Monday 19 November 2018

Tech ain’t the answer

Simon Clayton, chief ideas officer at RefTech, wonders if there are some problems that technology can’t fix.

An industry survey has announced that a big percentage of people don’t like networking events and it has been suggested that perhaps technology could help people to interact and enjoy them.

I think that you are either a networker, or you are not. The inherently gregarious sales person may enjoy meeting new people and passing round their business cards but the more reserved person (like me), the ones highlighted in the survey, will never be enamoured by exchanging pleasantries with strangers and are unlikely to get anything tangible out of it. I cannot see how an app could help someone to change their personality and overcome the hurdles in their minds. 

An event app could contain a very limited form and a series of tick boxes that collect information and give you a profile, but no amount of ticking boxes can tell you that the guy you are meeting is an idiot and that you’ll want to get rid of him after 20 seconds. 

Our industry seems to assume that technology can solve every problem we are faced with - it can’t.

Thursday 4 October 2018

Simon on: Why the average exhibition app doesn't work

I’ve said many a time that I don’t believe the vast majority of exhibition apps work well for the visitors. One of the reasons for this is because I think there is a disconnect between what the visitor actually wants and what the show marketing team thinks they want.
The show marketing team wants their app to look flashy – to have every function, every bell and every whistle; to have all of the information it can possibly hold regardless of whether the visitor actually needs it. Surely the visitor must ‘need’ everything in one easy-to-reach place? But where is the evidence that so many functions are ‘needed’? If you actually stop to ask your visitors, you’ll find the very opposite is true.
Over the years we’ve looked at the sorts of apps that exhibition organisers have provided and often, they include a lot of social feeds and push messaging that users don’t seem to want but that the marketing department of the event think is amazing. Consequently, app providers are under pressure to be able to show all of these features in order to sell the app into the event.
Yes of course there are niche events where there is a lot of social interaction – perhaps geekier events for example – but the vast majority of the events don’t have that.
Equally, I’ve attended industry exhibitions in the UK where I couldn’t get an educational sessions list without installing their app – why the website couldn’t provide such simple information to a mobile device is beyond me!
I believe the purpose of a good app should be to provide a quick and easy way for a user to get key pieces of information to help them meet exhibitors at the event and get to educational sessions without interrupting the flow of their onsite experience. Visitors also need an app that takes up very little phone memory, because no matter how hard we try to prepare them, most visitors only ever download the exhibition app on their way to the event and they object to having to delete other apps or pictures of their cats and dogs to make space for an app that they’ll only use once for the duration of a show.


When it comes to exhibition apps – I definitely think that ‘less is more’: keep to the key event facts so visitors know where to go and by when; have an intuitive list of exhibitors and show where they are on a map; have access to the diary if your show is appointment led; catalogue the education sessions by speaker, time and topic and make it all very easily searchable and simple but fast to use. And above all just don’t listen to the marketing manager who insists that the visitors ‘need’ more.

