Data protection and privacy: A guide to avoid event privacy pitfalls
With the advent of the new adage that ‘data is the new gold’, entities are increasingly relying on data to drive their business decisions and as the basis for profit optimization. However, the collection, handling and storage of data must align with international standards on data protection and privacy.
One area that entities have grappled with for a long time, and that is now revealing itself more brazenly, is how to navigate data protection and privacy concerns during events. Recently, the Office of the Data Protection Commissioner in Kenya slapped some entities with hefty fines for unlawfully processing personal data. Consequently, it is imperative that entities be reminded of standard or good practices on how to process data during events.
To begin with, almost all if not all data collected during events are personal data. Consequently, such data must be handled and processed within the dictates of the Data Protection Act (DPA), 2019. The DPA provides for the protection of personal data by requiring organisations to obtain consent from individuals before collecting, using or disclosing their personal information, emphasising the fundamental human right to privacy.
The implementation of data protection in events is essential as it not only protects attendees from unauthorised access and use of their personal data but also protects entities from the reputational and litigation risks that are likely to arise due to the unlawful processing of data.
Key considerations on data protection for events
From the outset, businesses should ensure that they collect minimal data in the course of their events, as this will reduce the risk of data breaches and respect the attendees’ privacy rights. Further, event organisers need to put in place mechanisms to inform the attendees why their data is being collected and how it will be utilised before obtaining consent from them. Sensitization of staff and suppliers on data protection policy is also key to embedding it into the engagement contracts.
Essentially, event managers handling events on behalf of corporations should take the following into consideration:
- Consultation on the legal requirements to educate and understand the obligations and responsibilities as the custodian of attendees’ data.
- Obtaining explicit and signed consent from the subject to be photographed or recorded.
- Creating awareness, through signage or verbal announcements by the MC, that photography or recording will occur during the event.
- Data minimization and retention timelines: limiting the collection of personal information to what is directly relevant and necessary, and retaining the collected data only for as long as is necessary, thereafter deleting or archiving it.
- Protecting the data collected from unauthorized access, alteration, or deletion.
- Appointing a data protection champion at every event to oversee the needful during the event.
In order to effectively handle data protection and privacy concerns that may arise during events, it is advisable to align the concerns into three categories — pre-event, during the event and post-event.
(a) Pre-event
Before an event, the following essentials are key:
- Assessment before the event to identify potential risks. This should be conducted in collaboration with the internal data protection office to ensure full appreciation of the potential risks that may come with the event.
- Teams or staff involved in the event should be adequately sensitised on key data principles of data privacy and how to handle them. Part of the MC’s briefing at the start of the event should be data protection policies.
(b) During the event
In the course of the event, some innovative measures include:
- Designated seating spaces for those who have consented and those who haven’t.
- A digital disclaimer displayed as guests walk into the event space.
- Consent forms to be physically signed at the entry point.
- Colour-coded wristbands to identify those who have consented and those who haven’t.
- Signage for photography-designated seating spaces.
- Ushers to guide guests to their respective seating spaces.
- Photographers should dress in t-shirts, reflectors or caps printed with disclaimer warnings to create more awareness as they interact.
- Data champions to ensure all data measures have been implemented during the event.
- Virtual events should allow participants to enter a meeting with a pseudonym and/or without video.
In today’s digital age, photography and videography are popular methods of capturing data during events. Entities desire to have photos to help boost and sustain their brand awareness whilst also showcasing their products and services. The following are suggested procedures for obtaining media content:
- During all events, the photographer/videographer must capture the notice that informs guests that they are entering an area with photography and videography to ensure transparency.
- Upon arrival at an event, the crew must inquire with the host about the measures taken to safeguard the attendees’ data protection and adhere to them. For example, are the attendees tagged in different colour codes and in different zones, clearly indicating which data subject is to be photographed and which is not?
- At all events, record the MC constantly reminding stakeholders of the notice that photos/videos/audio will be taken and for what purpose.
- When and where possible, have the subjects sign media/model release forms (MRFs) on either a physical or online copy before taking the images/videos. This can help to safeguard against any legal issues that may arise later.
- MRFs should be shared with the client as hard copies or scanned copies to ensure that they have access to all the necessary information.
- In events like concerts/rallies, the crowd shots should feature the atmosphere/mood of the event, and the brand ambassadors/influencers who have signed consent forms should be used to generate image/video/audio collaterals, to give a complete picture of the event.
- All photos/videos taken after an event should be shared with the CRA, who will then disseminate them to the respective persons/owners of the event.
- Use password-protected machines to download images and video for the purpose of processing deliverables, to keep them secure.
- Delete data that is no longer needed on the camera/laptop/hard disk, and securely dispose of physical media to ensure that you are not holding any unnecessary data.
- Storage — The photographer/videographer must back up his/her work whilst in the field on a hard drive.
(c) Post-event
After an event, it is imperative that entities do an assessment to ascertain whether the compliance measures they put in place were fully implemented. This also allows the appreciation of emerging gaps so as to ensure they are not replicated in future events.
Also fundamental at this stage is how to deal with breaches in case they arise. The DPA has an elaborate system for dealing with data breaches. The key element is the mandatory requirement to report within 72 hours. Entities need to establish internal mechanisms for mandatory reporting of event breaches to the internal Data Protection Officer. A proposal is that such a time limit should be prompt, ideally not later than 24 hours.
A report on the breach should adequately outline:
▪ The nature of the breach.
▪ The kind of personal data mishandled.
▪ The steps taken to mitigate the breach.
▪ The steps taken to ensure such a case is not replicated in future.