Ask the Experts: What Impact will GDPR have on Meetings and Events?

We’ve been talking a lot about GDPR lately.  And for good reason too.  One of the biggest shake ups in data protection and privacy laws for the past 20 years, the new EU General Data Protection Regulation will come into effect in May 2018 and completely change the way events collect and handle the personal information of European attendees.  But how important are these changes actually going to be for event planners? Is GDPR going to make things like data-driven marketing and personalisation a lot more difficult? Or will the new regulation bring on some new opportunities?


Are your events ready for GDPR? Get your FREE eBook: ‘The Event Planner’s Guide to GDPR Compliance’, and learn what impact Europe’s new data protection regulation will have on event marketing, data management and event technology – as well as what steps event planners need to take to meet the new requirements.


EventTech Talk spoke to a number of well-known event experts to find out what they think about GDPR and what kind of impact it will have on the industry.  Here’s what they had to say:

Adam Parry, Editor, Event Industry News

GDPR will have a huge impact on event marketers next year, and this in my opinion is a good thing. As an industry we have been very lazy, relying on email marketing with outdated and unchecked cleansed data. I see it myself, getting invites to events from previous roles and/or having never attended the event in the first place.

We will have to work smarter as event marketers but there are tools and solutions out there to help us and not make it a case of having to work harder. Let’s take, for example, retargeting technology: it’s not new but hugely under-utilised by our industry as a way of remarketing our event to web visitors that didn’t sign up to attend.

Follow Adam Parry on Twitter: @punchtownparry

Michael Owen, CEO, EventGenuity

I’m surprised by how little is known about GDPR by those in the business events and associations sector in the United States. Of those who are familiar with the regulation, many forego learning more, as they think it applies only to organisations based in the EU. With headlines about breaches of personal data like Equifax as frequent as the sunrise, one would think at least that curiosity would drive everyone to fully understand the ramifications.

How great will the impact be in non-EU organisations? It’s hard to tell right away. At a recent session, one gent said, “I’m not going to worry about it, because it will be hard to enforce.” Hard? Yes. Impossible? No. Once non-EU enforcement is figured out, and the first massive fine occurs, I suspect interest will spike.

Misconceptions place barriers to learning: “We don’t have offices or hold meetings in the EU”, etc. For business events and associations who host attendees or have members or subscribers from the EU for whom they hold data, there is liability.

It’s not all bad news, though. There is opportunity to improve internal business processes. The requirements force organisations to become more, well, organised. Isn’t it a good thing to be more aware of what personal data one possesses, where it resides, how it is processed and protected? Compliance could well reduce financial and reputational risk, and build trust with customers, members, attendees across the board. This outcome would provide more accurate data sets and more meaningful relationships amongst organisations and valued customers.

Follow Michael Owen on Twitter: @EventGenuity


Did you know that more than 75% of event planners think that data security is a much bigger priority for them because of GDPR? Find out what you should do to prevent your attendee data from getting lost, stolen or compromised by getting your copy of ‘The Event Planner’s Guide to Data Security in a Post-GDPR World’.


Brandt Krueger, Speaker & Consultant, Event Technology Consulting

I have extremely mixed feelings when it comes to GDPR, or for that matter, a lot of attempts to regulate the Internet. While companies clearly need to be held accountable for the securing of our personal data (I’m looking at you, Equifax), and I’m in favour of data transparency – most of these attempts at legislation are reactionary and only deal with new problems as they arise.

Much of the GDPR regulations surround consent. While noble in cause, we already give our consent to all kinds of things without thinking twice about it. We click through license agreements and software permission screens without reading them, and every website in the EU has to let me know that it’s using cookies. How many times have you stopped and thought, “Oh my, I don’t know about this cookie thing. I guess I’ll just shut down my browser and walk away.” Nope, you click on it as quickly as possible to just make the pop-up go away.

