GDPR. What even is it?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. It replaces the data protection directive passed in 1995, and will bring the regulatory environment up-to-date with how 21st century businesses now collect, process, and use customer data.
But doesn’t Brexit mean this has nothing to do with the UK?
Hard Brexit or not, GDPR will affect any company handling EU residents’ data – regardless of where in the world your company is headquartered. And it won’t just be Britain that needs to be aware of the new regulations.
If you’re a US-based event agency for example, but run occasional events or conferences in Frankfurt, Lisbon, or anywhere else in the EU, you’ll still need to make sure you comply with the new regulations if any of your delegates are based in EU member states.
OK, so tell me more…
Data breach notification
Unlike Yahoo, who managed to keep their calamitous hacking on the down-low for 5 long years, customers and data controllers will need to be notified within 72 hours of any data breaches. A breach can be a leak, a hack, or even just a forgetful intern leaving a laptop or USB stick in a cab.
Right to access
Individuals now have the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, where, and for what purpose. Data controllers (that’s the company that owns the personal data) must provide a copy of this data (free of charge) if requested. Moreover, individuals have the right to question and fight decisions affecting them that have been made on a purely algorithmic basis eg. targeted marketing based on algorithmic segmentation.
Right to erasure
The right to be forgotten means that individuals can have the data controller delete their personal data, stop any further dissemination of the data, and have third parties stop processing the information.
But I only store attendee registers – that’s not personal data is it?
The EU defines personal data as any information related to a person or ‘data subject’ that can be used to directly or indirectly identify the individual. It can be anything from a name, email address, photo, or computer IP address to more detailed information on medical conditions, dietary requirements and social media posts. And badging companies take note – even photos of attendee badges displaying individual QR codes would fall into this category.
Are there any penalties?
Yes – HUGE ones, which is exactly why GDPR has become an issue being discussed at board-level, highly relevant to CMOs, rather than simply a new and minor legal change. Penalties are tired, but companies can be liable for up to 4% of their annual global turnover.
What does it mean for me as an event professional?
In a lot of cases it’ll be your marketing technology and SaaS suppliers (the data processors) that will need to make sure they’re compliant, and have the requisite measures in place internally to securely manage the data they store and process for you.
What happens after my event and how long can I hold onto data after an event?
All events are different, there’s no set rule on the length of retention, but event planners should think about whether the data they’ve captured is still relevant, and how long it’s necessary to keep it. So for example, do you really need to store individual dietary requests after the event, or can this more sensitive personal data be deleted after the event?
Make sure any data you hold onto is only being used for the intended purpose too. So for example be careful about selling event attendee lists onto advertisers if you weren’t given explicit consent to do this at the outset.