On 25th May 2018 the laws surrounding data protection changed when GDPR (the General Data Protection Regulation) came into effect.
Under the GDPR, all organisations processing the personal data of EU residents, regardless of the organisation’s location or size, must comply. Therefore, it is essential that all event organisers understand what GDPR means to avoid breaking the law.
If you’re using TicketSource, chances are you do have EU customers purchasing tickets. This means you are a Data Controller. This brings a number of new obligations and TicketSource have launched a range of new features that will assist in fulfilling them. But before we cover your account’s data privacy settings, let’s take a closer look at the new regulations.
If you haven't already considered the impact of GDPR on your organisation the best place to start is with the Information Commissioner’s Office (ICO) who have a range of guides and checklists which will help you with your planning. The advice and features outlined in this article are only meant to assist you in your data protection compliance and not intended as legal advice. We strongly recommend you take your own legal advice in deciding how to comply with GDPR.
GDPR: Your data protection questions answered
BBC Radio 5 live presenters Sean Farrington and Rachel Burden put listeners' questions on GDPR to Deputy Information Commissioner Steve Wood.
Your Guide to The New General Data Protection Regulations
The new General Data Protection Regulation (GDPR) takes over from the old Data Protection Act 1998. Data Protection is no longer just about who you email and sharing contact details with a third party. Anyone who sells tickets for an event and collects personal data will have obligations under the GDPR. As a result, all Event Organisers will need to undertake some work to ensure their compliance. The good news is that TicketSource will be able to help you meet them!
Data Controller vs Data Processor - What’s the difference?
Responsibilities under GDPR are split between two parties that are described as Data Controllers and Data Processors. The controller decides how and why data is collected. A processor is the party that processes and stores this data on behalf of the controller. To explain how this applies to your event ticketing:
TicketSource is the Data Processor: a platform for processing and storing personal data.
If you’re using TicketSource, you are a Data Controller. You decide how to handle collecting customer data during purchases. This will mostly be stored for the purpose of taking payment and fulfilling ticket orders but you might want to consider other use cases such as marketing or sharing data with a 3rd party.
How will GDPR affect event ticket sellers?
Many of the GDPR’s requirements are much the same as those under the old Data Protection Act. However, there are several new requirements and enhancements that you will need to consider as a Data Controller. The GDPR is all about how you use and safeguard your customers’ personal data, so it is important that you understand:
The personal data you hold
How the personal data is stored
Why you’re keeping personal data
What you do with the data
Who you share data with
All of these answers need to be documented to demonstrate your compliance. The fines for non-compliance have risen significantly, so it’s important you can prove, in the unlikely event of a data breach, that you’ve done everything reasonable to safeguard the personal data you control.
What is TicketSource doing to protect customer data?
As a Data Processor, TicketSource provides the framework in which your customer data is stored. This includes the tools to access, update and delete that data. TicketSource takes this responsibility very seriously and maintains high software standards to ensure the safety of your customer data. In regards to this, we are:
Registered with the Information Commissioner’s Office
Monitoring compliance with:
The existing Data Protection Act
Payment Card Industry Data Security Standards (PCI DSS)
Industry standards provided by the Society of Ticket Agents and Retailers (STAR)
Storing personal data and backups on trusted UK-based servers
Providing a Data Protection settings page for account Admins to set their policies
Reviewing and signing Customer Data Privacy Policies uploaded by Event Organisers
We are constantly reviewing and improving our security standards. If you have requirements that need to be met for your event, get in touch with our Support Team.
How is TicketSource offering to help Event Organisers?
There are 5 aspects of GDPR that we’ve addressed with our Data Protection settings:
Granular marketing consent
Named third-party consent
Customer data retention period
Customer data export
As with all of our best features, these are completely free to use and suitable for all events. To follow along with this article, log in or create an account, and navigate to ‘Account’ -> ‘Data Privacy Settings’ in the navigation.
1. Granular Marketing Consent
GDPR sets very high standards for marketing consent, giving individuals real choice and control over precisely what marketing communications they receive. No longer will vague, confusing, blanket terms suffice. The new regulation requires marketing consent to be clear, specific and granular.
All marketing consent options are now presented to the individual specifically on an opt-in basis. If an option is not selected then marketing consent will not be sought and you will not be able to market to that individual via that method of communication. To prove compliance, TicketSource keeps an audit log on granular consent for all your customers.
2. Named Third Party Consent
All third parties who intend to contact your customer are now required to be clearly named when requesting marketing consent. Within each individual event, there is now a third party marketing option, allowing you to name the third party and offer specific, positive opt-in marketing options. TicketSource keeps an audit log on granular consent for third-parties for all your customers.
3. Customer Data Retention Period
Under the new regulations, people should only hold on to personal data for as long as there is a legitimate reason to do so. If there is no longer any legitimate reason that you should have an individual's data, you will be required to erase it from your database.
TicketSource have now made it possible for event organisers to set their own data retention periods, automatically purging personal data from the servers when it falls outside of the specified retention period.
This retention period is calculated from the date of a customer's last booking. Following the retention period, customers' historic booking details will remain but their personal details will be purged and anonymised.
Being open and honest with your customers regarding how you will use their personal data is one of the main elements of GDPR. The most common way to provide this information is in a privacy notice/policy at the time you obtain personal data from them.
5. Customer Data Export
Enhancements to the existing customer data exports have improved functionality to report on your customers based on the new granular marketing consent options. Additionally, named third-party filters have been added allowing event organisers to export customer data based on their own privacy options or event booking details.
Similar changes have been made to the customer import process allowing you to import customer data from external sources whilst retaining their existing consent.
If you are taking advantage of the TicketSource integration with MailChimp, then the granular email consent level has been mapped to a two-way synchronisation, meaning your customers' details and their marketing preferences will be automatically updated to your MailChimp account when they complete a booking.
If you would like more information and guidance on the new data protection changes please do not hesitate to contact our free customer support team, as they will be happy to talk you through the features. If you would like to try out these exclusive new features, under no obligation, you can sign up for a free account via the button below. The advice and features outlined in this article are only meant to assist you in your data protection compliance and not intended as legal advice. We strongly recommend you take your own legal advice in deciding how to comply with GDPR.
Sign up for a free account now