Sunday 30 September 2018

Simon on: RefTech Turns 20

As registration and event management system provider RefTech celebrates its 20th anniversary, EN meets founder Simon Clayton to learn more about the origins of the company, creating a bespoke system for IMEX and a run-in with UPS. 
How did you start RefTech?
Reference Technology started out as a company that provided computer networking and web development services. My background is in IT and IT training and I initially started RefTech to pursue this path. For a lot of my life, my father Ken had been a freelance script writer so the idea of running my own business was never alien to me.
How did you become involved in the events industry?
After about five months, Ken then joined me in the business. His background was as an event producer for Rover (back in the day when their events were week-long launches in amazing locations). He knew the events industry and was a well-known figure. A few years later, Ken read that Ray Bloom and Paul Flackett were about to launch a new industry event; he knew them and approached them to see if they needed a website and if so, could we build it for them. They did have a need, but when we met them it transpired that they needed quite a bit more than a standard website!
So IMEX was your first events industry client?
We got on brilliantly with the IMEX team and we listened to their needs, which were unique and very complex so we wrote a bespoke system to manage the hosted buyer management and exhibitor portal along with the appointment system. As we approached the first IMEX in Frankfurt, they needed a badging system and so I offered to write one for them, thinking “how hard can it be?” It was a bit harder than I thought, but I wrote our first badging system in a long weekend and IMEX Frankfurt became our first major badging client.
Has anything gone wrong over the years?
One of my favourite stories is when we sued UPS. We were supplying badges for a big event in Barcelona and we’d prepared two boxes of equipment for a Saturday delivery to arrive a few days before the event, but only one arrived at the venue. After pretty much a whole day on the phone, we discovered that UPS had ‘forgotten’ to put the box on the conveyer belt at the local depot and it was still in the UK. It was a local holiday in Spain and they couldn’t deliver the box to the venue the next day so I drove over to the depot and picked the box up but by then it was 5pm and we’d missed every direct flight to Barcelona. Ken took the box, got the first flight to Alicante (the nearest airport we could get to that evening) and then drove through the night to get the box to the venue for the event. Despite all the small print that says that UPS can never guarantee a delivery, we demonstrated that they had been guilty of gross incompetence and they settled out of court. And we had a very happy client too.
What’s it like to work at RefTech?
I hope it’s great! We are a family-focused company; with lots of married couples, parents and siblings all working for us (which is great until they want to go on holiday together!) We are a Living Wage employer too and regularly hold events for the team to get together and have fun. All of that said, most traditional job interviews are based on whether the interviewer likes the candidate and how similar they are to that person but this is probably the worst way of assessing a person so we also use psychometric testing as part of the interview process to help gauge how good that person would be at the job they’re applying for.
What’s next?
We have two distinct parts of the business; our teams can manage your registration and badging for you, or we can provide you with the tools to enable you to self-manage your events. As our EventReference off-the-shelf management tool gains traction, we will see a shift into a more product focused business, whilst still serving our existing clients of course. IMEX is shifting all of their systems onto EventReference and we see this as the ideal opportunity to tell the world that EventReference is powerful enough for IMEX, but simple enough for your breakfast meeting.
We recently created an event app; after years of watching the industry and seeing how awful event apps were, I had another of my “how hard can it be” moments and created the EventReference App in a weekend. IMEX America will be using our app this year because of its simplicity and functionality – it gives an attendee what they need in an uncomplicated structure and feedback has been great. That is the ultimate accolade for us.
Tell us something we don’t know about you
I’m a geek, I’m a techie and I love gadgets but I’m not a huge fan of event tech; the events industry is about face-to-face contact and there is a real limit on how much you can improve the face to face experience. I’m also learning to fly and play the drums!

Tuesday 4 September 2018

Real Life, not Real Time

I thought I’d seen the back of wearable event tech when Google Glasses fell out of favour. When they launched in 2013, our industry fell over itself to say how they would change events for ever. But of course they didn’t because they were a gimmick that didn’t offer any tangible benefit to the way we organise events.
Wearables have a benefit in certain environments; in aviation we have a knee-board, and wearable tech to show route planning – simply because having these things on hand in a cockpit can be a huge benefit when flying a plane!
But wearable tech is now back in the events industry with vendors claiming that it will provide real time data on attendees’ location and even allow the transference of personal data from one attendee to another.
Does anyone remember ‘Bump’? It was an app that allowed you to ‘fist bump’ your phone into another’s phone to exchange personal info and so do away with the business card. Sadly, it went the way of so many new technologies because it was fixing a problem that doesn’t exist. The exchange of business cards is a practice that is convenient and one that we really don’t mind doing.
One of the claims made about wearables is that we are on the cusp of ‘data driven’ events; that wearable tech can track an attendee’s every move as they walk from the main plenary to the catering area and back again. Does anyone remember ExCeL announcing that they were going to install a tracking system through their halls? They announced it with a fanfare, but they are now strangely quiet about it because it just didn’t offer any benefits that organisers were prepared to pay for.
And hasn’t the Cambridge Analytica debacle taught us anything? People don’t like to be tracked at every level. It’s just a little bit creepy, and I haven’t even mentioned the GDPR implications. But what real benefit will it bring to the average event organiser? It is claimed that it will show the ‘sticky’ parts of an event where delegates dwell, and it will show us this in real time – actually whilst the event is taking place.
So that organisers can do what exactly? Will the screen highlight that a delegate is standing alone, so that the organiser can swoop in to introduce them to a colleague? Would the organiser watch and obsess about why delegates are standing to the left and not the right? Will it show the organiser where the most popular places of the event are? (I can tell you this for free – it will be where the food or the booze is…) In reality what live changes could be made to an event on the day because some data has shown that people prefer standing at the bar rather than sitting down?
This ‘real time’ analysis also implies that an organiser would rather watch their delegates’ movements from afar, on a screen in a voyeuristic fashion. Events are live and real, they should be experienced by all first hand, and not through a screen. All the organisers that I know will be submerged in their event, with their delegates and actively in the room.
They are busy running the event, interacting, making sure everything runs smoothly, so why should they step back and view it on a screen in real time when they are already part of it in real life? This technology is creating a barrier rather than enhancing the experience. Why should we view our events in real time when we can experience them far better in real life?

