When we first wrote about the General Data Protection Regulation (GDPR), it seemed a long way off.
Now that 2018 is here, organisations that handle the personal data of EU citizens need to ensure that they understand and comply with the regulation before it comes into force on May 28th. If they don’t, they risk fines of €20 million or 4% of global revenues, whichever is greater.
Event organisers handle huge swathes of data. We gather it for personalisation, for improving future events, for marketing comms and more. GDPR means companies will have to change the way they collect, store, process and share that data. For organisers planning events in 2018 and beyond, processes need to be put in place to manage this data while complying with the new laws.
Brexit won’t stop UK event planners from having to comply – the UK is adopting GDPR of its own volition, and GDPR is a citizen-first law, protecting EU citizens regardless of where the data is held. Similarly, event organisers from other non-EU countries will still need to comply with the terms of GDPR when organising events that attract EU speakers, sponsors, exhibitors or delegates.
GDPR, combined with the current government review of the Privacy and Electronic Communications Regulations 2003 (PECR), means that event organisers have more to think about than ever when putting plans for 2018 into place. While an increase in workload is more than likely, it’s well worth it to avoid the huge financial penalties. Here are five major considerations to bear in mind this year.
GDPR will apply to all personal data that you collect – no matter where it comes from. You need to take stock of your sources, creating a detailed inventory of every single way in which you collect data, to ensure that each and every method complies.
Depending on your approach to data collection, this may include newsletter sign-ups, connections gained with lead magnets, telephone or email enquiries, in-event data collection, ticket sales and more. It will also include any personal information that you already hold about individuals: GDPR applies to data collected before May 2018 too.
Understanding every single means of data collection surrounding each event is a necessary first step to ensuring compliance and avoiding financial penalties. Going forward, event organisers will need to ensure that each individual has consented to supply their data – so bear this in mind if considering buying in third-party lead lists. Did everyone on that list consent to having their data sold to you?
GDPR isn’t just about gaining individuals’ consent to use their data – it’s about how their data is used too. A simple “tick this box to hear more from us” is no longer acceptable. Instead, you’ll need to gain explicit permission – from new and existing contacts alike – for every single way in which you want to use their personal information.
For event organisers, the ways in which personal data can be used are endless: sending out email newsletters, phoning to offer tickets/invite to speak/pitch for sales, requesting post-event feedback, sending copies of presentations post-event. If an individual has given explicit permission for you to send email newsletters and nothing else, you’ll be risking the huge fine for a data breach if you contact them for any other reason.
Pre-GDPR, members of your team should be briefed on these changes, sign-up forms on your website should be modified, and the contacts in your existing database should be contacted if explicit consent is required. This rule also applies going forward. Should you wish to contact your connections for a brand new reason in the future that they haven’t already consented to, permission will need to be gained before you do so.
Every single person within your organisation who has access to personal data will need to be fully briefed on GDPR requirements, in order to ensure compliance. But that’s not all: if you work alongside third parties who also have access to your databases, the onus is on you to ensure they comply too.
This could include technology vendors that create your event apps or who look after event registration/management on your behalf; external HR firms, if you use them; event sponsors, and more. The same rules apply to them as to you: ensure that they are aware of their obligations in terms of GDPR, and that anyone who needs to be removed from databases you have shared with them is removed.
This is vital: while it may seem that the data they hold is their responsibility, this isn’t the case. When you’ve shared your customers’ personal information with third parties, you’re liable should any financial penalties for non-compliance be levied.
GDPR is all about making sure individuals’ personal data is secure, and this includes how it’s stored. Unsecured Excel spreadsheets are no good – password-protected, encrypted databases are vital. Only give database access to those who absolutely require it, and change passwords on a regular basis to keep security levels high.
Take care to destroy any paper-based data collection tools, like sign-up forms used during events, or printouts of database records. Remember that transferring data to different servers or systems – for example, creating delegate lists on a tablet for the registration desk at your event – will be subject to the same rules and requirements too.
The last 12 months alone have seen a number of high profile data breaches reported – and when GDPR comes into force, there are specific ways in which such breaches must be handled.
Any breach that could result in a risk to people’s rights and freedoms will need to be reported within 72 hours of the breach taking place. Fines may be levied, but the purpose of the regulation isn’t to punish – it’s to impose an incentive on organisations so they step up their handling of security issues.
For event organisers, it’s important to have a detailed, documented procedure in place in case data breaches should occur – and making contacts aware that such documentation is in place could well help to cement greater trust in your brand.
The end of May may still seem like a long way away, especially with the workload that a brand new year brings. In truth, though, preparing for GDPR may well be a longer, more complex process than some event organisers may think: act now to start building a fully compliant company, or risk huge fines.