Professional event marketers, organizers and event technologists will already have May 25th, 2018 marked down in their calendars. On that day the updated European Union’s General Data Protection Regulation (GDPR) will come into effect. The event and tech worlds are aware of its significance, but many are still not clear on exactly how the GDPR will impact the way we interact with global event attendees, technology vendors and the data we collect.
Given that the scope of the GDPR is not limited to the European Union but to its citizens at large, this new regulation is having a profound impact on the global event technology landscape. With fines threatened to reach the higher of 20M EUR or 4% of global annual revenues this new legislation has event professionals scrambling to establish compliance, and lawyers gearing up for litigation and class action.
Global 500 companies will spend a combined $7.8 billion over the next year on GDPR compliance. – IAPP
Protect your brand’s reputation and financial bottom line, and ensure your attendees are secure by learning exactly how GDPR impacts your events and how you can prepare for these changes. Understanding how GDPR compliance affects your events doesn’t have to be complicated— in essence, the new legislation is really just about respecting the individual’s rights to their personal data. Data collection has become a key part of personalization in the event world, dramatically improving how you can delight and inspire your attendees. GDPR compliance doesn’t have to change this if you’re considering these six important rules.
1) We’re all European citizens.
Just because your event isn’t occurring in the EU doesn’t mean you are exempt. If you have a citizen of the EU attending your event, you need to ensure you are compliant with GDPR. When registering for events, the attendee’s nationality or citizenship isn’t commonly requested, and shouldn’t be a mandatory field. In fact, by doing so you are collecting “special category” data and elevating the level of protection and care required. Rather than trying to establish which attendees the GDPR applies to, it is simpler to design systems and processes that assume “we’re all European citizens.”
2) Clearly articulate what data you’re collecting, and why.
Under GDPR, collecting and storing reasonable types and volumes of data is still fine as long as your customer understands and consents to it. When completing registrations, whether it’s for your next big conference or setting up an account, it’s your organization’s job to clearly articulate what data you’re collecting, why and if other third parties will interact with the data.
3) Only collect data that is necessary.
If data is reasonably needed for legal and security reasons or is used to provide the best experience and journey to your data subjects (that’s the legal term for anyone whose data you’ll be managing and controlling), collect it. Save your organization the potential headaches, and don’t collect any data you don’t require for legal or security purposes.
4) Treat data securely and with respect.
It goes without saying that you respect your attendees personally, so treat their data with the same level of integrity. Don’t share data with third parties that don’t offer a similarly high level of security and respect, and ensure the sharing is in-line with the agreement your attendees consented to. Lack of compliance in this area could have a very significant impact on the business, as the recent scandal involving Facebook and Cambridge Analytica highlight. In the event of a breach or problem with data security, address it transparently and keep the affected individuals fully informed.
5) Consent must be clearly given, and as easy to withdraw as it is to give.
Individuals may want to inquire about what data you’re holding, request that you change or delete their data, or they may want to “pack up and go” by requesting a copy of their data and then asking you to delete it. Be prepared to facilitate these requests, and ensure any third parties who are also processing this data are prepared as well.
6) Back up your claims with action.
Convey an honest, up-front sense that you truly care for your attendees’ and customers’ data, and back that promise up with action. Privacy, like security, only works if everyone within your organization is on the same page.
Follow these guiding principles to form your GDPR compliance strategy. They should inform the processes and people that have to work with the personal data of your customers, partners and staff.
How Eventbase is addressing the GDPR changes
As the leading enterprise event technology provider, Eventbase understands that our clients’ security and their attendees’ privacy are top priority. Finding the balance between privacy, usability and utility for attendees while providing value to the event organizers we partner with is our commitment to our clients.
Our systems, technology, and processes are ready to provide you with a GDPR-friendly platform that offers the highest level of security and compliance.
Take the next steps for GDPR compliance
Looking for the next steps to ensure your organization is GDPR compliant? You’ll need to create a data map to get a full picture of what personal information is being captured and how that information is being used. Find out how in part 2 of our GDPR blog series.