EXPERTS ARE advising festival organisers and suppliers to ensure they comply with General Data Protection Regulations (GDPR), due to become law this May, and warn that regulators may seek prosecutions after it comes into force.
Although described widely as an evolution of existing statutes rather than a revolution, the regulations require organisers to ensure customers give active consent to store their data, tighten conditions around sharing data with third parties and place stricter security constraints on data storage including data breach reporting.
However, organisations can still share data for security reasons.
Every area of festival activity is affected, says Paul Reed, general manager of the Association of Independent Festivals (AIF). “It’s not just about ticket holders. It affects artistes, traders, local authority contacts and workers. All organisations must understand that personal information is the property of the individual and they must collect and use data responsibly.”
Consultant Tom Crellin advises that festivals should update their consent procedure before tickets go on sale. A document published by AIF says, “Where information processing is necessary for the safe operation of the event (such as CCTV, searches etc), contracts should be clear that processing is based on legitimate interests rather than consent.”
Festivals taking place shortly after the 25 May implementation date will be the first to be affected. Meanwhile, July’s Henley Festival (cap. 7,000) re-contacted its customers inviting them to sign up to its marketing last year.
“Our digital agency advised us that our marketing cycle required us to get on top of GDPR sooner rather than later,” says festival CEO Charlotte Geeves. The festival invited everyone on its marketing database either to confirm they were happy to stay on or ask to be removed. “About 30 per cent asked to be removed but it means we have an actively engaged database who will respond to our marketing materials.”
Dave Newton, CEO of WeGotTickets, which handles the data of one million customers, says GDPR will eliminate grey areas in UK law.
“We’ve done our research and are ready for May,” he says. “Issues to address include whether you’re collecting more data than you need to; how that data is passed on and used by the event organiser. Companies will have to visibly comply and we document all our processes and demonstrate our compliance.
“The regulator will want to enforce GDPR and it’s likely there will be high profile prosecutions within the first 12 months of the legislation coming into force,” he warns.
Newton points out there are benefits to the overhaul. “The industry isn’t yet using data intelligently and the fact it has to be more careful about what data it collects might mean it uses it better.”