I worry that we’re going to be generating more and more of these types of screens, where people will be forced to check off 37 boxes of consent, just to find out where their next hosted buyer appointment is. Customers do need to be made aware of what information they’re providing, and exactly what is being gathered about them, but I have severe concerns about the implementation. This will be the most immediate impact on the event industry – how technology companies deal with the informed consent GDPR seems to demand. I predict lots of splash screens and checkboxes that absolutely nobody will read, along with signage next to fishbowl drawings at expos that, you guessed it, nobody will read.

On the positive side, I do think it’s important to require companies to provide a high level of transparency when it comes to other people’s data, though again I’m hesitant about the implementation. Does a dump of data into a CSV count as an accurate representation of your data? And again, the different types of data that are being gathered can be difficult to provide in a way that makes sense to the person making the request. Because it’s not just about the tangible, easy to understand, data like names and addresses – it’s often about the relationships, the links, the connections between that data that’s important. Knowing your name, address, and what magazines you subscribe to are three separate data points, but their interconnectivity can be enormously revealing in ways people would be shocked to discover.

Follow Brandt Krueger on Twitter: @BrandtKrueger

Kevin Iwamoto, Senior Consultant, GoldSpring Consulting

GDPR will have a major impact on the way companies and their event suppliers manage their events in 2018 and beyond.  All meetings and events that handle registrant-attendee personal information and the ways they handle, manage, and purge that information will have to change.  The currently liberal ways that attendee personal information is shared will also have to change.  GDPR will at least temporarily hinder how attendee data and registration lists are currently used.  The proliferation of technology platforms, mobile apps, etc. that currently use personal data for marketing campaigns and for determining things like Return on Engagement (ROE) and Return on Objectives (ROO) will need to be reviewed and changed to avoid major EU fines for GDPR violations.

All companies and their event supplier partners should be doing a personal data audit now to discover the multiple areas that will need to be modified to become GDPR compliant and to avoid the potential for massive fines.  Unfortunately, so many companies remain in the dark and in denial about their GDPR complicity requirements.

Follow Kevin Iwamoto on Twitter: @KevinIwamoto

Paul Cook, Writer & Researcher/Creator of Specialised Content Consultancy, Planet Planit

GDPR will have an impact on the events industry as it will on every sector. How big that impact is will depend on how many changes organisations will need to make in the way they look after personal data currently. For those companies that have strict policies in place already it will have less of an effect.

Having said that, marketing under the new regulation is a key area that will impact all businesses. Right now, the business has the power. Next May, the businesses effectively lose that power as it will be the individual that is in control. Consent to receive marketing messages will be a key challenge for a lot of companies and now is the time to sort out the databases and work on privacy notices. No longer will companies be able to say we will send your information to interested third parties. They will need to state who those companies are. Consent needs to be recorded and updated on a regular basis.

Does it bring new opportunities? Yes absolutely. One big benefit is that companies will be able to get closer to their clients and prospects. They will need to re-think some of their existing strategies for marketing but for the companies that understand how to make the most of the regulation they will gain trust and a bigger market share. After all, who wants to deal with a company that doesn’t care about whether your identity can be stolen or not?

Follow Paul Cook on Twitter: @planetplanitbiz

George Sirius, CEO, Eventsforce

GDPR is going to change the mindset of event planners when it comes to deciding what data they should collect from attendees, how they use that data for things like marketing campaigns and what they need to do to keep that data safe.  Current practices around getting consent in using this information and sharing it with other parties like event sponsors, for example, will land organisers into big trouble after May 2018.  The regulation is also going to force planners to play a bigger role in securing all the data they collect from attendees, as well as making sure that third party suppliers like agencies and event tech suppliers are also compliant to GDPR.   Again, not doing so can result in big fines.  And that is one of the big things about GDPR.  Compared to current data protection regulations, non-compliance comes with serious financial consequences. People aren’t fully aware of their rights yet, but they will be.  And once they are, the enquiries will start to come.  As will the lawsuits – especially if an event suffers a data breach.

