If you’re not up on the General Data Protection Regulation, a new, stricter European Union data privacy law that goes into effect May 25, 2018, the time to pay attention is now.
“GDPR is probably one of the most important changes facing our industry today,” says George Sirius, CEO, Eventsforce, an event tech company. “It will completely change the way meeting planners collect, process, and protect the personal information of people in the EU who attend events.”
And the consequences of noncompliance can be severe, with fines as high as $24 million or 4 percent of your organization’s total annual revenue from the preceding financial year (whichever is higher). While the law is more evolutionary than revolutionary in its specifics, “The fines are now putting a fear factor into the process,” says Ian Grey, a U.K.–based information and cybersecurity consultant with Wadiff Consulting.
Why Is This My Problem?
If you don’t hold events in Europe—you don’t have to worry, right?
That’d be a no.
GDPR covers any organization that provides goods or services to citizens or residents of the EU, regardless of where they reside, where the meeting is held, or where the organization is headquartered. So, if you have even one EU citizen at your event, you have to comply with the new rules around how you collect, store, update, and use that person’s personal data. Even if you run events for a state association in the U.S., for example, can you be 100 percent certain that a student from Germany on a semester abroad hasn’t registered for a program?
But why, you may ask, is this a problem for meeting professionals—can’t the IT, legal, or operations departments worry about it?
That’s also a negative.
Yes, it will be up to those departments to hammer out the details and put the systems in place, but you can’t just sit back and hope for the best. “Hope is not a strategy,” says Kevin Iwamoto, senior consultant with GoldSpring Consulting. Between registration forms, mobile event apps, social media, lead-capture technology, and surveys, meeting professionals are collecting an enormous amount of personal data on attendees. Along with names, titles, contact information, and employers, most planners also ask about food allergies, disabilities, and dietary preferences. GDPR also considers web data, including IP address, cookies, and RFID tags, to be personal data.
Sirius says, “There are a number of things that event planners do today that can put their organizations in serious financial risk with GDPR. Things like using pre-ticked consent boxes in registration forms and apps, and not having the proper processes in place to store attendee consent. Or sharing delegate lists freely with venues, speakers, and other attendees. Or not paying enough attention to the information that freelancers and temp staff have access to. Or emailing unsecure spreadsheets and leaving unattended registration lists around. The list can go on and on.”
While you don’t have to become a GDPR whiz, you need to know enough to ensure your processes comply in terms of the data you collect from attendees in registration forms and apps, how that data is used for marketing and personalization, and how you share attendee data with third parties such as venues, sponsors, agencies, and tech providers, says Sirius.
Michael Owen, managing partner at meeting and event services provider EventGenuity, agrees, “It’s like with cybersecurity—you need to understand it on a personal level so you can contribute to keeping your organization safe. It’s not just an IT thing; it’s an everyone thing.”
It’s Your Suppliers’ Problem, Too
GDPR also requires any organization that processes data on behalf of a meeting—such as event apps and registration and networking technologies—to comply with its rules. “It is important that event planners ensure that all their suppliers are fulfilling their legal responsibilities,” says Sirius. “Why? Because if, in the course of an investigation, the authorities find that these parties are not compliant, then the host organization may also be liable (even if they themselves were compliant).”
In the case of registration systems, meeting hosts need to find out how a provider obtains and stores consent, as well as how it can help them delete any personal data. And they need to ask how the third parties themselves are complying with GDPR. Using an EU-based tech provider is one way to be sure GDPR is top of mind, he says, but that’s not enough. Ask them about their understanding of GDPR and how they can help clients meet their obligations. What are their data security best practices? What about suppliers and contractors who have access to their data? “Having the answers to these questions will protect event organizers from unpleasant surprises in the future,” Sirius says.
Also, find out if your organization already has a rider or a GDPR responsibility document you can share with suppliers who touch data for EU residents or citizens, says Iwamoto. “It should outline your company’s expectation that your suppliers adhere to the letter of the law around personal information data governance per GDPR.”
GDPR is going to create a lot of new work, forcing you to reconsider how you collect, process, store, and share personal data from your events. But there’s a silver lining, says Wadiff Consulting’s Grey. “Many of my clients are using it to get rid of data they really shouldn’t have in the first place.”
Also, while it may be scary to winnow down your attendee marketing list, it could work in your favor. Grey cites the case of a U.K. charity, the Royal National Lifeboat Institution. “Pre-GDPR, they went to a consent-only email fundraising marketing plan. They thought they were going to lose thousands of pounds in funding, but in fact they ended up with a much smaller, but much more targeted mailing list of people, and their funding drive did much better than anticipated.”
Adds Owen, “At first it seemed too tough, that it would cost a lot of money and take a lot of time, but it’s really just common sense. Any responsible organization wants to be able to put their hands on that sort of data quickly anyway. And as an individual, wouldn’t you want the companies and associations you do business with to have plans and policies in place to keep your personal data secure? It’s almost a best practice wrapped in legal mumbo jumbo.”
“It will be a challenging time ahead but it’s important to note that GDPR will also bring about some big opportunities for our industry,” says Sirius. “Those who can show they’re dealing with personal data in a transparent and secure way and have respect for the privacy of individuals will succeed in building a new level of trust. And this will be key in deciding which organizations people choose to deal with in the future.”