Disclaimer: The purpose of this article is to inform our followers and clients about the EU’s General Data Protection Regulation (GDPR) and how it might impact the planning of their events. The information contained in this article is not intended to convey legal advice. Consult an attorney to learn more about the law and how it will affect your specific circumstances.
There’s one acronym that seems to be constantly popping up these days: GDPR.
Whether you’ve received a few newsletters about this or heard your colleagues mention it, GDPR became a sort of “buzzword.”
Yet, far from being a fancy abbreviation for a cutting-edge concept, this acronym has business owners and event professionals quite worried.
That’s why we recommend you not skip over this article and read it thoroughly.
Knowing this information will protect you from unpleasant outcomes, such as large fines and a damaged reputation. On the other hand, it can help you actually improve your data quality.
As you’ve probably heard, the GDPR rules go into effect May 25, 2018, and will replace the EU’s 1995 Data Protection Directive 95/46/EC.
According to the European Commission, “The regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market. A single law will also do away with the current fragmentation and costly administrative burdens.”
The GDPR rules are strengthening of a new digital economy. It protects the rights of EU citizens regarding their personal data privacy.
Data controller versus data processor
Let’s start by defining the key roles in the successful application of the GDPR rules. There are three main stakeholders that make the data dynamic possible.
First one is the data subject, or the person who provides his or her personal data.
The second one is called the data controller. As specified in Article 4.11 of the GDPR, the controller refers to “the natural or legal person public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
If you plan events and also run marketing campaigns and registration processes, you can also call yourself a data controller. Since you are gathering and handling your attendees’ personal information, you are part of the data processing chain.
And the third stakeholder is the data processor. These people are handling the users’ (or attendees’) personal data on behalf of the controller.
In this data ecosystem, Eventtia is a data processor. We help you design email campaigns, build registration forms, and use the personal data of your attendees to make better decisions regarding event planning or marketing.
Consequently, data controllers are responsible for ensuring GDPR compliance. Data processors, on the other hand, have to adjust their services accordingly to meet the controller’s new requirements.
At the end of this article, we’ve introduced a few changes we’ve made to support you in complying with the GDPR rules.
Personal data and consent
GDPR will affect all businesses that use personal data or sensitive personal data from EU citizens. It will not matter if the business is based in the EU or not.
If you collect email addresses from your EU leads, customers, or attendees, you’ll have to comply with the GDPR.
Although the EU previously had specific regulation for data protection, the important thing about GDPR is the change in the definition of personal data.
Compared to previous laws, this concept became more detailed.
According to the Information Commissioner’s Office (UK), (ICO), “The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
There is a wide range of identifiers, including the person’s name, identification number, location, IP address, and cookies.
Sensitive personal data, on the other hand, refers to genetic and biometric data that is unique to every individual.
To gather, store, and handle personal data of an individual, you must receive his or her consent.
As indicated in Article 4.11 of the GDPR, consent is “a clear affirmative action.” As a result, the consent must be:
• Freely given. You can’t force the attendee to give his or her agreement when opting in;
• Specific and unambiguous. The way you formulate the opt-in or the registration form must be clear and leave no doubts for interpretation;
• Informed and documented. The user or attendee must know exactly what you plan on doing with his or her personal data; and
• Subject to withdrawal. People must be able to easily cancel their consent.
However, obtaining attendee consent is only part of the deal. You also must consider the individual’s rights regarding his or her personal data.
The right to be forgotten
You have little to no control over the personal data of your event’s guests.
Although you were given the consent to handle this (for specific reasons) after completing the opt-in procedure, users (aka attendees) have the right to manage the information they’ve provided as they wish.
According to ICO, the GDPR includes the following rights for individuals:
• Be informed;
• Have access to their personal data;
• Correct any data;
• Remove any provided data;
• Restrict the data processing;
• Have the right to data portability (the right to know where the data processing is based, when processing is carried out by automated means, and when the information is provided to a data controller);
• Avoid being subjected to automated decision-making, including profiling, which refers to processing the data to determine or predict the user (attendee) characteristics, such as his or her health, economic situation, personal preferences, interests, movement, location, behavior, etc.
If you don’t respect these new requirements and individual rights regarding data privacy, your company could incur a huge penalty.
According to GDPR Associates, “Article 83 of the General Data Protection Regulation provides details of the administrative fines. There are two tiers of fines. The first is up to €10 million or 2% of annual global turnover of the previous year, whichever is higher. The second is up to €20 million or 4% of annual turnover of the previous year, whichever is higher. Generally speaking, breaches of controller or processor obligations will be fined within the first tier, and breaches of data subjects’ rights and freedoms will result in the higher level fine.”
Your next steps to becoming GDPR compliant
As an event professional or a person who happens to plan events, you are gathering and handling large amounts of personal data on a regular basis.
Hence, your number one responsibility is to make sure you are GDPR compliant. To do so, you must follow the next steps:
Step #1. Conduct a data audit
Whether you are a professional planner or in charge of managing events for your institution, you must start with evaluating the data you already have. You’ve most likely gathered plenty of personal information about clients, leads, or past attendees. If you are operating at an international level, you’ll have to segment your data by EU and non-EU.
Second, you’ll have to review the opt-in policy. Do you have the consent to market to your contacts the way you do, or do you need additional approval from your database?
Step #2. Create a new registration form template that complies with the GDPR rules
Step #3. Keep your data clean and up to date
Register everything. Create a document that outlines the data you store, your data sources, and how are you using the data or with whom you are sharing it. As a result, you'll have more control and a greater understanding about the personal data you’ve stored.
Step #4. Educate your team about GDPR
Help everyone understand the risks of not complying with the GDRP rules, and prevent them from running noncompliant event marketing experiments.
Step #5. Reinforce your collaboration with data processors
Finally, identify the organizations and the entities that have access to your data and with whom you are collaborating in handling the personal information about your attendees.
Make sure they are also GDPR compliant and transparent about the use of personal and sensitive data.
How Eventtia can help you become GDPR compliant?
Eventtia has introduced several changes to support you with GDPR compliance.
First, each time you import a list of attendees for marketing purposes, an opt-in window will appear, asking you to confirm that you have the right to send the attendees promotional or event-related emails.
Second, in the case of commercial events, we will enable you to personalize the registration disclaimer, letting your (potential) attendees know how you intend to handle their personal or sensitive data. Apart from that, the attendees will have to give their data-related consent on the registration form.
The bright side
Although these changes require some work and time, there’s a positive side. You’ll have the perfect excuse to keep your database up to date. Also, you'll be able to enrich it with high-quality data from people who actually care about your brand and event.
In conclusion, we encourage you to read more about the GDPR rules, consult an attorney for legal advice, and inform your team about the new requirements.