Wednesday 1 August 2018

Simon on: A GDPR cautionary tale

Lifecycle Marketing, the publishers of Emma’s Diary pregnancy guides, is in a whole heap of trouble because it sold personal data to the Labour Party. When it collected the data it told mums that it would share their data with other companies, but their privacy policy didn’t specifically state they might supply it to political parties – so once they did sell it to a political party, it meant Lifecycle was in breach of data protection legislation and this was the old Data Protection Act (1998) which isn’t anywhere near as tough as GDPR.
This story hasn’t come to a close yet though, because at the time of writing, the ICO has only announced that they will be fining Lifecycle Marketing, which is an unprecedented step in itself but it means we have to wait a few months for the full ruling to understand everything in full detail.
Our industry shares data and we should all be very careful of how we do that. Consider this example: a visitor walks onto an exhibition stand for a drinks reception and the exhibitor asks if they can scan the visitor’s badge.
It’s reasonable to say that the visitor gave permission for their data to be collected because they allowed their badge to be scanned. For the sake of clarity, it should be in the event organiser’s privacy policy that allowing your badge to be scanned by an exhibitor will mean your data will be passed to them but most people would understand that was the purpose of the scan anyway.
When you give permission for your badge to be scanned, you are giving permission for that company to be given your data. You are not giving permission for that company to share your data with other companies – stand sharers for example. The company that scanned the badge becomes a data controller and that gives them a responsibility to keep that personal data safe and if they want to share it with any other companies then they need your explicit permission separately.
So, be careful and be wary of any company that shares or sells you data even if they claim that they have the full permission of the data subject. The ICO says that companies receiving data have to have proof that the data is correctly permissioned, which means the data subjects had to understand clearly and easily who the data was going to be supplied to. In the past 18 months, the ICO has prosecuted a number of companies for using lists of categories of companies that were “too vague” for the data subjects to be able to understand where that data was going.
GDPR is in place to encourage companies to be responsible custodians of data. A company should consider that they only have data on loan; they don’t own it and so therefore they need to treat it with care. A good analogy would be that a friend may be happy to lend you their bike, but that doesn’t mean that they would be happy for you to lend their bike to someone else.

Thursday 14 June 2018

Simon on: RefTech renews information security management certification

Event registration and badging systems provider RefTech has once again achieved certification to the internationally recognised ISO/IEC standard in information security management.
RefTech first achieved the standard in 2015 for a three year term. Following annual audits, the company has now been re-assessed and achieved the new upgraded 2017 certification.
Simon Clayton, chief ideas officer, RefTech said: “Achieving this international standard is a great indication that a registration company has the technical and organisational security in place to be GDPR compliant. It is the only externally assessed certification in data security and it is only achieved as a result of a complex and demanding process. We believe that we are the only event registration and badging provider to achieve this standard in information security management throughout the company, not just on its servers.”
ISO 27001 is the internationally recognised information security management standard that proves an organisation’s commitment to the security of its customer, employee and shareholder’s information. With ISO 27001 in place, RefTech is able to minimise risks to potential data security breaches and reduce errors and costs, while demonstrating credibility and trust.
The benefits of certification to ISO 27001 include:
▪ Proving to clients an organisation keeps their information secure
▪ Achieve operational excellence
▪ Minimise risk of potential data security breaches
▪ Protects reputation
▪ Reduces errors and costs
▪ Increases business profitability
▪ Engage employees
This independent assessment was conducted by the British Assessment Bureau, a leading certification body, and confirms that the data security policies and procedures that RefTech use to handle client event data are robust and secure. RefTech first achieved this standard in 2015 and has conducted annual audits since then. This was its first re-assessment.

