The GDPR Guide for Eventprofs + Checklist

Over the past two decades, the internet has become a focal point for businesses to engage with their customers. In the process of knowing their customers and prospects better, companies have accumulated large stores of personal data from their customers and prospects.

There has been growing unease about how companies use this data for a long time now. In Europe, the new GDPR regulations aim to empower citizens by giving them greater control over their personal data.

The new regulations are set to change the way businesses collect, store and use personal data of their customers. This applies to all organizations that collect data of European citizens, and this definitely includes the events industry.

What is GDPR?

The General Data Protection Regulation is the biggest change to data protection regulations since the 1995 Data Protection Directive. The new measures are designed to reflect the new ways and scale in which businesses collect personal data, and is aimed to give people more control over their own personal data. It will come into effect on 25th May, 2018.

Who does this affect?

Any person or organization collecting and using data on European citizens will be affected.

Your company doesn’t necessarily need to headquartered or have a presence on European soil. Even if you are just attending or exhibiting at an European event, you will have pay heed to the new laws.

What does the change imply?

1. 1. Personal data is any information that can be used to identify a person. Organizations need to be transparent about how they obtained the data, who they intend to share it with, while maintaining clear internal records of all this information.
   2. Existing regulations state that companies should inform how they intend to use the data, but the new regulations are much more stringent. Privacy laws are more strict, which means that people will need to know that you are collecting data lawfully and for how long you plan to store the data. This is in addition to the existing laws, which need you to tell people how you intend to use personal information and disclose your company’s identity.
   3. In the event of a data breach of any magnitude, affected people have the right to know of its occurrence within 72 hours of the first breach instance.
   4. People are also empowered to question and fight decisions that have been made based on their data, and bring into question the veracity of algorithmic-based decision making.

(source)

1. Existing laws are not clear in enforcing personal data laws, but the new laws give the people stronger rights and more control over their own personal data. Companies will have to delete their customers’ personal data if they are asked to, and have a right to know why their data is being collected.
2. It also makes it easier for people to port whatever data they have residing on your company’s servers. This is to ensure easy switching of services if required.
3. If a company holds personal data, the responsibility of safeguarding it lies with them too. The new regulations ask for robust security and privacy considerations to be baked into products and services, which ensures the best level of data security. Also, only data relevant to the company’s tasks at hand need to be kept on file.
4. It’s not all bad news for companies. The new rules make it easier to record how companies use personal data. Earlier they had to report everything to the Data Protection authorities, but it has now become an internal function of the company. Making sense of different data laws of different nations has been a hassle for MNCs, and the new regulations make record keeping easier for them.

How does this affect the Event industry?

Events have always been treasure troves of data. There is so much information being collected with badge scans, RFID sensors, leads, attendee registrations and so on. So trade shows are going to see a change in how all this data is being processed.

The new regulations affect how you collect personal data of your attendees, vendors, prospects, and even your own employees. The data includes everything from names, email addresses, photos and IP addresses. Any data or images of attendee badges with QR codes also falls under the ambit.

If you are registering attendees, you’ll have to show how you’ll store and process the data you collect at events and tradeshows. If you are collecting business cards and scan badges, you’ll need to get your attendees’ consent through email, before you can use that data in any way. The data collected must be used for the sole intended purpose only. You should also divulge how long you intend to keep the data. They need to consent unambiguously to be a part of your marketing/follow-up campaigns.

What are the consequences of non-compliance?

Organizations who do not prove that they are GDPR compliant will have to face fines up to 20 Million EUR, or 4% of their annual worldwide turnover.

Getting started on GDPR compliance

1. Audit all your third-party tech solutions if they will be GDPR compliant.
2. Request vendors to divulge how they store personal data to identify if there are any liabilities for you.
3. Have a process in place to deal with and manage data breaches, and how you will communicate that to the people affected.
4. New contracts and deals should refer to the new regulations explicitly.
5. Ensure that all the data can be erased when you need it to be. When your customers request to erase their data, you should not be in a position you do not have complete access to their data.

While the deadline is around the corner, it doesn’t mean that event professionals can wait until then to get started. Companies should be fully compliant by that date to avoid any penalties. This is especially applicable when pre-scheduling meetings at events, which means that the data has to be compliant before that date. You will also be unable to send any marketing mails after May 25th, 2018, so the success of your follow-up campaigns depends on you getting started right now.