Data collection plays an important role in the events industry. The more personal data event managers can collect about the people who attend their events, the better they can customise the event experience, as well as future products and services.
But there is risk associated with the collection and handling of all that data. That is why the EU approved the General Data Protection Regulation (GDPR), which goes into effect on 25 May 2018. Considering many 2018 events are already in the planning phase or have already opened registration, there is no time to delay.
This article will help you to better understand what GDPR is and what it requires from you. Secondly, it will show you that GDPR is bringing some opportunities to our industry. We also share a few tips on how to educate your team and delegates.
What is GDPR and why does it matter?
The majority of data protection in Europe is based on dated legislation. GDPR replaces and improves upon existing regulations, notably, the EU Data Protection Directive of 1995, and addresses developments in mobile and cloud technology. So, in a world of online fraud, cyber security data breaches, and almost immeasurable volumes of data, I think it makes sense to update security laws that are over 20 years old.
GDPR also combines multiple existing regulations into one harmonized and simplified set of rules for all EU nations. GDPR gives EU citizens more insight into, and control over, how their personal information is collected and used. To make sure the law is followed, GDPR adds significant fines and penalties for non-compliant data controllers and processors of up to 20 million Euro or 4% of annual global turnover.
While GDPR has been adopted in the EU, the new regulations are not based on location. GDPR applies to every organization in the EU and to any organization holding data on EU citizens. This means, as an event organizer, if you are hosting an event in Europe or if your attendees are EU citizens, you are responsible for complying with GDPR. It is important to note that if you are using event management or registration software that helps you to capture and process personal data around your event, the technology you are using is subject to GDPR as well.
There are 7 major components to GDPR that companies and organizations, including event organizers, will have to follow in order to comply with the new laws. Here is a brief overview of each component:
- Consent – Obtaining the consent of your attendees to store and use their personal data can no longer be passive with pre-selected opt-in boxes. Under GDPR, event organizers are required to actively obtain consent from attendees and explain how their data will be used.
- Breach Notification – Organizations must notify both users and data protection authorities within 72 hours of discovering a security breach to avoid major fines.
- Access – Event organizers must be ready to provide digital copies of private records if an attendee asks to know what personal data of theirs is collected, where it is stored, and what it is being used for.
- Right to be Forgotten – Under the new regulations, EU citizens can ask organizations at any time to delete their personal data and ask that their data no longer be shared with 3rd party companies.
- Data Portability – The new law states that individuals are able to transmit their data from one data controller to another. Simply put, event organizers should be prepared to provide attendee data in a commonly used digital format if it is requested.
- Privacy by Design – Organizations will now be required to have data security built in to their products and processes from the start, specifically in the technology that is used to gather and manage attendee data.
- Data Protection Officers (DPO) – Organizations that monitor large amounts of data or deal with data relating to criminal convictions will be required to have a DPO who is in charge of GDPR compliance enforcement.
What Event Planners Need to Know?
Event organizers and planners use many different data collection tools from registration systems, mobile apps, surveys, and more to collect personal data from their attendees. The new GDPR is going to affect the way we capture data from attendees, what data we collect, and how it is going to be used going forward.
Under the new GDPR laws, attendees will have new rights to their personal data. Attendees will now have the right to:
- Access their personal data for free
- Know exactly how the data is being used
- Ask for errors to be corrected
- Ask the data controller to stop or to restrict the processing of their personal data
- Obtain and reuse their personal data
- Request their personal data be deleted
Collecting and processing data isn’t the only aspect of events that will be affected by GDPR. Event marketing will feel the impact of the new regulations in a big way. Event marketing efforts will no longer be able to use pre-ticked boxes or automatic opt-ins for marketing mailing lists but will need to have the attendee actively sign up to join and receive marketing messages. Also, if you are collecting attendee data and want to share this data with vendors, the new laws require you to disclose what data is shared, each vendor it is shared with, and what they will be using the data for.
WHAT IS THE BIGGEST CHALLENGE GDPR PRESENTS FOR EVENTS?
The biggest challenge the GDPR is going to bring is the way meeting planners decide what data needs to be collected from attendees in things like registration forms and apps and how that data is going to be used for marketing and personalization. It will change the way attendee data is shared with other third-party organizations like venues, sponsors, agencies and tech providers.
