
  • Explicitly state your reasons for data collection: Update your privacy notices and consent boxes on event websites, registration forms etc.
  • Always be ready to demonstrate compliance: This includes recording the legal grounds for processing an individual’s personal data.
  • Use clear and concise language: Make sure you identify your organisation and any other third parties who will be processing their personal information

 

Recommended next steps:

  • Audit your marketing mailing lists and figure out what information you hold and minimise it.
  • Decide between consent or legitimate interests for event marketing.
  • Updated your privacy noticed according to ICO’s guidelines and include as many details as you can on what’s your purpose for processing personal data.
  • Informing your mailing contacts of your update privacy policy with clear information on how you’re going to be using their data. Give them the opportunity to opt-out.
 

Leave a comment