Event Profs: Get Ready for GDPR Compliance

ITA Group

There's a new regulation taking effect on May 25 that may affect you, but it isn’t state or federal. It’s a regulation in European Union (EU) law. If you're living in the United States, you're probably thinking, "Why would I be concerned with an EU regulation?"

For starters, if your company markets to individuals who live or work in the EU, and you run afoul of the GDPR, your company could be fined more than $20 million.

What is GDPR and Who Does It Affect?

The General Data Protection Regulation, or GDPR, was passed on April 14, 2016. The GDPR is designed to protect EU residents, businesses and employees with a comprehensive framework of rules governing the use of personal data. The new law replaces the Data Protection Directive 95/46/EC, with an eye towards data management in the 21st century and beyond, and it harmonizes the approach of the individual EU member states.

The GDPR applies to any company or non-profit located or operating within the borders of the EU. Notably, the GDPR also applies to organizations outside the EU that offer goods or services to individuals in the EU. Those organizations must, in turn, ensure that their suppliers adhere to the GDPR requirements. As a result, the GDPR has a broad extraterritorial reach. If you handle personal data, it probably applies to your organization in some form.

Pay Attention Event Marketers

As an event marketer, your ingestion of personal data might be analogous to “drinking from a fire hose.” So the new rules are especially important:

  • “But that event I ran is done and dusted!” Beware: the personal data you have on file from past events is regulated. Even if you don’t have international events planned in the immediate future, the GDPR still applies to how you use or store personal data of past EU participants.
  • The events you are mindlessly planning today are the personal data snafu of tomorrow. Looking ahead to an upcoming event that’s already driving registrations? Now is the time to get GDPR compliant.
  • Compliance equals better engagement and conversion from your events. This is about more than just following the law—being forthright about how you use personal data will foster trust among your participants. Complying can help improve the impact and success of your marketing.
  • Don’t forget about online events. Really. The GDPR applies to that participant data in your database, too. If you’re conducting online events which include EU participants, heads up, even if you never actually set foot in the EU.

New Roles and Responsibilities

There are also several steps that companies must take in order to comply with the GDPR. Where you stand depends on where you sit in the personal data food chain. If you are a controller, you run the data show. The controller defines how personal data records will be processed, spelling out the processes and procedures that its processors must follow. As the controller, you are the master of your personal data destiny, and your practices had better check out. If you’re a processor, you may feel like only a pawn in the game of life, but certain rules still apply: you need to adequately safeguard your controller’s personal data and follow the controller's instructions. No funny business. Know your role to understand the scope of your accountability.

Another sticking point of the GDPR is that the controller must notify its supervisory authority “without undue delay” and, where feasible, not later than 72 hours after becoming aware of a personal data breach. If the notification is not made within 72 hours, it must be accompanied by the reasons for the delay.

Data Subject Rights

Perhaps the most significant aspect of the GDPR is the expanded control EU individuals have over their own data. Treating personal data with dignity is a fundamental concept. Under the GDPR, individuals, who are called data subjects, have the right to access the data a controller holds about them. They have the right to have their data erased (the "right to be forgotten"). A data subject can also have their personal data transmitted from one controller to another. Was your system designed to accommodate this? Time to prepare.

Data Protection by Design

So many systems have grown without consideration of what happens to the personal data flowing through them. The GDPR requires you to understand where your personal data goes and to control it: keep it private, and record what you do with it. You may view this as an administrative burden, but consider the cost of not complying. Better late than never.