But it’s not all bad news. I think GDPR will bring about some big opportunities for our industry too.  Event planners will need to think and act very differently in the way they talk to attendees – and be a lot more honest in the way they manage their information too.  Those organisations that show they’re dealing with personal data in a transparent and secure way and have respect for the privacy of individuals will succeed in building a new level of trust.  And this will be key in deciding which organisations people choose to deal with in the future.

Follow George Sirius on Twitter: @georgesirius

Corbin Ball, Meetings Technology Speaker/Consultant/Writer, Corbin Ball Associates

GDPR is a sweeping set of privacy regulations that will affect any event with European attendees or members regardless of where the event takes place. Non-compliance penalties are stiff so it will be imperative that the planners work with their IT departments and technology providers to ensure that the new regulations are met.

Follow Corbin Ball on Twitter: @corbinball

New eBook: The Event Planner’s Guide to GDPR Compliance

The events industry needs to pay attention to Europe’s changing data protection laws or prepare to face the consequences.  A new eBook by Eventsforce, titled The Event Planner’s Guide to GDPR Compliance, explains why the events industry has to start taking responsibility for the upcoming General Data Protection Regulation (GDPR), its impact on event marketing, data management and event technology and what steps event planners need to take now to get ready for the May 2018 deadline.


Why Is GDPR Compliance the Responsibility of Event Planners?

GDPR will come into effect on 25th May 2018 and will apply to any organisation that collects and processes personal data on European citizens or residents. So, if you are hosting events in Europe or your attendees are European citizens (regardless of where your events take place), then the new regulation will apply to you.  And if you’re using some kind of event management or registration software that helps you capture and process the data around your events, then GDPR will apply to your technology providers too – even if they’re based outside the EU.

Is it a big deal?  Yes, because GDPR is going to change the way you collect and process personal data through things like registration forms and mobile apps. It’s going to impact how you use that data for marketing and personalisation. It’s also going to impact the measures you have in place to keep that data safe. And though you’ll be right in thinking that compliance is something that will be dealt with by your IT, legal, operations or marketing teams, the reality is that the responsibility for the new regulation does not stop there.  And that is because many of the things event planners do today can put their organisations under serious financial risk with GDPR:

  • Using pre-ticked consent boxes and vague opt-outs within registration forms and apps
  • Not having the proper processes and systems in place that store consent
  • Not being able to access or delete the data you hold on people – quickly, at no cost
  • Sharing delegate lists freely with venues, speakers and other attendees
  • Not paying attention to the data freelancers and temp staff have access to
  • Emailing unsecure spreadsheets & leaving unattended registration lists on-site

The consequences of these actions are huge compared to current data protection regulations, especially if the data gets into the wrong hands. And though people aren’t fully aware of their rights yet, they will be.  And once they are, the enquiries will start to come.  As will the lawsuits.  It is therefore important that event planners understand exactly what they should and shouldn’t do under GDPR – so that they can then figure out what changes they need to make around collecting and managing the personal information of people that come to their events.

eBook: The Event Planner’s Guide to GDPR Compliance

GDPR presents some big challenges to the events industry, but it also brings some big opportunities too. The ‘Event Planner’s Guide to GDPR Compliance’ eBook gives a simple overview of what GDPR actually means for event planners, what changes it will bring about compared to current regulations, the rights of attendees, the risks of non-compliance and the consequences of BREXIT.

It also provides insight on how GDPR will impact event marketing, data security and event technology, as well as a step-by-step guide on what event planners need to do now to meet the May 2018 deadline. Highlights include:

Event Marketing Under GDPR – One of the major changes for event planners with regards to GDPR compliance will be the conditions of consent – this will have a profound effect on the way we currently use personal information to build mailing lists and push the marketing activities we do around events.  The eBook covers the topic through a Q&A that provides answers from experts on some of the most common questions event marketers have about GDPR.

