Data has been the headline act at events in the 21st century. The forms customers fill in to buy tickets, to register for an exhibition, to enter a session at a conference or a competition at an awards ceremony, all help to shape the next time.
On May 25, General Data Protection Regulation (GDPR) supersedes the Data Protection Act. As countless of ‘please confirm you opt in to our mailing list’ emails bounce around their inboxes, event planners need to be in step with what the changes mean for their approach to collecting and processing data and, ultimately, with the benefits of the new regulation.
GDPR won’t stop data being the event currency, but the modified ‘exchange rate’ operates between tighter, more effective guidelines and planners need to understand it to cash in.
The state of our union
GDPR is EU legislation but there is no opt out, even for the staunchest Brexiter. The British government confirmed its commitment to the regulation 12 months ago, ensuring the UK framework is ‘suitable for our new digital age, allowing citizens to better control their data’.
Nine keys to compliance
Don’t panic. Even at this late stage.
GDPR is about making personal data safer. It’s not trying to catch companies out and lay them to waste with massive fines.
Know your place — A data controller determines the purpose and means of collecting and processing personal data. A data processor is responsible for processing data on behalf of the controller.
Consent — This is the principal GDPR hook, the new regulation cornerstone. Make sure you have permission to hold data pertaining to an individual. ‘Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, either through a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
So no more, ‘uncheck this box if you don’t want our emails’. You need to say what information you’re after, what you’re going to use it for and how you’re going to communicate. You need the individuals’ consent to collect their data and you need it for each use of that information, including any campaigns you come up with later on.
Right to access — Think freedom of information. GDPR means anyone can ask for the personal data a business has gathered that can be used directly to identify them, like name, email address, IP address bank details or posts on social network sites. And you must supply that information within a month.
Right to be forgotten — If an individual asks you to delete their data from your system, stop sharing it, do it!
Breach notification — In the event of a security breach likely to risk the ‘rights and freedom of individuals’, both users and data protection authorities must be notified within 72 hours.
Data Portability — A wholly new element in the data protection provision, portability gives individuals the right to ask an organisation for a copy of all the personal data they have provided or to have it sent to any other company, including the competition, and it has to be supplied in a popular, useable format.
Privacy by design — Make sure data collection and processing is secure. Data controllers, review your data processor’s systems.
Data Protection Officers — Organisations that frequently monitor large amounts of data need to appoint a Data Protection Officer, who will look after GDPR compliance, making sure the company’s data protection policies are up-to-date, that processing activities are always documented, and looking after any necessary staff training.
Also, remember existing data has to comply with the GDPR benchmarks as much as the information you gather on or after May 25. So inform your contacts on how you intend to get in touch and what for.
GDPR isn’t negotiable. It’s the gateway to the next era of data management. Every business has to know the new rules, abide by them and learn how to reap the benefits of playing to a perfect audience.
The price of ignorance
GDPR plays for the consumer and, naturally enough, there’s a cost for non-compliance. The top tier, ‘up to €20m, or 4% of global turnover, whichever is higher’ is for infringements to an individual’s rights to privacy. Breaches of an organisation’s obligations can cost ‘up to €10m, or 2% of global turnover’.
That’s fodder for the tabloids of course but most infringements will be far less expensive and it’s safe to assume there will be a stretch of transition and teething time too.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation for 20 years and, as you would expect, there’s a website with all the detail.
Consumer and trade magazines are rife with detail about GDPR, or follow our blog for more GDPR and event planning resources.