The upcoming EU General Data Protection Regulation (GDPR) is probably one of the most important changes facing our industry today but compliance is seen by many as a complex, challenging and costly process. Find out how what event planners can do NOW to get their events ready for the May 2018 deadline.
How will GDPR impact Meetings & Events?
GDPR is a new legal framework that is set to radically change the way we collect, process and protect the personal data of people in the European Union. We published an article on the topic a few months ago (Blog: What Event Planners Need to Know About GDPR), looking at what the new requirements meant for our industry, the implications of BREXIT and how non-compliance, compared to current data protection regulations, can bring serious financial consequences to organisations worldwide.
For event planners, specifically, there are three main reasons why GDPR matters:
- GDPR will apply to ANY organisation hosting events in the EU and ANY organisation collecting data on EU citizens and residents – regardless of where the events take place.
- Events deal with high volumes of personal data collected through registration forms, mobile apps, surveys and networking tools. It is inevitable that planners need to know what they can and can’t do under GDPR.
- GDPR requires event planners (and event management agencies) to play a bigger role in securing their event data and ensuring that third party suppliers (ex. event tech suppliers) are also GDPR compliant. Not doing so can result in big fines and lost business.
Are your events ready for GDPR? Get your FREE eBook: ‘The Event Planner’s Guide to GDPR Compliance’, and learn what impact Europe’s new data protection regulation will have on event marketing, data management and event technology – as well as what steps event planners need to take NOW to get ready for the May 2018 deadline.
How Event Planners Can Prepare for GDPR
It’s easy to look at GDPR compliance as a technology initiative and not a business one. But the reality is that even though it may be the responsibility of your IT and legal teams to sort it all out, there are a number of things that event planners need to do to make sure they don’t put their organisations at risk.
This checklist highlights the key steps to take now to prepare your events for the May 2018 deadline, based on advice published by the UK Information Commissioner’s Office (ICO):
1) Create Awareness
One of the first things you need to do is make sure that everyone in the events team (as well as other departments that deal with your event data) are aware that the law is changing to GDPR. They need to understand the changes you’re going to make around collecting, storing and managing the personal information of people coming to your events. They need to understand what they need to do to keep that data safe. And most importantly, they need to understand the risks of non-compliance (fines up to €20 million or 4% of your global annual turnover) and identify the areas that could cause problems under GDPR.
2) Run a Data Audit
You need to figure out what personal data you already hold in the databases you use around your events – starting from attendee mailing lists, speakers, sponsors and so on. You need to know exactly where that data came from and whether or not you have the adequate consent from these individuals to contact them (pre-ticked boxes and soft opt-ins no longer count with GDPR). You need to identify what systems that data is stored in, when it was last used and what it was used for. You need to know if that information was shared with other suppliers and partners (event management agencies, event technology providers). And if it was, then check that you have the adequate consent for doing so and that these third-party organisations are also complying to GDPR.
It is a BIG job. And the bad news is there’s no way round it. Say you find out you’ve shared delegate lists with sponsors and venues without the proper consent, then you need to destroy that data and make sure they do too. You will not be able to make these kinds of decisions unless you know what personal data you hold, where it came from, where it is stored and who you shared it with.
Read: 5 Questions to Ask Event Tech Providers About GDPR Compliance
3) Update Your Consent Boxes
Have a look at your current privacy notices and consent boxes in things like registration forms, apps and websites and put a plan in place for making any necessary changes in time for the GDPR deadline – including what campaigns you’re going to run to get people to opt-in again. Don’t forget if you don’t have the correct type of ‘active’ consent from someone then legally, you will no longer be allowed to contact them come May 2018. So you need to find a way of getting people to re-opt-in if you want to keep them on your mailing lists.
Under current law, you need to give people only a certain level of information on how you’ll be using their data whenever you ask for consent. With GDPR, you need to explain very clearly why you are collecting their information, how it will be used and ideally, how long you’ll keep their data for. If you’re sharing their details with sponsors and exhibitors, then you need to name those organisations – general terms like ‘sponsors’ or ‘venues’ won’t do. The language you use needs to be clear and concise and easy to understand.
4) Get to Know Your Attendee’s Rights
Don’t forget that GDPR is all about giving individuals more control over the use of their personal information. Check your processes and make sure they cover all the new rights people will have under GDPR (Blog: How GDPR Changes the Rights of Attendees). What would you do if an attendee asked you to delete all the personal information you hold on them? The new regulations state you’ll need to respond to requests within 30 days at no charge. Would your event management system help you locate and delete the data in time? What about the same data that’s been recorded into your CRM? What kind of hidden costs are there in doing this? What happens if you need to deal with multiple requests at the same time? It is important that you get answers to these questions now to assess whether or not you need to make any changes to your processes.
5) Prepare for a Data Breach
This is really key because it is essentially what can get your organisation into a lot of trouble if it’s not complying with GDPR. You should make sure you have the right procedures in place to detect and report the loss or theft of an individual’s data (think printed delegate lists). GDPR requires all organisations to report data breaches to the ICO or other such authority, if its’s likely to result in a risk to the rights and freedom of individuals (identify theft, financial loss, discrimination, damage to reputation etc). If the risk is high for any of these things happening, then you’ll have to notify the affected individuals too. Failure to report a breach within 72 hours could result in massive fines, as well as a fine for the breach itself.
6) Keep Your Event Data Safe
GDPR definitely puts security more front of mind when it comes to your event data. You’ll need to show that you’re doing your best to protect the personal information of individuals to minimise the chances of it getting into the wrong hands. Yes, you’ll need to follow your organisation’s own data security policies – from communications procedures and firewalls to the use of encryption and anti-virus software. But while your IT department will focus on typical external threats, there are risks that comes from within.
Find out who has access to your event data – both within your own organisation and the third-party suppliers that process data on your behalf (event tech vendors, event management agencies etc). Have a look at their data security policies. Think about system passwords and how often you change them. Think about how you share your event data with others and what procedures you have in place to keep data safe on-site at your event. Ensuring everyone on your team has a good understanding of what constitutes a data breach and how to follow best practices will be key to compliance.
7) Appoint a Designated GDPR Team Member
Some organisations will be required to formally designate a Data Protection Officer (DPO) to take responsibility for data protection and GDPR compliance. However, regardless of whether your organisation needs one or not (or whether compliance is something that will be managed by your IT and legal departments), it is important to have one person from the events team to take ownership of GDPR now and be the focal point of all things events and compliance.
GDPR compliance is not a simple matter and this is by no means a comprehensive list of everything you need to do to get your events ready for the May 2018 deadline – but it’s a good start. The ICO still needs to clarify a lot of the requirements and everyone agrees that preparations for the new regulations will be a complex, challenging and costly process. But those who take action now will be in the best position to succeed in the future.
Start planning for GDPR now by thinking about how your events are collecting data on EU citizens, how you’re storing consent and how you’re incorporating data security into your event planning and management processes. Find out as well what your event tech providers and third-party agencies are also doing to comply with GDPR. Finally, remember that implementing changes will be a team effort where everyone is aware of the new requirements, along with the new processes that you’ll need to put in place.
If you want more detailed information on what kind of impact GDPR will have on events and the kind of steps you need to take to get your events ready for May 2018, please download your FREE copy of ‘The Event Planner’s Guide to GDPR Compliance’ here.