Data Security Under GDPR – Data security is another issue that becomes more of a priority under GDPR. Organisations will have to show that they’re doing their best to protect the personal information of individuals to minimise the chances of it getting into the wrong hands. The eBook exposes a number of important vulnerability areas that event planners should be putting greater attention to and what they need to do in the case of a data breach.

Event Technology Under GDPR – GDPR regulations require compliance both by the company hosting an event and by the event tech companies that process data on their behalf (ex. registration systems, mobile apps, surveys, networking tools etc.). The eBook explains why event planners dealing with non-compliant vendors can pose a big financial risk to their organisations.  It also outlines the important questions planners need to ask tech suppliers to ensure they’re fulfilling their legal obligations.

What Steps to Take to Prepare for GDPR – A simple nine-point checklist which highlights the key steps event planners need to take to prepare for GDPR, based on advice published by the UK’s Information Commissioner’s Office (ICO). Highlights include how to create awareness about the new regulation across your team, how to run a data audit to assess what needs to be done with all the personal data your systems hold on people, as well as guidance on managing consent boxes within forms.

The eBook also highlights the opportunities that GDPR brings to the events industry.  It looks at how compliance will give organisations the chance to show that they’re dealing with personal data in a transparent and secure way.  This will help them build a new level of trust with attendees and customers, which will be key in deciding which organisations people choose to deal with in the future.

To learn more about Eventsforce and how it can help events with GDPR compliance, please contact one of our team at gdpr@eventsforce.com


Will GDPR Change the Rights of Your Attendees?

The General Data Protection Regulation, or GDPR, has radically changed the way event planners collect and handle the personal information of people coming to their events. But compared to the past data protection regulations, what has actually changed when it comes to the rights of attendees?

GDPR: Giving Individuals More Control

One of the big things about Europe’s new data protection law, which came into effect in May 2018, is that it focuses on the rights of individuals over organisations. And it’s happening because current legislation no longer meets the privacy needs of the digitally connected world we live in today. The existing EU Data Protection Directive was first put in place in 1998 – long before the Internet, social media and cloud computing completely changed the way companies use data, and GDPR aims to address that.

GDPR is also happening because of the exponential rate at which data is being collected by organisations today – and the events industry is no exception here. We use so many different data collection tools that help us gather and analyse information on our attendees – from registration systems and mobile apps to surveys, social media, lead capture tools etc. We also deal with a lot of personal information (attendee names, contact details, employment information, gender, disabilities, dietary preferences). And this is one of the key things GDPR wants to address: that organisations dealing with personal data are doing so in a transparent and secure way – and always in the individual’s best interests.


Did you know that a data breach is essentially what can get your events into a lot of trouble under GDPR? Find out what you should do to prevent your attendee data from getting lost, stolen or compromised by getting your copy of ‘The Event Planner’s Guide to Data Security in a Post-GDPR World’.


GDPR Will Standardise Individual Rights Globally

If your events are based outside the EU, then you may feel GDPR isn’t relevant to you.  But if you’re collecting personal information on European citizens and residents through registration forms and apps, then it doesn’t matter where your events are or where your events team is based, GDPR compliance is going to apply to you.

In fact, experts are predicting that the regulation will eventually expand outside the EU as the subject of data privacy and security becomes more and more front of mind.  The UK government has already confirmed that it will adhere to GDPR after it completes its exit from Europe and there are similar regulations in Canada and Australia (though not the US).  People all over the world are going to start demanding more rights over their personal information and we expect GDPR standards to become the norm over the coming years.

How Will GDPR Change Your Attendees’ Rights?

GDPR will certainly change attitudes to individual rights – especially in events. It will change the mindset of event planners when it comes to deciding what data they should collect from attendees, how they use that data for things like marketing campaigns and what they need to do to keep that data safe. People aren’t fully aware of their rights yet, but they will be.  In fact, IBM’s GDPR lead in the UK, Steve Norledge, recently commented how the new regulation may prompt legal firms behind the PPI claims industry to shift their business model to the GDPR and start flooding Facebook and Twitter feeds with adverts like: ‘Do you want us to do a subject-access request for you?  If they can’t serve it, we’ll raise a class-action’.

