One of Europe’s biggest shake-ups in data protection and privacy laws is coming into effect this May and event planners need to be prepared. The new General Data Protection Regulation (GDPR) will apply to every organisation in the EU and ANY organisation holding data on EU citizens – regardless of their location. It is a major global issue and one that is vital for marketers to learn about as ignoring it could lead to some very serious financial consequences.
What Is GDPR?
The new EU General Data Protection Regulation (GDPR) will be directly applicable from 25th May 2018. It’s seen as the most important change in data privacy regulations in 20 years and aims to give EU citizens more control over how their personal data is used. Why is it happening? Well, the legislation currently in use was put in place before the Internet and cloud technology completely changed the way companies use data, and the GDPR aims to address that. The EU also wanted to give businesses a simpler, clearer legal environment in which to operate, where they have to comply with one law instead of 28 laws across different EU countries.
How Does GDPR Impact Events?
One of the key reasons GDPR is coming into force is the exponential rate at which data is now being collected. In the events industry, we use many different data collection tools that help us gather and analyse information on attendees – from registration systems and mobile apps to surveys, social media and so on. Events in particular also deal with highly sensitive personal data – from attendee names, contact details and employment information to gender, disabilities and dietary preferences. With data-driven marketing increasingly at the forefront of meetings and events, it is inevitable that marketers and event planners will need to prepare before the new regulations come into place.
Any organisation that collects and processes data on European citizens falls under the new regulation. So, if you are hosting events in Europe or your attendees are European citizens (regardless of where your events are taking place), then the new regulation applies to you. Also, if you’re using some kind of event management or registration software that helps you capture and process data around your events, then GDPR will apply to your technology providers too (even if they’re based outside the EU).
What Are the GDPR Requirements?
You need to remember that the GDPR focuses on the rights of individuals over companies. But what exactly does it entail? Have a look:
Consent: Event organisers will be required to obtain their attendees’ consent to store and use their data, as well as explain how it will be used. Consent must be an active, affirmative action by the individual, rather than passive acceptance through pre-ticked boxes or opt-outs. If this isn’t already part of your registration process, then it’s something you need to do.
Breach Notification: GDPR makes it compulsory to notify both users and data protection authorities within 72 hours of discovering a security breach. Failure to do so can result in heavy fines.
Access: You must always be prepared to provide digital copies of private records to attendees who ask what personal data your organisation is processing, where the data is stored and what it’s being used for.
Right to be Forgotten: EU citizens will be able, at any time, to ask you not only to delete their personal data but also to stop sharing it with third parties (e.g. suppliers, hotels, venues) – who will also be obliged to stop processing it.
Data Portability: The new regulation states that individuals will have the right to transmit their data from one data controller to another. What this means for you is that upon request, you should always be ready to provide the data you have on your attendees in a commonly used digital format.
Privacy by Design: GDPR requires that organisations have data security built into products and processes from the very start – this particularly applies to all the tech systems that help you gather and manage data on your event attendees.
Data Protection Officers (DPO): Some organisations that frequently monitor large amounts of data or deal with data relating to criminal convictions will also be obliged to have a DPO, who will be in charge of GDPR compliance. That means ensuring internal data protection policies are updated, staff training is conducted and that processing activities are always documented.
What Are the Penalties for Non-Compliance?
The consequences for non-compliance can depend on many things – how long the infringement lasts, the number of individuals who have been affected and the level of impact. Companies can be fined up to €20 million or 4% of their total annual turnover of the preceding financial year (whichever is higher) – that’s alongside any personal damage that may be claimed by individuals whose data has been compromised, and the personal liability of managers within your organisation.
What Do Event Planners Need to Do about GDPR?
It’s easy to look at GDPR compliance as a technology initiative and not a business one. But the reality is that even though it may be the responsibility of your IT and operations team to sort it all out, event planners need to know what they should and shouldn’t do and the rights of their attendees when it comes to collecting and processing their personal information. And although GDPR won’t be applied for another year, which may seem like a long time – in reality, it’s not.
You may already be planning an event you’re hosting next year, and if your attendees are coming from Europe, then you need to make sure that you have the proper processes in place. Find out what data you store and process on European attendees so that you can figure out what kind of data needs to be protected under the new regulations, and what falls outside its remit. Find out where all this data is stored, how it is transferred from one system to another (or one server to another), what systems are used, and how your technology providers are also processing, storing and securing the data within their own organisation and servers. If data is stored outside the EU (e.g. on cloud servers in the US), you may need to put additional contractual controls in place.
Finally, implementing changes will be a team effort with all the key people in your organisation aware of these new requirements and procedures. So, make sure everyone is on board and understands the importance and consequences of making the new changes.