Simon Clayton highlights the dangers

Event organisers collect a lot of data, but how long can that data be kept, what can be kept and how do you determine what’s safe to retain?
Two of the core principles of European data protection law, under both the old and new regimes, are that the data you collect must be relevant to the ways you are using it and that it must not be retained for longer than is necessary. Event organisers should consider these two standards together.

Because every event’s circumstances are different, there is no set rule on the length of data retention. Some data is only relevant for the duration of your event, but other data may be relevant for years – if you can properly justify it as such. It is important for you to have a clear and considered policy and a rationale to defend the terms of that policy. You can devise a defensible policy by asking these questions about your data:
• Why do we need this data?
• How much will it cost us to keep this data?
• What value might it have in future?
• What risks are there in keeping it?

Under the GDPR (General Data Protection Regulation) you will need to explain your data retention rationale in your privacy notices and terms and conditions. It is not enough to simply guess what a good data retention policy, or its length, should be. You have to prove that you have created a valid policy through the appropriate evaluation process.

Organisers wishing to retain data for future use should remove sensitive personal data - information pertaining to health, disability, ethnicity, or religion - from those records. For example, you may retain the contact data for this year’s visitors in order to invite them back next year. However, you should not retain data such as requests for a kosher meal, a wheelchair ramp, or a prayer room, as associating these requests with individuals is retaining sensitive personal data.

The retained data must also be used solely for its original intended purpose. For example, the list of attendees should not be sold to third parties after the event, if this was not explicitly consented to at the time of registration.

You should also consider where your data is kept. Leaving data on an internet-facing system is far less secure than storing it on an internal server that is properly protected and secured. But even then, don’t be complacent.

Only last week it was reported that a data breach at the UK software company, Sage, may have compromised personal information for employees at 280 UK businesses. The breach is thought to be the result of ‘unauthorised access’ to data held on an internal server by someone using an ‘internal’ company computer login.

What should you do with data concerning a Code of Conduct violation at an event? Unless litigation ensues, the identifying details of both the victim and the perpetrator should be deleted after a reasonable period of time. For example, it is acceptable for the organisers of an industry conference to maintain a secure list of individuals banned from future events for unacceptable behaviour at previous events, but it is not acceptable for the details about those incidents, or who they were directed against, to be retained with that list.

Following the deletion of personal data, an account of the incident, referring anonymously to persons X and Y, can be retained securely and indefinitely for the purposes of institutional memory.
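The minimisation and anonymisation steps described above (keep only the contact data needed to invite visitors back, drop sensitive requests such as meals or ramps, expire records once the justified period has passed, and reduce a Code of Conduct incident to a name-only ban list plus an anonymised account) can be enforced mechanically rather than by hand. The following Python script is an added example and is not part of Simon Clayton's article; the field names, the twelve-month retention period, the sample visitor records and the sample incident are all constructed assumptions for illustration.

```python
"""Added example: a retention filter for event registration data.

Assumptions (not from the article): field names, a 12-month retention
period, and the constructed sample records below.
"""
from datetime import date, timedelta

# Allow-list of fields needed to re-invite a visitor next year (assumed names).
CONTACT_FIELDS = {"name", "email", "organisation"}
# Sensitive personal data that must never be retained after the event (assumed names).
SENSITIVE_FIELDS = {"dietary_requirement", "access_requirement", "prayer_room_request"}
# Assumed retention period: one event cycle, justified by the re-invitation purpose.
RETENTION = timedelta(days=365)


def minimise_visitor(record: dict) -> dict:
    """Keep only the contact fields.

    An allow-list fails safe: a sensitive or unexpected field that appears in a
    future export is dropped because it is not listed, rather than retained
    because nobody added it to a deny-list.
    """
    return {k: v for k, v in record.items() if k in CONTACT_FIELDS}


def contains_sensitive(record: dict) -> bool:
    """Pre-export check: does this record still carry a sensitive field?"""
    return not SENSITIVE_FIELDS.isdisjoint(record)


def apply_retention(records: list, event_date: date, today: date) -> list:
    """Return the minimised records to keep, or nothing once the period has passed."""
    if today - event_date > RETENTION:
        return []  # retention period exhausted: delete rather than keep "just in case"
    return [minimise_visitor(r) for r in records]


def split_incident(incident: dict) -> tuple:
    """Split a Code of Conduct incident into the two records that may be kept:
    a ban-list entry with no incident detail, and an anonymised account with
    no names. Plain string replacement is enough for a structured example; free
    text may still contain indirect identifiers and needs human review."""
    ban_entry = {"name": incident["subject"], "banned_since": incident["date"]}
    account = incident["account"]
    for name, placeholder in ((incident["subject"], "X"), (incident["reporter"], "Y")):
        account = account.replace(name, placeholder)
    anonymised = {"date": incident["date"], "account": account}
    return ban_entry, anonymised


# Constructed sample data (not real visitors or a real incident).
EVENT_DATE = date(2016, 6, 1)
VISITORS = [
    {"name": "A. Example", "email": "a@example.com", "organisation": "Example Ltd",
     "dietary_requirement": "kosher", "badge_number": 101},
    {"name": "B. Sample", "email": "b@example.com", "organisation": "Sample plc",
     "access_requirement": "wheelchair ramp", "badge_number": 102},
]
INCIDENT = {
    "date": EVENT_DATE, "subject": "B. Sample", "reporter": "A. Example",
    "account": "B. Sample shouted at A. Example during the keynote.",
}

if __name__ == "__main__":
    kept = apply_retention(VISITORS, EVENT_DATE, EVENT_DATE + timedelta(days=90))
    assert not any(contains_sensitive(r) for r in kept)
    print("retained:", kept)
    print("after two years:", apply_retention(VISITORS, EVENT_DATE, EVENT_DATE + 2 * RETENTION))
    print("incident split:", split_incident(INCIDENT))
```

The allow-list in `minimise_visitor` is the design choice worth copying: the article's point is that only data with a stated purpose should survive the event, and an allow-list makes every retained field one you have consciously justified.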