And as awareness goes up, enquiries from individuals will go up too. As will the lawsuits – especially for those organisations who suffer a data breach or can’t show what steps they’ve taken to comply with the new regulation. It is therefore vital that event planners understand what changes GDPR will bring about – especially when it comes to the rights of people coming to their events.

Let’s take a look at what rights GDPR will bring to attendees when it comes to organisations collecting and processing their personal information:

Right #1:  Find Out Exactly How Their Data Is Being Used

One of the major changes with GDPR will be the conditions of consent that attendees need to give for you to store and use their personal information.  Using pre-ticked boxes and automatic opt-ins within registration forms, for example, will no longer be an option. Instead, consent will need to be unambiguous, using unticked opt-in boxes, separate from other terms and conditions. Attendees will also expect more clarification on how their information will be used. For example: When you’re asking attendees if you can include their details in a delegate list, then you will need to clearly state what personal information will be included in that list, the names of the third parties you will be sharing that data with (industry sectors will no longer be enough) and how these organisations will be using their information.

Right #2: Access Their Personal Data for Free

GDPR will give attendees a lot more power to access the personal information you hold on them. Under current regulations, organisations are allowed to charge individuals £10 for a Subject Access Request (SAR) to be given what’s held on them. With GDPR, requests for personal information have to be met within 30 days and free-of-charge.


Right #3: Request the Deletion of Their Data

GDPR will give attendees the power to get their personal data erased from your systems without delay – particularly if the information is no longer necessary for the purpose it was collected (ex. they only shared their information for that one event), if consent is withdrawn, there’s no legitimate interest or if it was unlawfully processed. Not only will they have the right to get you to delete their data, but to also stop sharing it with third parties that they had previously given consent to (ex. suppliers, hotels, venues etc), who will also be obliged to stop processing it too.

Right #4: Obtain and Reuse their Personal Data

Your attendees will now have the right to ask your organisation to give them back a copy of all the personal data they previously provided you at an event –  or send this information to another organisation, which may be a competitor.  They have the right to ask for this data in a commonly used and machine-readable format.

Right #5: Be Informed of a Data Breach within 72 Hours

If you lose or misplace your attendee’s personal information (think of printed delegate lists) or their data is compromised through theft or a cyberattack on your systems, then they have the right to be informed within 72 hours from the time the breach is first discovered.  This can be difficult to do as most breaches can happen and no one will know about it for a while. However, failure to inform them in this timeframe can result in substantial fines for your organisation or a class-action lawsuit which your attendees can also now resort to in the case of a data breach.

Conclusion

The EU GDPR clearly presents some new challenges for event planners, but it also brings some big opportunities too. By focusing on the rights of individuals over organisations, the new regulation will help events become a lot more creative in the way they engage with attendees. Those that can show they’re dealing with personal information in a transparent and secure way and have respect for the privacy of individuals will succeed in building new levels of trust. And this will be key in deciding which organisations people will choose to deal with in the future.

If you’d like to learn more about Eventsforce and how we can help your events comply to GDPR requirements, please contact one of our team on +44 (0) 207 785 6997.

5 Questions to Ask Event Tech Providers About GDPR

One of Europe’s biggest shake ups in data protection and privacy laws is coming into effect in May 2018 and preparations across the events industry are already underway. A new industry poll from Eventsforce this month has found that 95% of event planners have started planning for the new General Data Protection Regulation (GDPR) – but are they doing enough?

Why is GDPR So Important for Events?

GDPR is a new legal framework that is set to change the way we collect, process and protect the personal data of people in the European Union. We published an article on the topic a few months ago (Blog: What Event Planners Need to Know About GDPR), looking at what the new requirements meant for our industry, the implication of BREXIT and how non-compliance, compared to current data protection regulations, can bring serious financial consequences to organisations worldwide.

