Data ownership has quickly become a hot topic amongst organisers, and Douglas Emslie at Tarsus said it best during the UFI Live session: "This is the Amazon moment, going into the bookstore, this is Facebook coming after media companies ten years ago, the barbarians are at the gate!"
What sparked the topic to take centre stage was a session during the UFI Conference in Europe where our Founder & CEO, Tim Groot, was featured. Tim advocated for changes in how event technology platforms manage customer data and compared event tech today and Facebook, Amazon and other large tech companies. Event organisers need transparency and clarity over the management of their customer data.
The Data Ownership Checklist
To help event organisers, we have created a checklist to review when speaking with technology suppliers to help digital leaders understand the processes and management of their customer data and select providers that best suit their present and future needs.
Controllers and Subprocessors
Two terms that it's essential to understand when we consider customer data are Controllers and Subprocessors.
In GDPR terms, while the event organiser remains the 'controller' of event and personal data, they will often use services or technology to process this data – known as 'Data Processors'. If the Data Processor then subcontracts some of the services required to do the processing, then these companies are 'subprocessors'.
This passing of data can result in complex issues regarding the ownership of personal data. While using suppliers as Data Processors is a necessary part of working with any vendor, organisers must maintain their position as the sole Data Controller. Some platforms will end becoming a co-controller or the sole owner of some of the Customer Data.
In short, event organisers should retain the Controller status of customer data and understand who can process or sub-process this data.
All suppliers will structure their contracts slightly differently, but you'll typically see three types of data documented, and it is crucial to understand the differences:
- User Identity Data - This is simply the email and password that an event participant uses to sign in to your event. Suppose you don't own and control the Identity of the event participant, but the platform does. In that case, another organiser will benefit from using the platform as the event participant can jump seamlessly into a competitive event.
- Personal Identifiable Data (PII) - This goes beyond the identity and typically involves information such as the job title, company name, phone number, gender and other PII data. The main point to consider with PII data for organisers is whether the platform is a sub-processor for the organiser or a co-controller.
- Anonymised Usage Data - An example of anonymised usage data might be someone in banking who requested a meeting with someone in technology, and this meeting is accepted.While this data can be owned by the organiser or by the supplier, in either case, it's useful for machine learning algorithms to improve their performance. Using this data safely will enhance platforms without any risk to the organiser losing control over their customer data. At Grip, we use anonymised usage data to improve our machine learning algorithms without impacting organisers and their control and ownership of the User Identity Data and Personal Identifiable Information.
To dive deeper into this subject and for a comprehensive checklist on data ownership, download our full white paper. You can expect to learn:
- Detailed definitions of the differences between data controllers and processors.
- Clarity around the different types of user data (Identity, PII and Anonymised Usage Data)
- 5 Helpful questions to ask event technology suppliers as part of your evaluation process