Thursday 24 May 2018

GDPR: a matter of consent

Since GDPR first hit the headlines there has been an awful lot of scaremongering and/or misunderstanding over the ‘consent’ part of the regulations. Many ‘experts’ claimed that a company needed specific consent from the individual for them to use their personal data but this simply isn’t true and I think it’s a lack of understanding of the full text of the regulations that is the problem here.

Article 6 of the GDPR Act clearly states that there are six different lawful reasons for processing personal data and they are all equally valid. There is no hierarchy i.e. one is not better or ‘more legally binding’ than the others. One of those reasons is that you have the data subject’s ‘consent’ but the ICO says that you shouldn’t use consent if you have another legal reason for processing the personal data.

“One of the reasons for holding and processing personal data is for the legitimate interests of the data controller as long as those interests don’t override the rights and freedoms of the data subject.” In order to find out if the rights and freedoms of the data subject are impacted you should conduct a “balancing test” and in simple cases of direct marketing, the balancing test can normally be satisfied by giving the individual the right to opt-out or unsubscribe from direct marketing.

Recital 47 of GDPR goes further and says that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” but this again is only as long as the rights and freedoms of the data subject aren’t outweighed. To summarise that - if you have a legitimate business reason for storing personal data then you don’t actually need a person’s explicit consent.

This means that if you are holding a person’s data because they attended ‘A Conference 2017’ then it is reasonable to safely and securely store their data and contact them to ask if they would like to attend ‘A Conference 2018’ because it’s a reasonable assumption that if they attended last year’s event then they may well be interested in attending this year’s event too. Be careful not to try to stretch it too far – you probably shouldn’t assume that they would also like to attend other completely unrelated events that just happen to be organised by you, or subscribe to a related magazine or other service you offer. You can take one small leap in your assumptions – from last year’s event to this year’s – but a second leap to an unrelated product may be a leap too far.

If you still aren’t sure you should take the ‘expected’ test – would the data subject reasonably expect to be invited to this year’s event? If you can morally and ethically say yes (and not because you’ve abused their data in the past), and the subject has the opportunity to opt out of the communication, then you should be fine. A good solution for other events would be to use legitimate interests for the next year’s show and have a consent tick box for “Other events that we organise that you might be interested in”.

An important point here though is that any consent tick boxes must never be checked by default and you must record exactly what the wording was at the point that the data subject agreed to it. You need to be able to prove that they consented otherwise the consent is not valid. A really important point here is that you should always document the decisions that you are making relating to this stuff because it’s a bit like your maths homework; even if you actually get the answer wrong, if you can show your reasoning and show that you thought about the legitimate interest and the data subject’s rights then you should be fine.

The ICO want us all to be more responsible and think ethically about how we all use personal data. We will be explaining the other legal reasons for storing and using data in our next blog to be published in January.

Tuesday 8 May 2018

Lies, damn lies and GDPR

By Simon Clayton, chief ideas officer and GDPR practitioner, RefTech

Are you fed up of reading conflicting information about GDPR? Are you receiving a deluge of emails from companies proclaiming that unless you sign up and give consent then you will never hear from them again and then you will miss out on their offers / newsletter etc.? At last count I’ve received 40 of these emails, many from companies who have never even contacted me before, perhaps thinking that this is their last opportunity to contact me, even though they haven’t felt the need to previously. On one hand it’s very annoying, but on the other, it’s very interesting to see the number of companies who actually have my data.

The majority of these companies probably don’t have to contact their entire database. But they are doing it under the guidance of some self-proclaimed ‘expert’ who is telling them that they have to have explicit consent to be able to store a person’s data (you don’t – ‘consent’ is only one of the six lawful reasons to store data).

Even the BBC got it wrong; an incorrect news item sat on their website for three days until they corrected it. They only corrected it because I (and presumably others) complained to them and pointed out their error; they said that having consent was the only way a company could store and process a person’s data.

A myth has to be strong for the BBC to fall for it and this myth seems to have perpetuated itself into fact, which means I am getting totally fed up pointing this fallacy out to other people. I’ve even had to step away from a GDPR Facebook group I belonged to after several heated discussions with people who simply didn’t believe me because they had heard ‘facts’ to the contrary. The final straw was a heated discussion with a woman who runs a club who told me in no uncertain terms that under GDPR she has to contact all her members and ask them for permission to continue to store their data.