For event planners, specifically, there are three main reasons why GDPR matters:

  1. Responsibility for GDPR compliance extends to marketing and event operations – not just IT and legal departments. It will apply to every organisation hosting events in the EU and ANY organisation collecting data on EU citizens and residents – regardless of where the events take place.
  2. Events deal with high volumes of personal data collected through registration forms, mobile apps, surveys and networking tools (attendee names, contact details, gender, dietary preferences etc). With data-driven marketing increasingly at the forefront of meetings and events, it is inevitable that planners need to know what they can and can’t do under GDPR.
  3. GDPR requires event planners (and event management agencies) to play a bigger role in securing their event data and ensuring that third party suppliers (ex. event tech suppliers) are also GDPR compliant. Not doing so can result in hefty fines and lost business.

Event Technology and GDPR Compliance

GDPR regulations require compliance both by data controllers (ex. company hosting an event) and data processors (ex. event tech companies like registration and mobile app providers that process data on their behalf). The requirements clearly state that data controllers must show how they are complying with the new regulations. Part of that responsibility is making sure that all the data processors they deal with are also fulfilling their legal responsibilities. If in the course of an investigation it is found that these parties have not been compliant, then the organisation hosting the event may be found liable too.

It is therefore important for event planners to find out how their event tech providers are planning to meet their obligations around GDPR by asking them the following questions:

1. Where is Our Data Hosted?

Hosting and sharing data within the EU is legally not a problem – as long as your event tech providers meet the requirements of GDPR. What can create issues and a much heavier burden on you, however, is if the data in these systems is stored in servers outside of the EU.   Remember, it is your organisation’s responsibility to ensure that data transfers outside the EU still meet GDPR standards.  Some countries like Canada have equivalent standards, while others like the US don’t.   US transfers may be covered by the ‘Privacy Shield’ agreement but this is currently under challenge in EU courts and can be a risky long-term option.

If your data is hosted in servers outside the EU, then you need to ask your providers what steps they’re taking to make sure your data transfers are compliant.  They also need to explain clearly what contractual and legal safeguards they have in place to look after your data at all times.

2. Who has Access to Our Data?

Meeting GDPR requirements for data storage and server location alone is not enough. You also need to find out how your data is being used while it’s being processed by their organisation. Find out who from their organisation has access to your data and where these people are located. For example, the support centre of your event management solution provider will have remote access to your attendees’ personal data. If the support team is based outside the EU (even if data is hosted within the EU), then you will need to ensure that they’re also complying with GDPR standards.

Find out if they also subcontract any part of your data processing to third parties or if your data is accessible through other countries or legal entities within their own corporate group. If they do, then find out what kind of data processing agreements they have in place that meet the new standards.


3. How Does Your System Allow Us To Store Consent?

One of the key changes that GDPR will bring is ensuring you have the right processes in place to store the consent you get from individuals when collecting their personal information.   For example, if you’re using an event registration system, you would want it to store the date and time an attendee ticked a particular consent box, along with the IP address that was used.  That way, if the person complains or there’s an investigation by authorities, your organisation can prove what consent was given, when it was given and how.

4. How Does Your System Help Us Delete Personal Data?

Similar to the earlier point, GDPR gives individuals the right to be forgotten – which means you need to have a process in place that allows you to quickly ‘erase’ any personal information you hold on people.  So, if someone attended one of your events but wants you to remove all their information from your database, you need to make sure that your systems have the proper processes in place to help you do that – quickly and at little cost to your organisation.

Ask your providers how their system will help you delete the information, whether this data is also deleted from backup servers and how quickly this is done.  Make sure they confirm in writing whenever they do this, as this will give you protection if they’ve failed to delete as promised.  It’s also worth asking them what their general policy is around data retention: how long they keep your data on their servers, whether it is moved to other locations and whether or not they delete it after a defined period of time.

