Simon Clayton, chief ideas officer at RefTech, on how long data can be kept, what can be kept and how to determine what’s safe to retain.
Two of the core principles of European data protection law, under both the old and new regimes, are that the data you collect must be relevant to the ways you are using it and that it must not be retained for longer than is necessary. Exhibition organisers should consider these two standards together.
Because every exhibition’s circumstances are different, there is no set rule on the length of data retention. Some data is only relevant for the duration of your exhibition, but other data may be relevant for years – if you can properly justify it as such. It is important for you to have a clear and considered policy and a rationale to defend the terms of that policy. You can, however, devise an acceptable policy by asking these questions about your data:
Under the GDPR (General Data Protection Regulation) you will need to explain your data retention rationale in your privacy notices and terms and conditions. It is not enough to simply guess what a good data retention policy, or its length, should be. You have to prove that you have created a valid policy through the appropriate evaluation process.
Organisers wishing to retain data for future use should remove sensitive personal data - information pertaining to health, disability, ethnicity, or religion - from those records. For example, you may retain the contact data for this year’s visitors in order to invite them back next year. However, you should not retain data such as requests for a kosher meal, a wheelchair ramp, or a prayer room, as associating these requests with individuals is retaining sensitive personal data.
The retained data must also be used solely for its original intended purpose. For example, the list of attendees should not be sold to third parties after the exhibition if this was not explicitly consented to at the time of registration.
You should also consider where your data is kept. Leaving data on the internet is far less secure than storing it on an internal server that is properly protected and secured. But even then, don't be complacent; only last week, it was reported that a data breach at large UK software company Sage may have compromised personal information for employees at 280 UK businesses. The breach is thought to be the result of "unauthorised access" to data held on an internal server by someone using an "internal" company computer login.
What should you do with data concerning a Code of Conduct violation at an exhibition? Unless litigation ensues, the identifying details of both the victim and the perpetrator should be deleted after a reasonable period of time. For example, it is acceptable for the organisers of an industry exhibition to maintain a secure list of individuals banned from future exhibitions for unacceptable behaviour at previous events, but it is not acceptable for the details about those incidents, or who they were directed against, to be retained with that list.
Following the deletion of personal data, an account of the incident, anonymised to persons X and Y, can be retained securely and indefinitely for the purposes of institutional memory.
For more information and advice on data protection within the events industry, download our free white paper: