The General Data Protection Regulation that updates the older, pre-cloud-era data privacy rule in the European Union, will begin to be enforced in May. And this is a regulation you ignore at your peril, with fines that can reach up to $24 million. For more background on the regulation, see New EU Data Privacy Rules Are Coming. Here are the seven specific requirements that planners need to know about now.
Forget the pre-checked, often vaguely worded opt-out box most event organizers currently use in the registration process. Any EU resident or citizen has to actively opt in and give you explicit consent to store and use their data. You also have to explain what you will use the data for, who you will share it with, and for how long. As the data controller, it’s up to you to get the consent, says Kevin Iwamoto, senior consultant with GoldSpring Consulting.
Furthermore, he says, you can’t generically ask people to give consent to all activities around an event when they register. “You have to say specifically who they’re giving that consent to. In addition to your organization, that includes everyone who could have access to the personal information, including exhibitors and sponsors. You also have to tell participants what the suppliers are going to use it for, and when the information is going to be purged from their systems.” And, he adds, you have to enable attendees to opt out if they don’t want their information to go to any of the listed third parties. “This is going to cause a lot of disruption,” says Iwamoto. “Think about the disclosure and consent and opting in for a hosted-buyer program, for example.”
2. Data Breach Notification
GDPR gives you just 72 hours after you discover you’ve had a breach to notify data protection authorities and, in some cases, users. While the fines are expected to be proportional to the level and severity of noncompliance, and the number of people affected, if you tried to pull an Equifax and wait months before reporting a breach, you could expect the fines to be fairly severe, says Ian Grey, a U.K.–based information and cybersecurity consultant with Wadiff Consulting.
“Event organizers need to show they’re doing their best to protect the personal information of individuals to minimize the chances of it getting into the wrong hands,” adds George Sirius, CEO, Eventsforce, an event tech company. “Ensuring that everyone in the events team has a good understanding of what constitutes a data breach and how to follow best practices is key to compliance. It’s also important to think about what processes need to be put in place once a breach has been identified, including how to report it within three days.”
If an EU resident or citizen wants access to his or her data, you need to provide digital copies of it, along with where it’s being stored and what you’re using it for. And you need to be able to do this within 30 days at no charge,
4. Right to Be Forgotten
Data controllers have to be able to delete an EU citizen’s data on request, and also have your suppliers delete it as well. “They have to have ways of minimizing errors, correcting inaccuracies, and deleting data,” says Iwamoto. “And you have to be able to prove that it is, in fact, deleted.”
If requested, you need to be able to export an individual’s data to another data controller in a commonly used format.
6. Privacy by Design
Don’t expect to get away with tacking some data privacy stop-gaps on to your systems. Under GDPR, security must be integral to your data-collection and management technology and processes from the get-go.
7. Data Protection Officers
Not everyone needs to have an official data protection officer, or DPO, but most multinational organizations already do, says Iwamoto, because even before GDPR, the EU in particular had far more stringent rules and regulations around citizen data privacy than the U.S. “And they’re not afraid to litigate.”
If your organization has a DPO, “You need to let them know your department is going to be affected. Any forms or terms and conditions that they’re putting together to protect the company also need to be incorporated into events and meeting planning,” says Iwamoto. Adds MaryAnne Bobrow, CAE, CMP, CMM, president of Bobrow Associates, even if you do have a DPO, you need to have a working knowledge of GDPR requirements. “If you don’t have that knowledge, you could be violating the rules without the DPO knowing anything about it.”
If you don’t have a DPO, Bobrow suggests finding a company that can serve as your “trusted advisor” to do the research for you. “It’s pennywise and pound foolish not to have someone to walk you through the steps to make sure you’re protected from noncompliance.”