5. How Does Your Organisation Comply with GDPR?

Ask your tech suppliers how they themselves comply with GDPR. Having an EU-based tech provider will ensure that they’re also subject to the new regulations, which will limit your own risk of non-compliance.   But that’s not enough. What is their understanding of the new regulations and how will they help you meet your own obligations?  How important is data security for them as an organisation – do they follow best practices?  How do they monitor vulnerabilities? Who has access to your data, how do they handle authorisation and what happens when someone leaves?  And what about their own suppliers and third-party contractors who also have access to their data? Having the answers to these questions will protect you from any unpleasant surprises in the future.

Conclusion

If you haven’t already started, we would highly recommend that you start planning for GDPR now by thinking about how your events are collecting data on EU citizens, how you’re storing this information and what your event tech providers are doing in preparation for the new regulations – especially if their datacentres are based outside of the EU. Finally, implementing changes will be a team effort where everyone is aware of the new requirements, along with all the new processes that you’ll need to put in place.


Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help support the event planner’s journey to GDPR readiness.  If you’d like to have a chat about GDPR and how we can help you out, get in touch with us now on +44 (0) 20-7785-7040 or info@eventsforce.com.


What Event Planners Need to Know About Europe’s New Data Protection Law

One of Europe’s biggest shake ups in data protection and privacy laws is coming into effect next year and event planners need to be prepared.  The new General Data Protection Regulation (GDPR) will apply to every organisation in the EU and ANY organisation holding data on EU citizens – regardless of their location.  It is a major global issue and one that is vital for marketers to learn about as ignoring it could lead to some very serious financial consequences.




What Is GDPR?

The new EU General Data Protection Regulation (GDPR) was adopted last year, and will be directly applicable from 25th May 2018.  It’s seen as the most important change in data privacy regulations in 20 years and aims to give EU citizens more control over how their personal data is used.  Why is it happening? Well, the legislation that is currently in use was put in place before the Internet and cloud technology completely changed the way companies use data, and the GDPR aims to address that.   The EU also wanted to give businesses a simpler, clearer legal environment in which to operate, where they have to comply with one law instead of 28 laws across different EU countries.

How Does GDPR Impact Events?

One of the key reasons GDPR is coming into force is the exponential rate at which data is now being collected. In the events industry, we use so many different data collection tools that help us gather and analyse information on attendees – from registration systems and mobile apps to surveys, social media and so on.  Events in particular also deal with highly sensitive personal data – from attendee names, contact details and employment information to gender, disabilities and dietary preferences. With data-driven marketing increasingly at the forefront of meetings and events, it is inevitable that marketers and event planners need to prepare before the new regulations come into place.

Any organisation that collects and processes data on European citizens falls under the new regulation.  So, if you are hosting events in Europe or your attendees are European citizens (regardless of where your events are taking place), then the new regulation applies to you.  Also, if you’re using some kind of event management or registration software that helps you capture and process data around your events, then GDPR will apply to your technology providers too (even if they’re based outside the EU).

What Are the GDPR Requirements?

You need to remember that the GDPR focuses on the rights of individuals over companies. But what exactly does it entail?  Have a look:

Consent: Event organisers will be required to obtain their attendees’ consent to store and use their data, as well as explain how it will be used. Consent must be an active, affirmative action by the individual, rather than passive acceptance through pre-ticked boxes or opt-outs.  If this isn’t already part of your registration process, then it’s something you need to do.

Breach Notification: GDPR makes it compulsory to notify both users and data protection authorities within 72 hours of discovering a security breach. Failure to do so can result in heavy fines.

Access: You must always be prepared to provide digital copies of private records to attendees that request what personal data your organisation is processing, where the data is stored and what it’s being used for.

Right to be Forgotten: EU citizens at any time will be able to ask you to not only delete their personal data but to also stop sharing it with third parties (e.g. suppliers, hotels, venues, etc.) – who will also be obliged to stop processing it.

