One of Europe’s biggest shake-ups in data protection and privacy laws is coming into effect next year, and event planners need to be prepared. The new General Data Protection Regulation (GDPR) will apply to every organisation in the EU and to ANY organisation holding data on EU citizens – regardless of where that organisation is located. It is a major global issue and one that is vital for marketers to learn about, as ignoring it could lead to some very serious financial consequences.
Are your events ready for GDPR? Get your FREE eBook: ‘The Event Planner’s Guide to GDPR Compliance’, and learn what impact Europe’s new data protection regulation will have on event marketing, data management and event technology – as well as what steps event planners need to take now to get ready for the May 2018 deadline.
What Is GDPR?
The new EU General Data Protection Regulation (GDPR) was adopted last year and will be directly applicable from 25th May 2018. It’s seen as the most important change in data privacy regulations in 20 years and aims to give EU citizens more control over how their personal data is used. Why is it happening? The legislation currently in use was put in place before the Internet and cloud technology completely changed the way companies use data, and the GDPR aims to address that. The EU also wanted to give businesses a simpler, clearer legal environment in which to operate, where they have to comply with one law instead of 28 laws across the different EU countries.
How Does GDPR Impact Events?
One of the key reasons GDPR is coming into force is the exponential rate at which data is now being collected. In the events industry, we use many different data collection tools that help us gather and analyse information on attendees – from registration systems and mobile apps to surveys, social media and so on. Events also deal with highly sensitive personal data – from attendee names, contact details and employment information to gender, disabilities and dietary preferences. With data-driven marketing increasingly at the forefront of meetings and events, marketers and event planners need to prepare before the new regulations come into force.
Any organisation that collects and processes data on European citizens falls under the new regulation. So, if you are hosting events in Europe or your attendees are European citizens (regardless of where your events are taking place), then the new regulation applies to you. Also, if you’re using some kind of event management or registration software that helps you capture and process data around your events, then GDPR will apply to your technology providers too (even if they’re based outside the EU).
What Are the GDPR Requirements?
You need to remember that the GDPR focuses on the rights of individuals over companies. But what exactly does it entail? Have a look:
Consent: Event organisers will be required to obtain their attendees’ consent to store and use their data, as well as to explain how it will be used. Consent must be an active, affirmative action by the individual, rather than passive acceptance through pre-ticked boxes or opt-outs. If this isn’t already part of your registration process, then it’s something you need to do.
Breach Notification: GDPR makes it compulsory to notify both users and data protection authorities within 72 hours of discovering a security breach. Failure to do so can result in heavy fines. Learn more about what you should do if your attendee data does end up getting lost, stolen or compromised here.
Access: You must always be prepared to provide digital copies of their records to attendees who ask what personal data your organisation is processing, where the data is stored and what it’s being used for.
Right to be Forgotten: EU citizens will be able to ask you at any time not only to delete their personal data but also to stop sharing it with third parties (e.g. suppliers, hotels, venues) – who will also be obliged to stop processing it.
Data Portability: The new regulation states that individuals will have the right to transmit their data from one data controller to another. What this means for you is that upon request, you should always be ready to provide the data you have on your attendees in a commonly used digital format.
Privacy by Design: GDPR requires organisations to build data security into products and processes from the very start – this particularly applies to all the tech systems that help you gather and manage data on your event attendees.
Data Protection Officers (DPO): Some organisations that frequently monitor large amounts of data or deal with data relating to criminal convictions will also be obliged to have a DPO, who will be in charge of GDPR compliance. That means ensuring internal data protection policies are updated, staff training is conducted and that processing activities are always documented.
What Are the Penalties for Non-Compliance?
The consequences for non-compliance can depend on many things – how long the infringement lasts, the number of individuals who have been affected and the level of impact. Companies can be fined up to €20 million or 4% of their total annual turnover of the preceding financial year (whichever is higher) – that’s alongside any personal damage that may be claimed by individuals whose data has been compromised, and the personal liability of managers within your organisation.
Did you know that a data breach is essentially what can get your events into a lot of trouble under GDPR? Find out what you should do to prevent your attendee data from getting lost, stolen or compromised by getting your copy of ‘The Event Planner’s Guide to Data Security in a Post-GDPR World‘.
Some of you may remember how UK mobile operator TalkTalk was fined a record £400,000 for security failings which led to the theft of personal data of almost 157,000 customers in 2015. IT Pro has stated that under the new rules, that fine would have amounted to £59 million – to put that in context, TalkTalk’s third quarter revenue last year came to £435 million. Similarly, Tesco’s banking business would have had to face a potential penalty of almost £1.9 billion for their recent data security breach if GDPR had been in full force. Non-compliance really isn’t worth the risk.
What About Brexit?
According to Information Age, it has been confirmed that the UK will have to adhere to the EU’s GDPR when it is officially implemented in 2018 – ten months before Britain completes its exit from Europe. Surprisingly, however, research from Crown Records Management has found that a massive 44% of businesses don’t think the regulation will apply to UK businesses after Brexit.
“For so many businesses to be cancelling preparations for GDPR is a big concern because this regulation is going to affect them all one way or another,” said John Culkin, director of information management at Crown Records Management. “Although an independent Britain would no longer be a signatory, it will still apply to all businesses which handle the personal information of European citizens.”
What Do Event Planners Need to Do about GDPR?
It’s easy to look at GDPR compliance as a technology initiative and not a business one. But the reality is that even though it may be the responsibility of your IT and operations team to sort it all out, event planners need to know what they should and shouldn’t do, and what rights their attendees have, when it comes to collecting and processing personal information. And although GDPR won’t apply for another year, which may seem like a long time, in reality it’s not.
You may already be planning an event you’re hosting next year, and if your attendees are coming from Europe, then you need to make sure that you have the proper processes in place. Find out what data you store and process on European attendees so that you can work out what kind of data needs to be protected under the new regulations and what falls outside its remit. Find out where all this data is stored, how it is transferred from one system to another (or one server to another), what systems are used, and how your technology providers are processing, storing and securing the data within their own organisation and servers. If data is stored outside the EU (e.g. on cloud servers in the US), you may need to put additional contractual controls in place.
Finally, implementing changes will be a team effort, with all the key people in your organisation aware of the new requirements and procedures. So, make sure everyone is on board and understands the importance and consequences of making the changes.
Need help tracking and managing consent on event websites and registration forms? Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help support the event planner’s journey to GDPR compliance – from audit trails and consent management to anonymisation of personal information and data security.