In April 2016 the European Parliament passed a new regulation on general data protection (GDPR), which will be applicable as of the 25th of May 2018. It is important to know whom this regulation will affect and how to comply with the new constraints it brings forward. This reform updates and modernises the principles declared in the 1995 European directive. It also comes with the creation of a new directive relating to personal data privacy and its protection in the context of law and order.
GDPR may seem like an obscure subject to SMEs and start-ups. So what are the overall consequences of this regulation for companies, and more specifically for the world of events? Let’s take things step by step.
Are you affected by the changes in the regulation?
This law applies to all companies that collect, process and store personal data, that is, data which can identify a person directly or indirectly.
So you may by now have understood that this involves most companies that handle European data. It also involves individuals and collectives such as associations, unions, local authorities, administrations and all structures that are concerned with personal data. These reforms are inescapable, as the collection and handling of the personal data of employees, partners, prospects or customers allow them to be identified (directly or indirectly) on a digital device (computers, servers, mails…).
To an extent, if you process any data from members of the EU you will face change no matter what. However, you may not have to appoint a Data Protection Officer (DPO) if you are not processing data in large masses, and you will not need to record all processing activities if your company has fewer than 250 employees. If you have a CRM or you are collecting data as part of your marketing operations, some changes will be in order. This applies to both BtoB and BtoC enterprises.
If you collect data from your website through subscription forms for newsletters, make sure to get the registrants’ consent and explain the purpose of the data. Be clear and precise to avoid the risk of sanctions.
For each contact on your mailing list you will have to specify the date you received their information as well as the origin of the data. You must also get a renewal of the user’s consent every 13 months through your cookies. Additionally, if a contact is older than 3 years, you must separate it if it has been inactive during that period.
You will also have to facilitate the export of your contacts’ data: within the GDPR framework, you must simplify users’ data portability towards third parties.
The right to be forgotten
A user now has the right to ask you for the information you have stored about them. This user also has the right to ask you to delete the data as part of the right to erasure (right to be forgotten).
You will be required to specify on the legal notice the nature of the data collected and its purpose.
The GDPR intends to bring transparency for all Internet users, information being the root of economic growth of companies.
Profiling is included within the scope of the new regulation and is likely to have a major impact on the marketing activities in a company. All forms of profiling should be done with direct and explicit user consent.
GDPR provides 5 legal bases under which processing remains lawful, even without consent:
- When the processing is the result of a legal obligation.
- Where the processing is necessary to safeguard the vital interests of a person.
- When the processing is necessary based on a contract with the person’s consent.
- When the processing is to safeguard public interest.
- Any other legitimate interest of the controller, unless the interests or fundamental rights and freedoms of a person can be breached, especially if it is a child.
What data is of concern?
- Professional phone
- Job title
- Business mailing address
- GPS data and IP address
- ID number, Usernames
- Elements corresponding to the physical, mental, genetic or economic identity
All of this data now counts as personal data and is therefore covered by the GDPR. You can’t collect email addresses via a third-party website or by any other means that does not have user consent.
The solution so far is the pseudonymisation of data, a type of key that effectively protects the user’s data. An encrypted document will not really be readable, which allows the individual to remain anonymous in case of data theft. The use of this method is encouraged but not mandatory. Nevertheless, it seems to be the best possible method.
The world of events in GDPR
The world of events is very particular and very much concerned by this new regulation, as in this field event organisers hold personal data (mail, gender, first name, last name) that is easily accessible and not encrypted. Organisers and event management software vendors (even if they aren’t based in Europe but store and process data from the European Union) therefore inevitably have to be up to date on the GDPR.
How to react as a #eventprof?
You must surely be in the middle of organising events for 2018. If you have attendees from the EU, you must be sure that the processes put in place comply with the regulation.
Work out which data to keep and process depending on where your attendees come from; this way you will understand which data you need to protect. You will have to understand how the data is transferred from one system or server to another, and how your software vendor secures the data collected. If you are storing data on a US-based cloud platform, you need to be sure to set up a control system and ask for new clauses in the contract.
Implementing these changes will require a lot of time and effort. Take the time to explain to your colleagues the importance of this regulation and make the necessary preparations so that you are ready for May 25, 2018; not being ready could have large consequences. In fact, the penalty is a 20 million euro fine or 4% of the total turnover of your company (whichever amount is larger).
What is its impact on the world of events?
Companies that use purchased data that they didn’t collect themselves will not be allowed to do so with people residing in the EU. So companies in the event industry will have to play on the social aspects to collect new data. This new regulation will therefore bring more relationship management into the world of events. Consent will become mandatory; it will be necessary to create a relationship of trust with participants to obtain their consent. Large companies should currently be in the process of preparing, as they have a lot more data and this data can be older.
The GDPR will definitely prevent some companies from buying and trading with others. The event industry will really have to reconsider how it goes about collecting data and will need to treat the data as if it were a person. Relationship management will be more important than ever before in the event sector.
It’s time for event professionals to take control of their data management systems and protect them, in order to ensure participants are not targeted without consent, as they are to be used daily.
This regulation is a major change for event marketers. In the future, for any data collection, they will need to specify why they are collecting the data and how they are using and storing it.
Most importantly, event professionals will not need to collect data they will not use. Even more importantly, consent will need to be given no matter what happens. If companies want to share lists, they’ll have to gain consent from all the contacts by explaining the purpose and usage of the data simply and clearly.
Important questions to ask your publisher/suppliers/agency
- Does each service/software respect the Personal data protection regulation?
- What personal data do you collect?
- What purpose does the personal data serve?
- Where is this data stored?
- Is this data protected and encrypted?
- Does the contract or the general terms of sale commit the supplier/publisher to respect the regulation on the protection of personal data?
- Are the listings you send to suppliers well protected and encrypted?
- Who is responsible to ensure the smooth running and processing of this data?
- What is the relationship between agencies and providers when it comes to data transfer?
In conclusion, the GDPR will surely shut down certain companies, as they will no longer be permitted to sell data, but it is an opportunity to change things, and we are finally coming to a point where our data will not just be treated like 0s and 1s but will hold a value. It will be treated as people. It’s all about treating people like you would want to be treated.