After several months and many hours of looking at systems and talking to vendors we today published a series of articles on how ticketing systems are preparing for GDPR.
From the outset these articles were not designed to be ‘reviews’ or in any way endorsements of the products or the direction their architects have taken.
It is fair to say there are differing approaches, priorities and overall levels of preparedness, in our opinion.
There were two key areas where we saw these differences, firstly in the customer audit, some systems have a robust, and have had for many years, audit of customer records, tracking each change, the channel, operator as well as before and after values. Others appear slightly later to the party. The auditing of descriptions, labels and other ‘sign up’ phrases was only seen in a few systems.
We also saw differences in readiness to be able to collect granular third party consent, that is the named party a customer is consenting to share their data with, typically this is for touring or co-productions. Here, we saw a number of vendors deliver a solution, whilst some were still in design phase. As we see in all implementations of software, there was some difference in the quality of the design and deployment.
Venues will need to examine how they move forward with their current provider and satisfy themselves that the software is capable and is configured to fit in with their own organisations policies to be compliant with GDPR. As we have said on numerous times, compliance is not the responsibility of the provider, but of the organisation using it. GDPR also stretches way beyond boring ticketing and marketing!
We have seen vendors already openly talking about or briefing their users on new GDPR tools, with more due in the New Year. So if you haven’t made a start, you best make a start. A call to your software’s support department could be a good place to start.
This article gives information in relation to what we consider to be best practice. However, compliance is context and fact sensitive and as such following any guidance does not guarantee regulatory or statutory compliance.
The Information Commissioners Office will judge any complaint on its own merits, and organisations in need of context or situation specific legal advice should seek it from an appropriately qualified source.
This work has been made possible by support from Arts Council England