The General Data Protection Regulation, or GDPR, has radically changed the way event planners collect and handle the personal information of people coming to their events. But compared to the past data protection regulations, what has actually changed when it comes to the rights of attendees?
GDPR: Giving Individuals More Control
One of the big things about Europe’s new data protection law, which came into effect in May 2018, is that it focuses on the rights of individuals over organisations. And it’s happening because current legislations no longer meet the privacy needs of the digitally connected world we live in today. The existing EU Data Protection Directive was first put in place in 1998 – long before the Internet, social media and cloud computing completely changed the way companies use data, and GDPR aims to address that.
GDPR is also happening because of the exponential rate that data is being collected by organisations today – and the events industry is no exception here. We use so many different data collection tools that help us gather and analyse information on our attendees – from registration systems and mobile apps to surveys, social media, lead capture tools etc. We also deal with a lot of personal information (attendee names, contact details, employment information, gender, disabilities, dietary preferences). And this is one of the key things GDPR wants to address: that organisations dealing with personal data are doing so in a transparent and secure way – and always in the individual’s best interests.
Did you know that a data breach is essentially what can get your events into a lot of trouble under GDPR? Find out what you should do to prevent your attendee data from getting lost, stolen or compromised by getting your copy of ‘The Event Planner’s Guide to Data Security in a Post-GDPR World‘.
GDPR Will Standardise Individual Rights Globally
If your events are based outside the EU, then you may feel GDPR isn’t relevant to you. But if you’re collecting personal information on European citizens and residents through registration forms and apps, then it doesn’t matter where your events are or where your events team is based, GDPR compliance is going to apply to you.
In fact, experts are predicting that the regulation will eventually expand outside the EU as the subject of data privacy and security becomes more and more front of mind. The UK government has already confirmed that it will adhere to GDPR after it completes its exit from Europe and there are similar regulations in Canada and Australia (though not the US). People all over the world are going to start demanding more rights over their personal information and we expect GDPR standards to become the norm over the coming years.
How Will GDPR Change Your Attendees’ Rights?
GDPR will certainly change attitudes to individual rights – especially in events. It will change the mindset of event planners when it comes to deciding what data they should collect from attendees, how they use that data for things like marketing campaigns and what they need to do to keep that data safe. People aren’t fully aware of their rights yet, but they will be. In fact, IBM’s GDPR lead in the UK, Steve Norledge, recently commented how the new regulation may prompt legal firms behind the PPI claims industry to shift their business model to the GDPR and start flooding Facebook and Twitter feeds with adverts like: ‘Do you want us to do a subject-access request for you? If they can’t serve it, we’ll raise a class-action’.
And as awareness goes up, enquiries from individuals will go up too. As will the lawsuits -especially for those organisations who suffer a data breach or can’t show what steps they’ve taken to comply to the new regulation. It is therefore vital that event planners understand what changes GDPR will bring about – especially when it comes to the rights of people coming to their events.
Let’s take a look at what rights GDPR will bring to attendees when it comes to organisations collecting and processing their personal information:
Right #1: Find Out Exactly How Their Data Is Being Used
One of the major changes with GDPR will be the conditions of consent that attendees need to give for you to store and use their personal information. Using pre-ticked boxes and automatic opt-ins within registration forms, for example, will no longer be an option. Instead, consent will need to be unambiguous, using unticked opt-in boxes, separate from other terms and conditions. Attendees will also expect more clarification on how their information will be used. For example: When you’re asking attendees if you can include their details in a delegate list, then you will need to clearly state what personal information will be included in that list, the names of the third parties you will be sharing that data with (industry sectors will no longer be enough) and how these organisations will be using their information.
Right #2: Access Their Personal Data for Free
GDPR will give attendees a lot more power to access the personal information you hold on them. Under current regulations, a Subject Access Request (SAR) allows organisations to charge £10 to be given what’s held on them. With GDPR, requests for personal information have to be met within 30 days and free-of-charge.
Would you like to stay up to date on all things event tech? Sign up to the weekly EventTech Talk Newsletter here and get all the latest news, advice and tips on the technology trends shaping the events industry today.
Right #3: Request the Deletion of Their Data
GDPR will give attendees the power to get their personal data erased from your systems without delay – particularly if the information is no longer necessary for the purpose it was collected (ex. they only shared their information for that one event), if consent is withdrawn, there’s no legitimate interest or if it was unlawfully processed. Not only will they have the right to get you to delete their data, but to also stop sharing it with third parties that they had previously given consent to (ex. suppliers, hotels, venues etc), who will also be obliged to stop processing it too.
Right #4: Obtain and Reuse their Personal Data
Your attendees will now have the right to ask your organisation to give them back a copy of all the personal data they previously provided you at an event – or send this information to another organisation, which may be a competitor. They have the right to ask for this data in a commonly used and machine-readable format.
Right #5: Be Informed of a Data Breach within 72 Hours
If you lose or misplace your attendee’s personal information (think of printed delegate lists) or their data is compromised through theft or a cyberattack on your systems, then they have the right to be informed within 72 hours from the time the breach is first discovered. This can be difficult to do as most breaches can happen and no one will know about it for a while. However, failure to inform them in this timeframe can result in substantial fines for your organisation or a class-action lawsuit which your attendees can also now resort to in the case of a data breach.
The EU GDPR clearly presents some new challenges for event planners, but it also brings some big opportunities too. By focusing on the rights of individuals over organisations, the new regulation will help events become a lot more creative in the way they engage with attendees. Those that can show they’re dealing with personal information in a transparent and secure way and have respect for the privacy of individuals will succeed in building new levels of trust. And this will be key in deciding which organisations people will choose to deal with in the future.
Get your FREE eBook: ‘The Event Planner’s Guide to GDPR Compliance’, and learn what impact Europe’s new data protection regulation will have on event marketing, data management and event technology – as well as what steps event planners need to take now to get ready for the May 2018 deadline.
If you’d like to learn more about Eventsforce and how we can help your events comply to GDPR requirements, please contact one of our team on +44 (0) 207 785 6997.