If you’re an event planner or marketer and not up on the General Data Protection Regulation (GDPR), a new, stricter EU data privacy law that comes into effect on May 25th 2018, the time to pay attention is now. George Sirius, CEO of Eventsforce, explains in an interview with MeetingsNet magazine why GDPR is one of the most important changes facing the events industry today.
Why is GDPR an issue for meetings and events? What type of events will it affect?
GDPR is important because it will completely change the way events and meeting planners collect, process and protect the personal information of attendees coming from Europe. It will apply to ANY event holding data on EU citizens and residents – regardless of their location. It is a major global issue and one that is vital for organisers to understand and prepare for as ignoring it could lead to some very serious financial consequences.
What impact will it have on events?
The new regulation is going to change the way meeting planners decide what data needs to be collected from attendees in things like registration forms and apps and how that data is going to be used for marketing and personalisation. It will change the way attendee data is shared with other third-party organisations like venues, sponsors, agencies and tech providers.
The regulation will also force planners to play a much bigger role in securing all the data they collect from attendees, as well as making sure that any organisation dealing with their event data is also complying with the new regulations. Not doing so can result in big fines – and this is one of the most important things about GDPR. Compared to current data protection regulations, non-compliance comes with serious financial consequences so event planners need to be prepared.
Why do meeting planners need to pay attention to GDPR? Isn’t this an IT or legal problem?
It’s easy to look at GDPR compliance as a technology initiative and not a business one. But the reality is that even though it may be the responsibility of the IT and legal teams to sort it all out, there are a number of things that event planners do today that can put their organisations under serious financial risk with GDPR. Things like using pre-ticked consent boxes in registration forms and apps and not having the proper processes in place to store attendee consent. Or sharing delegate lists freely with venues, speakers and other attendees. Or not paying enough attention to the information freelancers and temp staff have access to. Emailing unsecure spreadsheets and leaving unattended registration lists around. The list can go on and on.
It is therefore really important that event planners understand exactly what they should and shouldn’t do under GDPR – so that they can then figure out what changes they need to make around collecting and managing the personal information of people that come to their events.
How does it affect event technology providers? What should planners be talking with their event tech suppliers about when it comes to GDPR?
GDPR regulations require compliance both by the organisation hosting the event and the event tech companies that process data on their behalf (registration systems, mobile apps, surveys, networking tools etc). It is therefore important that event planners make sure that all their tech vendors and suppliers are also fulfilling their legal responsibilities. Why? Because if in the course of an investigation, the authorities find that these parties have not been compliant, then the host organisation may also be liable (even if they themselves were compliant).
So organisers need to start asking their event tech providers from now how they’re planning to fulfil their obligations around their events and GDPR – especially if their data centres are based outside the EU. They need to find out where their data is hosted and how that data is being transferred in a way that is compliant with the new regulations. They need to find out how the data is being used by the organisation, who has access to it and where they’re based. For example, if their customer support team is based outside the EU (even if data is hosted within the EU), then they’ll still need to ensure that they’re complying with GDPR standards.
In the case of registration systems, the meetings organisation needs to find out how their provider allows them to obtain and store consent, as well as how it can help them delete any personal data. And they need to ask them how they themselves as an organisation are complying with GDPR. Having an EU-based tech provider will ensure they’re also subject to the new regulations, which will limit the risk of non-compliance. But that’s not enough. What is their understanding of GDPR and how are they planning to help you, their clients, meet their obligations? How important is data security for them and do they follow best practices? What about their own suppliers and contractors who also have access to their data? Having the answers to these questions will protect event organisers from any unpleasant surprises in the future.
What aspects of GDPR are most important for meeting professionals to pay attention to?
There is no single aspect of GDPR that is less important than others – if an organisation is found to be non-compliant, then they will still be fined up to 20 million or 4% of their global turnover for each instance of non-compliance. However, as we mentioned earlier, the key concerns for event planners in particular are the issues of consent, data security and ensuring that third parties that process event data on their behalf are also meeting their legal obligations.
I think it’s important to highlight the issue of data security because a data breach is essentially what can get an organisation into a lot of trouble if it’s not complying with GDPR. Event organisers need to show they’re doing their best to protect the personal information of individuals to minimise the chances of it getting into the wrong hands. Failing to report a data breach within 72 hours can result in crippling fines under GDPR – so ensuring that everyone in the events team has a good understanding of what constitutes a data breach and how to follow best practices is key to compliance. It’s also important to think about what processes need to be put in place once a breach has been identified, including how to report it within a three-day timeframe.
What are likely to be the biggest challenges in preparing for GDPR? Are there any benefits that will result from doing the preparatory work, aside from avoiding penalties?
The biggest challenge for event planners will be around figuring out what personal data they hold on attendees/speakers/sponsors etc, where it came from and whether or not they have adequate consent – remember that pre-ticked boxes and soft opt-ins will no longer count. They need to know which systems this data is stored in, when it was last used and what it was used for. They need to know how accurate the information is, what kind of processors they have in place to keep that data safe and whether or not it’s been shared with other suppliers and partners. If it has, then they need to ensure that these parties also have the consent and that they are doing everything they can to comply with GDPR regulations and keep that data safe.
Running a data audit of this scale is a BIG job and unfortunately, there is no way round it. If you find out you have inaccurate information on one of your delegates, for example, and you have shared this information with hotels and venues, then you will need to inform them about the inaccuracy and get them to correct their own records. Or destroy the data if you never had the right consent in the first place. You will not be able to do any of this unless you know what personal data you hold, where it came from, where it is stored and who you shared it with.
It will be a challenging time ahead but it’s important to note that GDPR will also bring about some big opportunities for our industry too. Those that can show they’re dealing with personal data in a transparent and secure way and have respect for the privacy of individuals will succeed in building a new level of trust. And this will be key in deciding which organisations people choose to deal with in the future.
Do you have any tips on how to make the preparation process as painless as possible?
Some organisations will be required to formally designate a Data Protection Officer (DPO), who will take responsibility for data protection compliance. However, regardless of whether you need one or not (or compliance is something managed by IT and legal departments), it will really help the process if you have one person in the events team take ownership of GDPR and be the focal point for all things events and compliance. That way you can keep a tighter control on making sure all the necessary steps are being taken to prepare for compliance and that the events team aren’t doing anything that puts their organisations at risk.
The full interview can be read as part of the new ‘Meeting Planner’s Guide to GDPR’ published by MeetingsNet this month.