Data Portability: The new regulation states that individuals will have the right to transmit their data from one data controller to another. What this means for you is that upon request, you should always be ready to provide the data you have on your attendees in a commonly used digital format.

Privacy by Design: GDPR requires organisations to have data security built into products and processes from the very start – this particularly applies to all the tech systems that help you gather and manage data on your event attendees.

Data Protection Officers (DPO): Some organisations that frequently monitor large amounts of data or deal with data relating to criminal convictions will also be obliged to have a DPO, who will be in charge of GDPR compliance. That means ensuring internal data protection policies are updated, staff training is conducted and that processing activities are always documented.


What Are the Penalties for Non-Compliance?

The consequences for non-compliance can depend on many things – how long the infringement lasts, the number of individuals who have been affected and the level of impact. Companies can be fined up to €20 million or 4% of their total annual turnover of the preceding financial year (whichever is higher) – that’s alongside any personal damage that may be claimed by individuals whose data has been compromised, and the personal liability of managers within your organisation.


Did you know that a data breach is essentially what can get your events into a lot of trouble under GDPR? Find out what you should do to prevent your attendee data from getting lost, stolen or compromised by getting your copy of ‘The Event Planner’s Guide to Data Security in a Post-GDPR World‘.


Some of you may remember how UK mobile operator TalkTalk was fined a record £400,000 for security failings which led to the theft of personal data of almost 157,000 customers in 2015.  IT Pro has stated that under the new rules, that fine would have amounted to £59 million – to put that in context, TalkTalk’s third quarter revenue last year came to £435 million. Similarly, Tesco’s banking business would have had to face a potential penalty of almost £1.9 billion for their recent data security breach if GDPR had been in full force.  Non-compliance really isn’t worth the risk.

What About Brexit?

According to Information Age, it has been confirmed that the UK will have to adhere to the EU’s GDPR when it is officially implemented in 2018 – ten months before Britain completes its exit from Europe.  Surprisingly, however, research from Crown Records Management has found that a massive 44% of businesses don’t think the regulation will apply to UK businesses after Brexit.

“For so many businesses to be cancelling preparations for GDPR is a big concern because this regulation is going to affect them all one way or another,” said John Culkin, director of information manager at Crown Records Management. “Although an independent Britain would no longer be a signatory, it will still apply to all businesses which handle the personal information of European Citizens.”

What Do Event Planners Need to Do about GDPR?

It’s easy to look at GDPR compliance as a technology initiative and not a business one.  But the reality is that even though it may be the responsibility of your IT and operations team to sort it all out, event planners need to know what they should and shouldn’t do and the rights of their attendees when it comes to collecting and processing their personal information. And although GDPR won’t be applied for another year, which may seem like a long time – in reality, it’s not.

You may be already planning around an event you’re hosting next year and if your attendees are coming from Europe, then you need to make sure that you have the proper processes in place.  Find out what data you store and process on European attendees so that you can figure out what kind of data needs to be protected under the new regulations, and what falls outside its remit. Find out where all this data is stored, how it is transferred from one system to another (or one server to another), what systems are used and how your technology providers are also processing, storing and securing the data within their own organisation and servers. If data is stored outside the EU (e.g. on cloud servers in the US), you may need to put additional contractual controls in place.

Finally, implementing changes will be a team effort with all the key people in your organisation aware of these new requirements and procedures.  So, make sure everyone is on board and understands the importance and consequences of making the new changes.


Need help tracking and managing consent on event websites and registration forms?  Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help support the event planner’s journey to GDPR compliance – from audit trails and consent management to anonymisation of personal information and data security.

For more info, get in touch: gdpr@eventsforce.com

Resources:

Life Hacker: GDPR Essentials – What You Need to Know

IT Pro: What is GDPR – Everything You Need to Know

eBook: The Event Planner’s Guide to Data Security in a Post-GDPR World