Happy Anniversary, GDPR! The most significant change in data privacy regulation is almost a year old now. Let's look at some statistics:
- There have been over 200,000 reported violations.
- Regulators report 95,000 complaints from individuals across Europe.
- Companies in telemarketing, email promotion, and surveillance have reported 41,000 data breaches.
- France levied a massive fine on Google for non-compliance.
Many companies are admittedly still playing catch-up. Has your organization done everything to ensure compliance?
A Quick Refresher on GDPR
On May 25, 2018, the European Union began enforcing Regulation (EU) 2016/679 of the European Parliament. According to the European Commission, the General Data Protection Regulation (GDPR):
"regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU."
The GDPR's reach is long. Even if your company isn't based in the EU, if it processes the personal data of individuals in the EU, you must comply. The implications for event marketing organizations are huge if regulators find that you didn't follow the rules.
An Event Marketer's GDPR Checklist
We've prepped a short checklist to help make sure your organization is ready for GDPR. Please note, this is not legal advice, nor is it a comprehensive list of all the things an organization needs to do to comply. Speak with your IT and legal departments to hammer out all the details. Special thanks go out to ico.org.uk for their in-depth guide on GDPR.
Appoint a Data Protection Officer (DPO)
Someone needs to take the lead so that everyone stays on the same page with regards to GDPR compliance. So, the first order of business is designating a person who will handle all GDPR matters. Having a DPO is crucial in managing all the processes related to compliance and enforcement.
Next on the agenda is creating awareness within your organization. All members of the events team and the departments dealing with event data should be up to speed with the changes introduced by GDPR.
Everyone should understand that there will be changes in:
- Data collection
- Management of an attendee's personal information
- Data security
Non-compliance exacts a heavy toll: fines of up to 4% of annual revenue or €20 million (whichever is greater).
Audit All Data
We won't sugarcoat it.
Auditing ALL user data is a massive undertaking. For starters, you need to determine what personal information is already stored in your database. Think sponsors, guest mailing lists, and event speakers.
Data audits can be a pain, so here's a summary of what you need to do:
- Determine what personal information is present in your database.
- Find out exactly where all this event data came from.
- Check if you have adequate consent from individuals to contact them.
- Identify all the systems that store data, along with usage dates and the purpose of using them.
- Find out if third-party suppliers or partners also have access to this information.
- If other suppliers have access to your data, check if you have consent to share it and if these companies are GDPR compliant.
Secure Your Event Data
GDPR emphasizes the need for organizations to use strict security measures to safeguard personal data. IT departments use firewalls and anti-virus software to handle threats from the outside. However, some risks are internal. Identify everyone who has access to event data, both your own team and third-party vendors, and check their security protocols.
Data Breach Management
By now, you should already have a strategy regarding how to deal with a data breach. Ensure that all procedures are in place to detect, mitigate and report the theft or loss of personal information.
Under the GDPR:
- If the data breach poses a risk to the rights and freedoms of individuals, organizations must report it to the authorities within 72 hours.
- Failure to report within 72 hours may lead to huge fines and lawsuits.
- If the risk is high for identity theft, discrimination or financial loss (among others), organizations need to notify the affected individuals.
GDPR Compliant Consent Boxes
Update your consent boxes and registration forms to follow the new GDPR guidelines. Avoid pre-ticked consent boxes: under the new law, individuals must actively decide whether or not to give consent. Also, avoid legal jargon and keep things simple.
Explain in a clear and concise manner:
- The purpose of data collection
- How you'll use the data
- How long you'll keep the information
- The names of third parties (for shared data)
Know the Rights of Attendees
Always remember that GDPR is all about empowering an individual's right to personal data. Double check your internal procedures to make sure they are GDPR compliant. For example, individuals have the right to access personal information at any time. They can also ask that you delete all their data in your database. Organizations have 30 days to respond to requests or risk non-compliance.
One Last Thing
GDPR compliance is what it's all about now. The regulation is pretty good, and it makes sense on so many levels. We're all individuals who have personal information scattered across the internet. Instead of fighting GDPR, embrace it! Your organization and the people you serve will be better off in the long run.
By the way, the life of an event marketer is not all unicorns and rainbows. Make your life easier by using a fully-integrated events management platform like Aventri. We have everything you need to manage events that have the word "epic" written all over them. Sign up for a personalized demo account to find out more.
While you're here, subscribe to our blog! It only takes seconds, and you'll have access to a world of event marketing information, trends, and other interesting material.