Apr 28, 2018 by Susan Morrow

The ABCs of Privacy by Default for Better Events

The privacy stakes are high for events. Managing events is all about people and data, and guests have high expectations for the personal data they entrust. That’s why event teams need to understand Privacy by Default, and how it can protect sensitive guest data.

Although some privacy violations are due to purposeful attacks or poor software design, some privacy violations are also accidental.

This is especially true in the world of events.

Take the case of the G20 Summit in Brisbane, Australia, in 2014. The Australian Immigration Department accidentally sent passport and visa details of all G20 attendees to the Asian Cup football tournament committee, bringing to life a nightmare for any event planner. Accidents happen, which is why the concept of “Privacy by Design and Default” came about and is crucial in privacy control for event teams.

Privacy by Design (PbD for short) was originally described by Ann Cavoukian, the ex-Canadian Privacy Commissioner, who listed seven principles of PbD. It is also used by the GDPR to “bake” privacy into every part of a process involving data.

As evidenced by accidental data leaks like the G20 example above, unless the entire process across the data lifecycle is built with the importance of privacy coming first, leaks can easily occur.

When you consider that this data may well represent guests with very high profiles and public personas, the stakes are high for event teams to get it right. And so are the rewards: guests will grow to trust event organizers who do the best job of implementing better data privacy practices, and those organizers can enjoy the benefit of more engaged and trusting guests.

Here are a few ways to rethink your data processes for the new data privacy norms and build trust with your guests.

The ABCs of Data Privacy

Being respectful towards your event attendees’ privacy isn’t just about making sure your brand stays out of negative news headlines. Under the current poor climate of “throwaway privacy,” demonstrating to your attendees that you take the protection of their personal data seriously shows that you care. Caring about customers creates an environment of trust and builds relationships. And, to complete the circle, you also get to tick the GDPR compliance boxes too. The ABCs of privacy begins with this:

Consent. The GDPR is built upon the ethos of consent. It sets out that consent is the great leveler in the privacy playing field. When managing invites, consider the following:

  • Make sure that your invites take explicit, unambiguous consent that is freely given.
  • To help with the collection of consent, and with the tenets of the GDPR in terms of “data minimization,” only take the data that you truly need and no more.
  • Make sure you have consent, even for existing contacts.

Respect. From the moment you send out the invites you are collecting personal data, whether that’s an email address, name, photo, gender, and so on. And as soon as collection begins, so must respect for the data now in your possession.  In the case of data, respect takes the form of protection.

Data protection laws across the world specify various levels of data protection, but it can be helpful to think of data as having a lifecycle. This lifecycle covers data at rest, in transit, and in use. Security measures including encryption, clear and well-defined access permissions, and robust data control tools in your event management software will provide the tools to ensure your attendee data is safe. To ensure compliance in your event planning, take the following steps:

  • When you do process data, make sure you use the right protection measures, including controlling access, encryption of data in storage, and using only secure and vetted tools.
  • Carry out a Data Privacy Impact Assessment (DPIA) to identify any gaps in your data protection strategy.
  • Don’t forget that demonstration of compliance is half the battle in meeting GDPR and other data protection regulations – document your efforts.

Trust. Once you have mastered the basic tenets of data privacy, you will find that trust naturally follows. “Trust by Design” is a natural outcome of the application of Privacy by Design and Default to your event management process. Having an ethos of trust baked into your systems will create, in turn, trusted relationships between your brand and your guests. Consider these elements when establishing trust with your guests:

  • The creation of a trusted relationship is something that we all strive for both in business and in life. Showing your attendees that you provide a Trust by Design service is a way to create great relationships with your attendees that will last.
  • Make sure your privacy policy is in plain language understandable by all – consider whether you yourself would want to read your policy if it were presented to you by another company.
  • Be transparent with guests about what happens to their data and allow them to access and update it themselves wherever possible – be data inclusive.

A great event will leave your attendees talking about it weeks later. If you do it well, you’ll create a memorable, interesting, fun occasion, that will leave people wanting more. In a world where data is valuable and under threat, you need to add something extra, in the form of Privacy by Design and Default, to your event management program. Making sure that your guest data is protected and respected will allow your event to stand out from the crowd and tick the data protection compliance checkbox too.


Susan Morrow has spent the last 20 years working in cybersecurity and online identity. She focuses on balancing usability vs. security and endeavors to understand how the human being fits into it all.