By Frank M. Waechter
GDPR went into effect on May 25, 2018, and a year later, it seems clear that data protection and privacy rights are taking center stage on a global scale and are not a strictly European phenomenon. Data and privacy professionals are counting the days until the California Consumer Privacy Act — similar to GDPR in its scope and requirements — comes into effect next year, and similar laws are being drafted in countries like Brazil and India.
The run-up to GDPR’s enforcement date last May was fraught with uncertainty as organizations scrambled to decide how they would adjust their operations to comply with the new regulations. Readiness for GDPR had to be implemented across several departments, creating multiple and unique compliance challenges. Fast forward to May 2019, and organizations are still trying to come to terms with GDPR’s practical impact, and department-specific compliance challenges remain a significant hurdle.
By the end of 2018, and six months after GDPR came into effect, a survey by the International Association Of Privacy Professionals depicted a mixed picture of the status of GDPR compliance. On the one hand, working towards compliance seems easier in practice than it was on paper. Three-quarters of respondents said they had appointed a data protection officer, and three in four claimed they had made changes to products and services for compliance purposes. However, more than half of respondents admitted they were far from achieving compliance, and nearly 20 percent said full compliance might never be achieved.
As far as associations are concerned, GDPR compliance has prompted an overdue reconsideration of data security in their technical infrastructure, management systems, and member data collection and handling procedures.
Here’s a review of GDPR’s requirements as they relate to the business events industry:
- Consent — Explicit consent is required to store and use data belonging to any EU resident or citizen attending your event. Organizers must specify their reasons to collect data, how data will be used, whether any third parties like suppliers, exhibitors, or sponsors will have access to such data, and for how long. During event registration, attendees must give specific consent to each and every activity that requires data collection, and they must be able to opt out.
- Data-breach notification — Event organizers must have data-breach notification procedures in place and be able to demonstrate that they are doing everything in their power to safeguard attendee data. This includes training your entire team, defining best practices, and establishing incident reporting procedures.
- Access — Upon request, you must give attendees free-of-charge digital copies of their data as well as details on where the data is being stored and for which purposes.
- Right to be forgotten — EU citizens or residents can request that you delete their data. Proof of compliance is also required.
- Portability — Upon request, you must securely transfer attendee data to a different data controller.
- Data protection officers — When involved in the large-scale processing of data, controllers and data processors (which in the case of many event organizers are one and the same) must appoint a data protection officer.
- Privacy by design — Privacy and data protection cannot merely be add-ons to your systems but must be integral to the entire organisation.
Where Do We Stand Now?
How far have we come in the meetings industry implementing the requirements above? There are noticeable changes across three main areas:
- Communications — Privacy, consent, and data protection now govern the interactions between event organizers and attendees, which requires the modification of communication strategies. New terms of service are usually communicated via email. Opt-ins and consent requests also required website or event tech app updates, which now must incorporate footers, banners, or check boxes, detailing their privacy and cookie policy, as well as users’ rights.
- Handling Requests — Organizations should be prepared to handle data-access requests from attendees or members, who also have the right to request data deletion or amendment. Some organizations have taken a proactive approach and made changes to their association-management systems to enable them to handle these requests appropriately — even if they have had no requests so far.
- Third-Party Services and Suppliers — Some event organizers use third parties as data processors, and GDPR compliance is expected from vendors and contractors too. In some cases, contracts have had to be rewritten, or suppliers had to be replaced.
These changes hint at a change of mindset among PCOs: For some, compliance is not purely a legal issue, but a matter of ethics and organizational culture, something that adds intrinsic value to an association or organization. This is a promising aspect of GDPR and likely to become even more critical in the future.
What’s Next?
It seems clear that GDPR compliance will be an ongoing effort extending beyond the regulations’ enforcement date. On this note, enforcement will become increasingly rigorous: Fines for non-compliance are already being issued, signaling event organizers about the risks of complacency. Key takeaways from the fines already levied are:
- There are now legal precedents, and the grace period is over. Regulators expect organizations to be proactive regardless of where their headquarters are located or who provides/maintains their data-management systems.
- Proactivity means making demonstrable efforts to comply — the keyword being demonstrable. No organization is too small or too big to be exempt.
- Implementing GDPR can get complex, but it’s helpful to focus on the seven basic requirements listed above, and be ready to fine-tune them continuously — and not only when you are hosting events.
It is also essential to create mechanisms that reinforce cybersecurity. GDPR readiness audits can take so much of your time and resources that they may interfere or distract you from enforcing other security mechanisms.
Looking ahead, you should also be vigilant about the impact of GDPR on your marketing practices, in particular where email marketing, marketing automation, and public relations are concerned. These should be governed by the principles of GDPR: transparency, accountability, privacy by design, and freely given consent.
Frank M. Waechter is a Europe–based digital marketer specializing in the meetings, incentives, conferences, and events industry as well as associations and small- and mid-size businesses. His company’s services include digital engagement strategy; conference and event social-media marketing; live, on-site digital engagement; and training, digital transformation and speaking.