Last updated: 23rd May 2018
We care deeply about data privacy, for both our customers and your attendees. New legislation regarding data protection within the EU, the General Data Protection Regulation ('GDPR'), comes into force on May 25th 2018. It affects anyone who collects, transmits, analyses or stores personal data of EU citizens.
Much has been discussed about the implications of GDPR for businesses; however, it need not be something to fear. The legislation has been created to ensure that the data of individuals within the EU is better protected. It is not designed to harm businesses, and the last thing the legislators wish to do is to scupper the efforts of legitimate organisations.
Here at Line-Up, we're taking measures to make sure that not only are we compliant with the new regulations but also that you, our customers, have all the tools and information you need to make sure that when it comes to using our services, you are compliant too.
The below outlines:
- what GDPR is
- why it is relevant for your business and some pointers towards some resources to help you understand your requirements to be compliant
- how GDPR affects the services provided by Line-Up
- the steps that Line-Up are taking to be compliant and the impact this will have for you as a ticket vendor
The below will evolve as we get closer to May 25th and we will be making regular updates on our progress.
Should you have any questions, please do not hesitate to contact us.
Disclaimer
The below is not legal advice, nor is it intended to be interpreted as such. As much as we're here to help you be prepared for GDPR, we strongly recommend taking legal advice before making any changes to your internal/external processes in light of the new legislation. As much as Line-Up will do as a data processor to assist with your efforts to be compliant, as the data controller you have a responsibility to ensure your own compliance.
What is GDPR and where can I find out more details?
The General Data Protection Regulation, or GDPR as it is more commonly known, is a new set of data privacy regulations which will replace the current EU Data Protection Directive (and the 1998 Data Protection Act in the UK).
Broadly, GDPR aims to improve the way organisations handle, secure and protect the personal data of individuals.
In the UK, the Information Commissioner's Office (ICO) is responsible for overseeing and enforcing the GDPR rules. Much more can be read about GDPR on the ICO website.
To whom does GDPR apply?
GDPR applies to all organisations operating within the EU and processing personally identifiable data of EU residents.
As far as someone who is selling tickets is concerned, as long as you have customers who reside within the EU, you will need to be compliant. You will also need to take steps to ensure that to the best of your knowledge, all of your third party data processors are compliant too.
How does this affect my business?
GDPR will affect your business in numerous ways, related to both internal and external processes and to data processed about both customers and employees.
We would suggest that you seek legal advice and read the ICO's guidance on Preparing for GDPR to understand exactly how the legislation is likely to affect your business.
As a business who sells tickets and who practices marketing, what should I be most concerned about?
The answer is: all of it. A discussion with a legal professional will help you identify which areas of the legislation are key for your organisation, given the processes currently in place in your business.
That being said, the part which will arguably require the most input from you is your decision about which legal basis (or bases) you select for processing customer data.
According to Article 6 of the GDPR, there are six legal bases for processing someone's personal information:
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In terms of selling tickets, the customer data that you capture is related to a purchase and therefore your legal basis for processing this data is covered by (b). At Line-Up, we have always favoured asking for as little data as possible from the customer when they wish to purchase a ticket. Not only does this improve conversion, but it also raises few eyebrows from the customer, as they are not asked all sorts of seemingly irrelevant questions about themselves. In light of this, the data you hold with regard to previous orders will be compliant. As and when we introduce the ability for you to ask for more data as part of checkout (e.g. postcode, full address, telephone number), GDPR ramifications will be at the forefront for us.
What we will be introducing in light of GDPR, though, are features which enable the editing of personal data, should you be contacted by a buyer who wishes to have their data changed.
A bigger question for your organisation may be around your selected legal basis for processing data when it comes to marketing.
Traditionally, most organisations who practice marketing have operated on a 'consent' basis, point (a) above. The rules surrounding consent change somewhat drastically when GDPR comes into force, meaning that as an organisation you may wish to consider whether you want to continue a consent-only approach or whether you want to select another legal basis for your processing of data.
In terms of how consent is changing, the benchmark for GDPR-compliant consent is high: it must be granular, affirmative and demonstrable. This means that if you intend to continue a consent-only approach, the marketing consent that you present to your customers must:
- List every way in which their data is going to be processed
- Be opt-in, not opt-out
- Be recorded - you must be able to point to the date and time that the person opted-in and also the wording that they saw when they did it.
The other key point is that if you decide to use a consent-only approach, then even where your post-May 25th consent is GDPR compliant, if your pre-May 25th consent was not compliant you can, in theory, no longer take it as read that the buyer is still willing to consent.
With the above in mind, there has been much discussion around whether Legitimate Interest (point (f) above) is a suitable legal basis for organisations. The ICO recently (22nd March 2018) published further guidelines on using Legitimate Interest as a basis for data processing and appeared to suggest that this approach is viable for organisations.
As stated, selecting which legal basis you are going to use will be key when it comes to the future of your marketing.
I've also heard about Privacy and Electronic Communications Regulations ('PECR') - what's this?
When it comes to email marketing, there is another piece of legislation to be aware of - Privacy and Electronic Communications Regulations, or PECR for short.
The Privacy and Electronic Communications Regulations (PECR) currently sit alongside the Data Protection Act and will continue to be in force after GDPR replaces the Data Protection Act. They give people specific privacy rights in relation to electronic communications, with specific rules on marketing calls, emails, texts and faxes.
More info on PECR can be found here.
What does PECR mean for me?
Your legal counsel will be able to help you here; as a guide, however, it depends on your approach to Legitimate Interest vs consent for marketing going forward.
If you have decided to use Legitimate Interest as your legal basis for processing data going forward, and you did not plan on ever doing any email marketing, you would no longer need a marketing consent opt-in at the point of purchase.
Since you will most likely want to do email marketing going forward, with PECR in mind you will still need an opt-in. The key thing here, however, is that it does not need to be a GDPR-compliant opt-in; it can be a shorter, more straightforward consent to receiving marketing via email. This is known as the Soft Opt-In.
We would recommend discussing this further with your legal counsel and making sure that PECR is considered as part of any decision on an approach to consent as part of GDPR.
How is Line-Up going to handle Consent and Legitimate Interest when it comes to my marketing?
We plan to make the following changes to Line-Up to make sure that you can be compliant, whichever legal basis you decide to employ, going forwards:
Editable Consent Messages:
Going forward, you will be able to create your own custom consent message(s): if you've had a consent message drafted that you'd like to use, this can be inserted. You will also have the ability to insert multiple messages, should you wish to also ask for consent for passing data on to third parties (e.g. event producers/promoters).
This will be editable on a per-event basis.
Customer Profiles:
We will be introducing customer profiles, which will display editable data for your attendees and show whether they opted in to marketing and, if so, the date/time and the text they saw when they did.
How does all of this affect Line-Up and what will you be doing to make sure that I'm compliant?
Having reviewed the GDPR guidelines and through working with our legal counsel, we have identified the following list of actions that we are taking to ensure that not only are we compliant but that you have the information and tools at your disposal to help you to be compliant, by the time the legislation comes into force.
The following is our action plan which will be updated as we get closer to the deadline.
- Review third party data processors - Complete
- Keep track of third party data processors to ensure they are compliant - Complete
- Identify product feature updates to ensure compliance - Complete
- Launch required product feature updates - Expected May 25th
- Update Privacy Policy - Complete
- Publish full list of third party data processors - Complete
The actions above will not, on their own, make your whole organisation compliant with GDPR. We advise that you take legal advice to make sure that you're aware of any further action you will need to take.
What data do you process/store - for me and my customers?
Please see our Privacy Policy and our Data Processing Terms.
What third party data processors do you use?
Please see our:
- Third Party Data Processors (Line-Up as a data controller)
- Third Party Data Sub-processors (Line-Up as a data processor)
What product features will Line-Up be introducing to help with my compliance?
We will be making the following additions to Line-Up to help you to be compliant:
Editable Consent Messages:
As listed above.
Customer Profiles:
As listed above.
Mark customers as inactive:
Whilst we will not completely delete customer records, we will make it possible to mark customers as inactive. This will mean that they will no longer be included in relevant exports of customer data, regardless of whether they originally consented to receive marketing or not.
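As an added illustration (not Line-Up's code, and not the feature the page announces), the following Python consent ledger shows what the consent requirements described earlier on this page and the 'mark customers as inactive' feature look like as data and checks: one record per processing purpose (granular), consent granted only by an affirmative action (opt-in, not opt-out), the date/time and verbatim wording stored with every record (demonstrable), a legacy record with no stored wording treated as not demonstrable, and an export that drops inactive customers regardless of their consent. All names, the example wording and the sample customers are constructed assumptions.

```python
"""Consent ledger sketch: added example, not Line-Up's code. All sample data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from hashlib import sha256
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event. opted_in is True only for an affirmative action (a box
    the buyer ticked). An untouched box is still recorded, so the audit trail shows
    what was asked, but it never grants consent."""
    purpose: str            # granular: one record per processing purpose
    recorded_at: datetime   # UTC date/time the buyer saw the message
    wording: str            # verbatim message text shown at the time
    wording_sha256: str     # fingerprint of the wording, so later edits are detectable
    opted_in: bool


@dataclass
class Customer:
    email: str
    consents: List[ConsentRecord] = field(default_factory=list)
    inactive: bool = False  # excluded from exports regardless of consent


class ConsentLedger:
    def __init__(self) -> None:
        self.customers: Dict[str, Customer] = {}

    def _customer(self, email: str) -> Customer:
        key = email.lower()
        return self.customers.setdefault(key, Customer(key))

    def record(self, email: str, purpose: str, wording: str, ticked: bool,
               at: Optional[datetime] = None) -> ConsentRecord:
        """Append a consent event. Records are never edited in place: a change of
        mind is a new record, so the full history stays demonstrable."""
        rec = ConsentRecord(
            purpose=purpose,
            recorded_at=at or datetime.now(timezone.utc),
            wording=wording,
            wording_sha256=sha256(wording.encode("utf-8")).hexdigest(),
            opted_in=bool(ticked),
        )
        self._customer(email).consents.append(rec)
        return rec

    def latest(self, email: str, purpose: str) -> Optional[ConsentRecord]:
        cust = self.customers.get(email.lower())
        if cust is None:
            return None
        matching = [c for c in cust.consents if c.purpose == purpose]
        return max(matching, key=lambda c: c.recorded_at) if matching else None

    def has_valid_consent(self, email: str, purpose: str) -> bool:
        """Valid = affirmative AND demonstrable. A record with no stored wording
        (e.g. a legacy opt-in flag imported without the text shown) cannot be
        pointed to, so it does not count even though it says opted_in."""
        rec = self.latest(email, purpose)
        return rec is not None and rec.opted_in and bool(rec.wording.strip())

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """What a customer profile would display: when, and exactly what text."""
        rec = self.latest(email, purpose)
        if rec is None or not rec.opted_in:
            return None
        return {"recorded_at": rec.recorded_at.isoformat(),
                "wording": rec.wording, "wording_sha256": rec.wording_sha256}

    def mark_inactive(self, email: str) -> None:
        self._customer(email).inactive = True

    def export(self, purpose: str) -> List[str]:
        """Marketing export: valid consent for this purpose AND not inactive."""
        return sorted(c.email for c in self.customers.values()
                      if not c.inactive and self.has_valid_consent(c.email, purpose))


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample customers (hypothetical addresses and wording)."""
    led = ConsentLedger()
    wording = "Tick to receive email news about future events from Example Venue."
    utc = timezone.utc
    # alice: affirmative, demonstrable opt-in -> exportable
    led.record("alice@example.com", "email_marketing", wording, True, datetime(2018, 6, 1, 10, 0, tzinfo=utc))
    # bob: legacy flag imported with no wording -> not demonstrable, not exportable
    led.record("bob@example.com", "email_marketing", "", True, datetime(2017, 3, 4, tzinfo=utc))
    # carol: opted in, then withdrew; the newer record wins
    led.record("carol@example.com", "email_marketing", wording, True, datetime(2018, 6, 2, tzinfo=utc))
    led.record("carol@example.com", "email_marketing", wording, False, datetime(2018, 7, 1, tzinfo=utc))
    # dave: valid consent, but marked inactive by staff -> dropped from exports
    led.record("dave@example.com", "email_marketing", wording, True, datetime(2018, 6, 3, tzinfo=utc))
    led.mark_inactive("dave@example.com")
    # erin: was asked but left the box unticked -> recorded, but not consent
    led.record("erin@example.com", "email_marketing", wording, False, datetime(2018, 6, 4, tzinfo=utc))
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.export("email_marketing"))
    print(ledger.evidence("alice@example.com", "email_marketing"))
```

The wording fingerprint is there so that a later edit to a consent message cannot silently change what a past record appears to say; a profile can show the stored text and the hash side by side. Running the block prints the single exportable address and alice's evidence record.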
More:
As we continue to work through the GDPR guidelines, we may introduce further features and we shall keep you updated on this here.