Think about it; this is a club that people sign up to voluntarily and pay to join, whose member benefits include a newsletter and other contact from the club. The very nature of joining a club is that you want them to have your details, and you expect to hear from them so that you can get involved. The club’s secretary actually thinks that they have to get explicit permission from each member to be able to just fulfil the benefits of the membership. I asked her what they would do if someone joins but withholds consent (as they must be able to do if you’re using consent as your legal basis for processing data) but she couldn’t answer that one!

Think how ludicrous that sounds? It’s utter madness to think this and it’s not what GDPR states at all. You don’t need consent if you have a ‘legitimate interest’ to store a person’s data – which means that it is quite reasonable for you to continue to store your members’ data because it’s a legitimate part of their membership.

GDPR is actually a reasonable piece of legislation, designed to protect the individual. It’s not out to confuse or over complicate business, but to make us all think about what data we collect and to use it responsibly. It is a little rough around the edges and some parts need further clarification and examples, but its heart is in the right place.

Stop listening to the experts, read the ICO’s guidelines yourself and if something seems silly, then it probably is and not actually part of GDPR at all.

Friday 23 February 2018

GDPR: Take it to the limit

My GDPR blogs should now be making you think about how and why you are collecting and storing data, so I’d like to now discuss storage limitations; i.e. how long you are able to store data for.

GDPR is focused on encouraging responsible stewardship of data, and being responsible means not storing data indefinitely. The shift in responsibility means a shift in mind-set: an organisation does not own a person’s data anymore; it is simply on loan for a given task.  Keep this in mind and consider what is fair and reasonable to the data subject and do not ‘outstay your welcome’. 

Although you cannot store your data indefinitely, there are no hard and fast rules. How long you store it for is up to you to a certain extent but you have to document how long you are storing it for and justify why this length of time was chosen. You have to ‘show your workings out’ and show that your rationale is robust and totally considerate of the data subject.

If you have an annual event, you should be able to justify holding registration data for eighteen months, working on the premise that if someone came to your event in 2016 then you can hold their data and use ‘legitimate interest’ and the PECR ‘soft opt in’ caveat to contact them about the 2017 event. If they don’t come to that event, then you will probably have to work much harder to justify holding their data for the 2018 event. That said, if you can prove that a significant percentage of your audience only attends your events every other year then you may have a case. The justification is for the ICO, so it has to be documented and robust enough to stand up to investigation, should that occur.

If you cannot fully justify holding the data, then you will have to delete or anonymise it.  Remember though, not all data is equal; whilst passport and bank details should be kept for the bare minimum amount of time (you cannot justify keeping hold of such sensitive information for longer than necessary), you should be able to justify keeping a contact name and email address for a lot longer.

Your privacy policy has to tell your data subject up front at the time of collection, exactly how long you are going to store their data for, or at least tell them how you will work out the storage time. It may not be a finite fixed time – such as a year. You may wish to be more fluid, for example ‘for six months after the last event that you attended.’   

This is another great example of how GDPR will be encouraging companies to adopt better data practices that are not just good for the data subject, but much better for business too. No business should be clinging on to data that simply isn’t relevant to them any more.

GDPR is open to interpretation and there is a reason for that; it has been introduced to encourage organisations to think about how they use data and to be considerate of the data subject, not just follow a check list.

Thursday 25 January 2018

GDPR: too good to be forgotten

We’ve all received emails we don’t want – regardless of whether they’re relevant or not. Normally, it’s just a case of scrolling down and clicking the “unsubscribe” link and as long as the company sending the email is responsible then you won’t hear from them again. Some people wrongly assume that clicking an unsubscribe link will delete you from that company’s database and in fact under article 16 of the GDPR, there is a “right to erasure” which is sometimes known as the right to be forgotten. Unfortunately, this right can’t be applied in these circumstances because there is another law which prevents companies from emailing people who have opted out of marketing communications. That law is called the “Privacy and Electronic Communications Regulations” (frequently known as PECR) and because of that, any company that you have opted out of marketing communications from has a legal obligation to maintain a record of that on their suppression list and a legal obligation is one of the reasons that the right to erasure can be denied.

This is something that FlyBe, Honda and Morrisons all know too well as the ICO found them in breach of PECR in 2017 for emailing people who had previously opted out of marketing communications and fined them a total of £93,500!

