With the enforcement of the General Data Protection Regulation (GDPR) in May 2018, businesses around the world must adapt to this new data protection regulation. As the biggest change in EU data privacy law since the 1995 Data Protection Directive, the GDPR is going to be a game changer in every industry that collects personal data. We’ve decided to explore how event businesses should perform effective due diligence today to avoid painful penalties in May.
What is GDPR?
The GDPR is the EU’s new data protection regulation, which comes into effect on May 25, 2018. Aimed at giving individuals in the EU more control over their personal data, the GDPR is backed by heavy penalties for disregarding it. The regulation applies to all businesses that collect or process the personal data of people in the EU, regardless of where the business itself is located.
How will the events industry change after GDPR enforcement?
Europe’s new data protection law imposes new obligations on event planners and event marketers. In practice, the GDPR is going to change how you collect data through registration forms, store it, target clients in marketing campaigns, and share data with third-party organisations. This means that both event businesses and independent event organisers should put a solid compliance mechanism in place to protect themselves from heavy fines.
What are the GDPR requirements?
Before discussing compliance mechanisms, let’s first explore the actual requirements that the GDPR establishes to understand the best way for event businesses to adapt.
Here are seven principles of the GDPR that you should consider when organising or marketing an event:
- Lawfulness, fairness and transparency. Every processing operation needs a lawful basis (consent is one of several), and the data subject must be told, in clear and plain language, how and why their data is being used, whether it was collected from them directly or obtained indirectly. In short, this is the rule that kills the traditional pages of small print that irritate you so much.
- Accuracy. No inaccurate or outdated information is allowed. Data controllers are obliged to pay attention to any updates and make the necessary amendments once any inaccuracy is identified.
- Purpose limitation. Personal data may only be collected for specified, explicit and legitimate purposes, and must not be further processed in a way that is incompatible with those purposes. If a client gave you their details to register for a conference, that is not permission to add them to an unrelated mailing list.
- Minimisation. Before asking for a specific set of data, make sure you actually need it. Under the GDPR, the data you collect and process must be limited to what is necessary for the stated purpose.
- Integrity and confidentiality. The lifeblood of any data protection regulation is keeping clients’ personal data secure. As a data controller, you must put appropriate technical and organisational security measures in place and check on a regular basis that they actually work.
- Storage limitation. The GDPR says you should regularly scrub your database. Once the purpose for which you kept specific records has been fulfilled, you’re obliged to dispose of them unless you have further grounds for retention.
- Accountability. Imagine that a supervisory authority knocks on your door one day and asks you to demonstrate how you comply with the GDPR. Every data controller handling the personal data of people in the EU must be prepared for that, which means keeping records of what you hold, why you hold it, and on what lawful basis.
What are the penalties?
When the GDPR enforcement date arrives, it’s going to be a rough ride for those entering the game unprepared. One of the reasons you should be concerned is that failure to comply can have serious financial consequences for your organisation.
“One of the significant differences between the Directive and the GDPR is that the latter greatly increases the maximum fine amount—up to €20,000,000, or up to four percent of the company’s annual ‘global turnover’ for the preceding year, whichever is greater,” says TechTalk.
The penalties for GDPR non-compliance can be very heavy, especially if you think in terms of large companies like Google or Facebook. For instance, given that Facebook’s turnover was $40.7 billion in 2017, a maximum fine of four percent would come to roughly $1.6 billion.
What should event planners do about Europe’s new data protection law?
To make sure the GDPR doesn’t derail your event business in May 2018, today is the perfect time to take action. Add the following tasks to your to-do list to avoid the danger of non-compliance:
- Adopt data-auditing practices. In the best tradition of Sherlock Holmes, explore all the wheres, whos and whys of the personal data stored on your systems: which systems hold it, who has access to it, for what purpose it was collected, and on what lawful basis. With a good data-auditing mechanism in place, you’ll be able to keep storage and processing lawful and answer a regulator’s questions.
- Facilitate consent requests. Your goal is to ensure that whenever data is collected, the data subject is told why this particular information is collected, how it will be processed, and for how long it will be stored. Where you rely on consent (for example, for marketing emails), it must be a clear, affirmative opt-in rather than a pre-ticked box, and you need to record when, and to which wording, the person agreed. Think about tools that help you request and log consent automatically before a contact is added to your marketing database.
- Adjust entry forms. Data minimisation lies at the heart of the new data protection law. Go through your event registration and survey forms and remove any question you cannot tie to a specific, stated purpose.
- Ensure the highest level of security. When choosing technology partners, look at their compliance policies and how they are adapting to the GDPR; as a controller you remain responsible for the processors handling your attendees’ data, and you need a data processing agreement with each of them. Also, put an efficient breach-notification process in place so that incidents are handled as soon as they arise. Under the GDPR, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of you becoming aware of it, and the affected individuals must be told without undue delay when the breach is likely to put them at high risk.
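As an added illustration of the audit, retention and breach-notification tasks above (example code written for this article, not something the GDPR, a regulator or any event-software vendor prescribes), the Python below runs a retention and consent audit over a handful of constructed attendee records and computes the 72-hour notification deadline. The retention periods, purpose names, record fields and sample e-mail addresses are all assumptions chosen for illustration; a real controller would document its own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed retention policy, keyed by the purpose a record was collected for.
# The GDPR fixes no periods; these stand in for what a controller documents.
RETENTION = {
    "registration": timedelta(days=365),
    "marketing": timedelta(days=730),
}


@dataclass
class Attendee:
    email: str
    purpose: str                               # why the record exists
    collected_at: datetime                     # when it was collected
    marketing_consent: bool = False            # did the subject opt in to marketing?
    consented_at: Optional[datetime] = None    # when, for the accountability record
    consent_version: Optional[str] = None      # which wording they agreed to


@dataclass
class AuditResult:
    inventory: dict = field(default_factory=dict)  # purpose -> record count
    erase: list = field(default_factory=list)      # past retention or no documented purpose
    no_basis: list = field(default_factory=list)   # marketing use without a consent record


def audit(records, now):
    """Walk the attendee store and flag what must be erased or has no lawful basis."""
    result = AuditResult()
    for r in records:
        result.inventory[r.purpose] = result.inventory.get(r.purpose, 0) + 1
        limit = RETENTION.get(r.purpose)
        # Storage limitation: a purpose with no documented retention period gives
        # no grounds to keep the record, and a record older than its period is due
        # for disposal.
        if limit is None or now - r.collected_at > limit:
            result.erase.append(r.email)
            continue
        # Lawfulness and accountability: marketing use needs a recorded opt-in
        # (a timestamp to show the regulator), not merely a boolean flag.
        if r.purpose == "marketing" and not (r.marketing_consent and r.consented_at):
            result.no_basis.append(r.email)
    return result


def breach_notification_deadline(aware_at):
    """Art. 33: notify the supervisory authority without undue delay and,
    where feasible, no later than 72 hours after becoming aware of the breach."""
    return aware_at + timedelta(hours=72)


def hours_left_to_notify(aware_at, now):
    """Hours remaining until the 72-hour window closes (negative once it has)."""
    return (breach_notification_deadline(aware_at) - now) / timedelta(hours=1)


# Constructed sample data for this example (not real attendees).
NOW = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Attendee("a@example.com", "registration", datetime(2018, 3, 1, tzinfo=timezone.utc)),
    Attendee("b@example.com", "registration", datetime(2017, 1, 10, tzinfo=timezone.utc)),
    Attendee("c@example.com", "marketing", datetime(2018, 4, 2, tzinfo=timezone.utc),
             marketing_consent=True,
             consented_at=datetime(2018, 4, 2, tzinfo=timezone.utc),
             consent_version="newsletter-v2"),
    Attendee("d@example.com", "marketing", datetime(2018, 4, 3, tzinfo=timezone.utc),
             marketing_consent=True),   # flag set, but no record of when or to what
    Attendee("e@example.com", "raffle", datetime(2018, 5, 1, tzinfo=timezone.utc)),
]
BREACH_AWARE_AT = NOW - timedelta(hours=30)   # assumed: breach discovered 30 h ago

if __name__ == "__main__":
    res = audit(SAMPLE, NOW)
    print("inventory by purpose:", res.inventory)
    print("erase (past retention or undocumented purpose):", res.erase)
    print("no lawful basis for marketing:", res.no_basis)
    print("notify supervisory authority by:",
          breach_notification_deadline(BREACH_AWARE_AT).isoformat(),
          f"({hours_left_to_notify(BREACH_AWARE_AT, NOW):.0f} h left)")
```

Two design choices worth copying: the audit keys everything on the purpose the data was collected for, which is what lets a single job answer the "why" and "for how long" questions an information commissioner will ask; and a marketing opt-in only counts when the timestamp (and ideally the wording version) was stored, because a bare boolean cannot demonstrate consent after the fact.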
The GDPR is expected to change the way event businesses build relationships with both customers and technology partners. By preparing early and putting new data protection mechanisms in place, you can protect your event business from heavy fines and the damage they would do.