Events in Europe? What you need to know about GDPR
There is a big change for those that plan and organize events in Europe. You need to understand the new GDPR and get your data in order pronto.
Beginning on May 25, 2018, the GDPR (General Data Protection Regulation) goes live and brings with it tough new data protection rules that will directly affect all companies.
The GDPR requires you to review and update how you collect, store and process the personal information of your attendees, members, and service providers.
You will need to demonstrate that you and your partners are in compliance with the GDPR. This means that you need to know that your event management company, and anyone else you share data with, are in compliance too.
Here is a quick look at some of the new rules (this is just an overview, there are pages and pages of new rules):
- Consent to Share – This means that there needs to be “clear affirmative action” before consent to share data is established. No more pre-ticked boxes stating that attendees accept the terms and conditions. They have to check the box themselves.
- Transparency – You need to be ready to tell your attendees in detail how their data will be used, where it is being stored, how long you intend to keep it, and what you are doing to make sure that it is safe.
- Lawful Processing – Basically, you need a valid legal reason to be collecting the data; you can learn more here.
- Privacy First – Your daily operations must now be privacy first. You must downsize the amount of data you hold on attendees and you must default to the best privacy settings in all of your technology.
- Hack and breach notifications – You have 72 hours to notify regulators and the affected individuals in the event of a data privacy breach where there is a risk of harm to individuals.
- Access to Info – Individuals can access their personal data, have the right to know how that data is being used, and you have a shorter time to respond to their requests for information. There is also a new “right of erasure” and “right of data portability”, which means that if they write to you and say “erase my data”, you simply have to erase their data (transaction records are an exception: if they bought a registration, you do not have to erase the transaction details).
- Accountability – You must now be ready to prove that you are complying with the GDPR. Document what you do and how you do it.
- Data Protection Officer – You must now have one. It just has to be one person who is responsible for data protection and who knows what you are doing inside and out. You can even outsource the role if you must.
- Penalties – The fines will be huge, because the regulators want you to actually do the right thing and be accountable.
- Non-Traditional Items – Yes, it is primarily computers, networks, and the web that we are talking about but there are other places attendee data lives in electronic form. Name badges, lanyards, and ID Card printer ribbons are just a few things to consider.
GDPR is a serious matter, but the bottom line is that it’s about individual rights and communication. Yes, businesses must be aware of the rules and the penalties for non-compliance – but it helps to see the opportunities in complying, and the brand value that can be built.