The other thing to remember is that GDPR says consent must be as easy to withdraw as it is to give. So you need to make sure that your unsubscribe mechanisms are as easy as possible and crucially – are working correctly. I see plenty of poor unsubscribe mechanisms that ask me to enter the email address they sent the email to but most email clients don’t make it easy to find that out and if you have multiple email addresses it can be very frustrating. Finally, make sure you’re archiving the list of unsubscribe requests somewhere safely because if you rely on an online platform to manage that for you and they get it wrong and lose the list then you will be the one the ICO comes for if you email people you shouldn’t!  

Monday 8 January 2018

GDPR: Reasons to be Lawful

There are six lawful reasons to store and process data. I covered one – ‘legitimate interests’ – in my last blog so I thought the next obvious step would be to explain the other five.

I’ll start in order of least general relevance to the majority of the conference industry, so we can quickly get the less interesting ones out of the way, and focus on the more relevant reasons. I’ll also use the terms set out in the act to avoid confusion:

  1. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; it would be in the public interest for the Police to keep data pertaining to an individual’s criminal record for example. The ‘right to be forgotten’ is not an absolute right in this case!
  2. Processing is necessary for compliance with a legal obligation to which the controller is subject; it may be a legal requirement for a company to keep data relating to a person’s financial transactions – for accounting for example.
  3. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; it’s perfectly acceptable to keep data relating to someone who you are starting a contract with, or that you are hoping to start a contract with. This could relate to a non-financial contract too.
  4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person; the operative words here are ‘vital interests’, meaning that it is perfectly legal to process data that could make a difference to the data subject. There isn’t yet an official definition of ‘vital interests’ but you can assume ‘life or death’ as safe. This reason becomes applicable to events because it means that you can quite legitimately store data that relates to a person’s allergies, relevant medical issues or their disabilities. This also brings up the fact that the data you hold on one person could be legitimately processed under different sections of this act. For example, you could hold a person’s name and contact details under ‘legitimate interest’ and their dietary requirements under ‘vital interest’. It could also mean that you may need to keep parts of their data for longer periods than others. For example, you may have no justification for keeping their dietary requirements, but can keep contact details so you can market to them for another run of the same event. Each of these different reasons for processing their data, and your desired retention period needs to be clearly stated in your privacy policy – but we will cover that in a future blog.
  5. The data subject has given consent to the processing of his or her personal data for one or more specific purposes; this is the one that has alarmed everyone. As I have said before, if you can use any of the other five reasons for storing data, then do so. Do not go down the route of asking consent unless it is your only option.

If you do need to ask for consent, then you have to make sure that you ask for it clearly and on a granular level. Article 7 covers the conditions for consent and they are listed on page 17 of our GDPR white paper, which you can view here.

This option is very relevant when asking delegates to register for an event. I can categorically state that your event registration form will have to change under GDPR. When collecting data, consent has to be asked for in a clear and concise manner and not buried deep within the small print. Specific questions need to be asked; you cannot simply bundle consent into one ‘catch all’ statement that simply states ‘marketing’ – you must separate multiple purposes and reasons for using their data into different questions.

You also cannot dictate that consent is part of the deal – for example, that the subject is only allowed to enter an event or receive goods if they give their consent to receiving your newsletter – something you might be able to do if you were only using legitimate interests.

A data subject must give consent in an affirmative nature – i.e. they have to actively say yes, rather than simply not saying no. Equally, pre-ticked boxes that the subject has to untick are not allowed.

You also have to be able to prove that your data subject gave their consent and document exactly what they consented to. In 2016 Honda was fined £13,000 for marketing to people whose data was fed into their central database by their dealers. The dealers may have got permission to use the data, but mandatory fields were not filled in so they could not prove that they had specific permission to do so although interestingly, this was under Privacy and Electronic Communications Regulations (PECR) rather than GDPR so don’t think that just being GDPR compliant is enough!

Consent policies can change over time and so you must keep an audit trail of exactly what wording each data subject has agreed to. And obviously, you can’t change your policy and then assume that just because your data subject has agreed to a past policy that they give their permission for a newer one.

Consent relating to children’s data is a completely different matter and at the moment the acts around it are a little fuzzy as it’s written with information society services in mind (social media and the like). Thankfully it isn’t generally relevant to our industry, so we don’t need to worry about this.

It is important to remember that none of these reasons to store personal data are carte blanche to keep data indefinitely. You need to have a data retention policy that says how long you will keep personal data for – or at least, how you decide how long to keep the data for. More on that and also privacy policies in an upcoming blog.