One of the most significant implications of GDPR is that it is retroactive. Come 25th May 2018, all data you store and process for your event will need to comply with the regulations set out by GDPR. This means you’ll need to perform a full audit on the data you currently store to check that it will be compliant ahead of GDPR. Any data that doesn’t meet the guidelines by 25th May 2018 will need to be deleted.
Event planners need to keep in mind that GDPR is not as unreasonable regarding data processing as some alarmists are making it out to be. What is important when processing any data is that you have identified one of the legal grounds for doing so (consent, legitimate interests, contractual necessity, etc.). It’s a good idea to clearly document this for all types of personal data that you process in the course of running your event. Not only does this ensure you are always complying with GDPR, it also acts as clear proof of planning and consideration should the data protection authority ever ask you for this.
IF A COMPANY HAS DONE NOTHING TO COMPLY WITH GDPR, HOW QUICKLY CAN IT GET UP TO SPEED?
Meetings and events are highly exposed to complex data collection and management, which makes GDPR compliance a must. Considering many 2018 events are already in the planning phase or have already opened registration, there is no time to delay.
GDPR preparedness requires a lot of work, but there are some smaller steps you can take to do as much as you can before the deadline. Although several authorities have stated that there will be no respite when GDPR is introduced as of May 25th, they accept that GDPR compliance is an ‘ongoing journey’. Being able to demonstrate that you are taking the correct steps towards GDPR compliance is already a big step forward. There is a lot of information to be found online. Reading through some good resources would already be a good step in the right direction.
Secondly, start by performing a full audit of the personal data you process as an event and think about minimizing the data you ask your attendees to provide. This assessment will give you a better overview to create an action plan for all non-compliant issues.
Also think about all the third parties you work with, what they do with the data and double check if those third parties are following the GDPR. As a data controller/event organizer, the latter is your responsibility. And last but not least, create GDPR awareness throughout the whole team and your event staff. They probably all have some involvement in one way or another with data processing and need to know how to appropriately manage data.
How to Prepare for GDPR?
The road to GDPR compliance can be long and complex. All corporate and agency planners should begin the process now to ensure compliance before their next event takes place. Let’s talk about how you can prepare for the new laws. Here are 5 ways to help you prepare for the implementation of GDPR:
- Educate Your Team – It is important to be sure everyone on your team and involved with your event is aware of GDPR and how it will affect your event. Make sure that they understand the changes you have made to comply with the new laws, that they are aware of security processes to keep data safe, and that they understand the risks of non-compliance.
- Run a Data Audit – The best place to start when preparing for GDPR is with an audit of the data you currently have on attendees, speakers, sponsors, and more. Find out where the data was collected and whether you have adequate consent to keep the data. Be sure to document the process of your data audit so that you can show your efforts to comply with the new regulations.
- Update Consent Boxes and Privacy Information – Check the privacy information and consent boxes found on registration forms or websites and update this text to comply with GDPR. Remember to use language that is easy to understand, clear, and concise.
- Understand Individuals’ Rights and Special Protection Laws for Children – Review the procedures you have in place and make any changes needed to cover attendee rights, like their right to ask for data to be deleted. In addition, be sure to research and understand the special protection laws for children that have been included in GDPR.
- Be Prepared for Data Access Requests and a Possible Data Breach – Now is the time to update procedures or create a plan for how your organization will handle requests from attendees for personal data. If a request is made, you must be prepared to provide the data at no cost and within 1 month of the request. Create a plan and procedure to detect and report a data breach.
DOES GDPR HAVE ANY POSITIVES FOR THE EVENTS SECTOR?
GDPR is a hard nut to crack, but it’s important to note that GDPR will also bring about some big opportunities for our industry. Organizations that are transparent and deal with data in a compliant way will gain the respect of the data subjects. A new level of trust will be built. In particular, a transparent way of communicating will be a reason why a person chooses that specific organization in the first place.
Another big GDPR challenge is the fact that it is retroactive and you need to investigate whether the processing of the data is done on a legal ground. While many event organizers are panicking about this mass loss of data, you should actually see this as a good opportunity for some digital housekeeping. This is the perfect time to improve the quality of your mailing lists, and ensure that you’re only storing the data that you actually need.
This article is intended to convey general information about GDPR only and not to provide legal advice or opinions. The contents should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or fact situation.