The General Data Protection Regulation is a Europe-wide set of data protection laws. It’s a long-overdue standardisation of best practice in data handling across Europe, which came into force in May 2018. Although it’s an EU directive, the current British government has supported GDPR and is likely to adopt similar standards to cover British citizens post-Brexit.
Any business which holds the personal data of European citizens may find its practices challenged under GDPR, and could face a fine of 4% of its global revenues or €20 million (whichever is greater) for non-compliance.
You may be wondering why this concerns us – after all, isn’t data protection an IT thing?
No. It’s not. Corporate events involve “regular and systematic collection of personal data on a large scale”. If you’re collecting business cards, sign-ups or feedback forms, you’re collecting data that could be used to identify a given person, and so GDPR applies.
If you’re collecting a person’s data, you need to do so on a lawful basis. There are six possible legal bases for data collection under GDPR. They all have equal weight and standing, but the one that’s of most use for event organisers is legitimate interest. It’s a flexible basis that rests on what people reasonably expect their data to be used for, and what justification there is for processing it.
To establish that justification you’ll need to carry out a legitimate interest assessment. The LIA is a three-stage process in which you identify your business’s interest, show that the data has to be processed to achieve it, and balance that interest against the data rights and expectations of the individuals concerned.
For example: to host an event you need attendees, which means you need to hold the contact details of people who might be interested so you can invite them. Provided you only contact them to ask specific questions or deliver specific information about events, you have legitimate interest. The Direct Marketing Association, which lobbied for legitimate interests to be included in GDPR, has provided a full guide to the LIA process.
You still have to tell your data subjects what information you’re going to collect, what you’re going to use it for, and how you’re going to communicate with them.
In practical terms, GDPR means no more assuming that you can do what you like with someone’s details just because they gave you their business card or signed up for your newsletter – they have to be told up front and given the opportunity to opt out.
Buying in a mailing list to market your event is also a dicey prospect, unless everyone on that list has opted in to receive communications from you – or from anyone to whom the list is sold.
GDPR is retroactive – it applies to the data you’ve already collected as well as to brand new data. If you’re processing data on the basis of legitimate interests, you’ll need to send your attendees your updated, GDPR-compliant privacy policy if you haven’t done so already.
GDPR also demands increased data hygiene – reviewing your backup practices for electronic data, and looking through physical records, including drawers full of business cards, to make sure you’re not holding ‘expired’ data acquired without consent.
While much of the discussion around GDPR is digitally driven, one expert reminds us that a data breach can be as simple and physical as leaving a piece of paper on top of a printer, or an unsent email on a screen, or a card lying around on an event desk.
The way we collect data at events needs to become more secure – think less “let me take your card” and more “let me put it on this tablet and screenlock it”. It’s going to be a little more cumbersome, but the point of GDPR is to make data handling a priority for businesses, and ensure that we treat our contacts’ data with the same care we’d demand for our own.
Many brands already require their event agencies to adhere to stringent data handling practices that go beyond the needs of current data protection rules.
GDPR compliance is basically a three-stage process. Firstly, there’s data hygiene – checking to see what you’re holding, how you got it and how you’re storing it. Secondly, there’s the LIA – establishing what data you’re collecting, what for, and why you can’t operate in any other way. Thirdly, there’s planning how you’ll collect data going forward. How will you make sure that the data you collect is secure? How will you confirm that people understand how you’re using it?
GDPR is a serious matter, but at the bottom line it’s about individual rights and communication. Yes, businesses must be aware of the rules and the penalties for non-compliance – but it will help to see the opportunities in doing so, and the brand value that can be built.