(Yes, I know they’re all the same kind of thing. I’m using the term “chamber larp” in this article because that seems to be gaining ground as the most common term right now.)
So, you’re organising a one-shot chamber larp for a convention. If you manage your players’ personal data (email addresses, names, and so on), GDPR may apply to you. And if you are in the EU (including the UK) or have EU/UK players, you are definitely subject to GDPR. (Other territories have their own data laws, obviously.)
 |
| Hosting Venice. Photo by Tsijon |
Now, I’m not a lawyer or a GDPR expert, but this is my take on the GDPR requirements.
When does GDPR apply?
GDPR protects data belonging to EU/UK citizens and residents, and it applies even if you’re outside the EU/UK. So if you’re organising a convention chamber larp with European players, GDPR applies to you – wherever you are in the world.
GDPR applies to “professional and commercial” activities. So if you are organising a chamber larp for a few friends, GDPR doesn’t apply. But if there's some kind of commercial arrangement (such as a convention, or charging players to cover room hire), then GDPR applies.
Data controller
As the organiser of a chamber larp, you are acting as an independent "data controller" for a small amount of personal data (usually name, email address, perhaps accessibility requirements). GDPR applies, and requires that you handle the data sensibly.
Broadly, the key principles are:
- Collect only what you need
- Be clear about why you’re collecting it
- Don’t expose players to each other unnecessarily
- Have a retention policy
Collect only what you actually need
For most games, you probably need:
- Name (or preferred name)
- Email address
- Character assignment information
- Perhaps a few logistics questions
Information about disabilities or health conditions is considered special-category personal data under GDPR. You may need this information depending on your game, but be aware that it is even more sensitive than other data.
Only collect additional information if there’s a clear purpose (for example, if your game doesn’t care about your players’ ages, don’t ask them!).
Your responsibilities as a data controller begin when you first receive details about your players – normally from the convention organisers.
Be clear about why you’re collecting it
It helps to be clear about why you’re collecting the data. Ideally, when you first collect data (perhaps in a sign-up or casting form, you should include something like:
I will use your contact details to send information about the game you have signed up for, including character materials, scheduling information, and post-game follow-up if necessary.
Don’t unnecessarily expose players’ data
The golden rule when sending emails to a mixed group of strangers is always to use BCC for mass emails.
(This is an easy mistake to make.)
And don’t circulate participant lists containing email addresses. If you want players to communicate before the game, get explicit permission first.
For example: Would you like to be included in a pre-game player discussion group? Your email address will be visible to the other participants.
Be careful with character materials
If you’re like me, you’ll create a spreadsheet to manage your players, with columns for player name, email, and character. This is fine for your own use (and essential if you are using a mailmerge programme).
What’s less fine is accidentally sharing that spreadsheet!
Have a retention policy
The easiest GDPR retention policy is to delete the data you no longer need. (You can’t misuse data you don’t have!)
For convention games, this might look like:
- Keep contact details until the event is over
- Keep them for a short period afterwards (e.g. 1–3 months) in case of follow-up issues
- Then delete them unless the person has separately opted into future contact
(Set a calendar reminder! And if you’re a convention organiser who gave player details to their GMs, please remind your GMs to delete those records!)
I use Gmail, Google Forms and Google Docs, so in practice this means for me:
- Deleting emails about the game to players
- Deleting my contacts
- Deleting email addresses from my casting spreadsheet
- Deleting the responses from my casting questionnaire
(It’s surprising how widely these systems share data…)
What about friends?
Obviously, some of the people who play my games are my friends, and we are regularly in contact. So do I need to delete their details as well?
I think GDPR is a little unclear here, so this is my pragmatic approach:
- I delete all the responses from my casting spreadsheet and questionnaire
- For friends (and this is a judgement), then I delete neither their emails nor their contact details, because I will need them again
In practice, this tends to mean that if you play one of my games and you are new to me, or I don’t know you very well, then I’ll delete your details. If you’re someone I’ve shared drinks with in the bar, then I probably still have your details. (If that’s you and you don’t want me to have your details, just let me know and I’ll delete them.)
And what about photographs?
I often write about my games on my blog and like to use photographs of the games in progress. So as part of my casting questionnaire, I ask: May I use a photograph/screenshot of you playing the game in future publicity? (For example, on my blog, website and social media.)
So I need to record this, which is why I keep the casting spreadsheet (although I delete actual emails from it, just to be sure).
Marketing
For those of us who occasionally organise games privately, it’s important to separate "game administration" from "future marketing."
Just because someone played your game in 2020, they may not want emails about your future games in 2027. So if you want to maintain a mailing list, make it explicit: Would you like to hear about future games I run?
Keep that list separate from event administration records. And when you do send out emails, explain how recipients can remove themselves: Just let me know if you no longer want to receive emails from me.
Or use mailing list software that handles much of this automatically: If you want to hear about future games I run, click here to subscribe to my mailing list.
Use mainstream tools sensibly
Fortunately, we don’t need enterprise-grade infrastructure to satisfy GDPR. Things like Gmail, Google Sheets and so on are fine, provided:
- Your account is secured with a strong password and preferably MFA
- Sharing permissions are controlled
- You don’t make documents publicly accessible
A simple chamber larp organiser policy
So for running chamber larps as a volunteer at conventions, a practical policy might be:
- Collect only names, email addresses, and information necessary to run the game.
- Use contact details only for organising that game.
- BCC group emails unless players have opted into a shared communication channel.
- Keep accessibility or dietary information private and delete it after the event.
- Delete participant lists a few months after the convention.
- Maintain a separate opt-in mailing list for future games.
- On request, tell players what information you hold and delete it if there is no longer a reason to keep it.
That would put you in a much stronger position than most hobby organisers and aligns well with GDPR’s core principles without creating excessive administrative overhead.
No comments:
Post a Comment