Now is not the time to be yawning about GDPR. Sanctions for non-compliance with GDPR are severe and a surprisingly high number of corporate hospitality programs are still managed on spreadsheets, which means there’s a high chance GDPR compliance is inadvertently falling short somewhere.
Worryingly, a review of the biggest GDPR fines in 2023 concluded that some companies receiving fines have forgotten that GDPR exists! This should raise alarm bells in corporate hospitality, as vast amounts of personal data get processed and stored. Data privacy and security are, therefore, critical business considerations.
Here, we consider the scope of GDPR in corporate hospitality, the challenges in ensuring compliance, and how workflow automation can help avoid the common pitfalls associated with spreadsheets.
GDPR and The Data Protection Act: A Brief Recap
GDPR (General Data Protection Regulation) is an important component of EU privacy laws providing data security guidelines for collecting and processing personal information from individuals.
Though drafted by the EU, it imposes obligations onto organisations worldwide that target or collect data related to people in the EU. Those who violate its standards risk harsh penalties, reaching tens of millions of euros.
The fundamental principles of GDPR are:
• Data collection and use must be lawful, fair, and transparent
• Data can only be used for its original purpose
• Only data that is necessary should be collected
• Data should not be kept indefinitely (i.e. post-event deletion is critical)
• Data must be kept secure (so spreadsheets can be problematic)
Understanding the Scope of GDPR in Corporate Hospitality
Corporate hospitality may seem to have less need for stringent GDPR compliance than other organisations, such as banks and hospitals. However, personal information gathered while arranging a corporate event will often fall into the most sensitive category that GDPR recognises.
As well as basic contact details such as name, email, phone number, company, and job position, additional personal information is often required.
For example, the organiser will need to know individual dietary requirements for catered events, such as kosher, halal, vegetarian, vegan, gluten-free, and dairy-free.
Dietary preferences are considered sensitive personal data under GDPR, since this information may reveal ethnicity or religious beliefs (e.g., requesting halal food). Dietary requirements can also expose health conditions, such as diabetes.
Access requirements may reveal further health particulars, such as information about disabilities.
When handling sensitive data in corporate hospitality, you need:
1. Higher standards of consent for your event guests
2. More rigorous risk assessments
3. Stringent management of data due to the potential for increased fines
4. Your team to clearly understand the limits for data processing
5. Strict access controls to data
Pitfalls of Using Spreadsheets or Multiple Systems for Guest Data Management
Once corporate hospitality becomes a regular business activity, the number of guests increases, and the limitations of spreadsheets and disparate systems quickly become apparent.
Here are the top five pitfalls of using spreadsheets or multiple systems to manage corporate hospitality data that threaten GDPR compliance.
1. Inconsistent data retention
With so much data, retention needs to be thought about carefully in corporate hospitality. How long should a client’s data be kept for GDPR compliance? Should some or all data be deleted straight after an event?
While there are no statutory retention periods, legislation states that a business should not keep information longer than necessary and that data can only be retained for use in the manner it was first collected. With data in multiple places, inconsistencies in retention can quickly develop.
Some or all data on attendees must be deleted or anonymised after an event to ensure GDPR compliance. With spreadsheets, this must be done manually. This task is susceptible to accidental error and relies on someone remembering to complete it.
2. Unreliable manual data deletion
There is unlikely to be much legal justification for keeping potentially sensitive guest data (such as dietary requirements, access requirements, passport details, and travel arrangements) much past the date of an event. Therefore, it is critical that businesses have a way of deleting or anonymising this data reliably.
Relying on manual data deletion from spreadsheets can be a major risk to GDPR compliance as it relies on individuals remembering to perform the task regularly and reliably.
3. Duplicate data sources and lack of version control
Without a secure and unified system, guests’ personal data often gets stored in more than one place. Guest list data goes in one spreadsheet, feedback survey responses in another, and so on. Data gets duplicated and security is much harder to control.
Using spreadsheets can also cause version-control problems when files are shared among teams, creating a weak link for GDPR compliance. If just one person isn’t working with the latest version of a spreadsheet, data accuracy degrades.
4. Lack of data security
Critical information cannot be encrypted with spreadsheets, immediately exposing data to security breaches. Sensitive data needs additional protective measures and stricter access controls. If something goes wrong, admitting that data is stored unencrypted in insecure spreadsheets exposes the business to greater risk.
5. Third-party involvement and lack of access control
In corporate hospitality, data inevitably gets shared with external vendors, partners, and venues. Third-party involvement increases the risk of sensitive client information being exposed or stolen.
If working with third parties, it is essential to have a software platform where user access is controlled at an individual level and can be based on audience segments. A key pillar of good information security practice is ensuring data is only accessed on a need-to-know basis.
Automate your way to GDPR compliance with Sponsorworks
Sponsorworks is the most flexible and easy-to-use software platform for brands and rights holders to automate the operations and evaluation of their sponsorship, corporate hospitality, and event programs.
Automating workflows and email communication saves time and money, but, equally important, the Sponsorworks platform helps to mitigate GDPR compliance risks. Our automated data management policies eradicate human errors and duplicate data sets and ensure sensitive data is deleted within acceptable legal timeframes.
Don’t leave GDPR compliance to chance
Never underestimate the importance of GDPR in corporate hospitality. One slip-up could result in catastrophic business consequences. Automating your corporate hospitality with Sponsorworks saves enormous time and mitigates GDPR compliance risks so that you can sleep easy at night.
Why not book a demo? We are here to make your GDPR fears a thing of the past.