A new, stricter European Union data privacy rule, the General Data Protection Regulation (GDPR), becomes enforceable on 25 May 2018. Are you ready? Use this as your to-do checklist.
1. Build awareness.
Make sure everyone in your group, including leadership, is aware of GDPR. It may take some time and money to bring your organization into compliance, so don’t wait until the fines start in May to start preparing.
2. Do a data audit.
Find out what personal data you currently collect and store, how you collect it, on what basis, and who you share it with, then document everything so you can demonstrate compliance with GDPR’s accountability principle. The biggest challenge for event planners will be figuring out what personal data they have on attendees, speakers, sponsors, and others, and whether or not they have adequate consent, says George Sirius, CEO of Eventsforce, an event technology company. “They need to know which systems the data is stored in, when it was last used, and what it was used for. They need to know how accurate the information is, what kind of processes they have in place to keep that data safe, and whether or not it’s been shared with other suppliers and partners. If it has, then they need to ensure that these parties also have the right consent and that they are doing everything they can to comply with GDPR regulations. Running a data audit of this scale is a big job. Unfortunately, there is no way around it.”
3. Identify and resolve all gaps.
Sirius says, “If you have inaccurate information on one of your delegates, for example, and you’ve shared this information with hotels and venues, then you need to inform them about the inaccuracy and get them to correct their records. Or destroy the data if you never had the right consent in the first place. You will not be able to do any of this unless you know what personal data you hold, where it came from, where it is stored and who you shared it with.”
4. Update privacy consent notices on forms.
Does your current data privacy notice explain how long you plan to keep the data, and that individuals have the right to complain to the relevant supervisory authority (in the U.K., the Information Commissioner’s Office) if they think you are mishandling their data? Where you rely on consent, does it include an opt-in consent form? Does that form let people freely, specifically, and unambiguously consent to your using their personal data for purposes that are specific and limited, and does it make consent as easy to withdraw as it was to give?
5. Understand the individual rights GDPR protects (access, rectification, erasure, restriction of processing, data portability, objection, and rights around automated decision-making), because you’re going to have to honor them.
6. Prepare for data access requests.
If someone says, “I want access to my data; how much information do you have on me?” you must be able to answer within one month of receiving the request (extendable by a further two months only for complex or numerous requests, and you must tell the requester why). If the request was made electronically, provide the copy in a commonly used electronic form; where the separate right to data portability applies, the data must be supplied in a structured, commonly used, machine-readable format.
7. Create a plan.
You need a process to detect, report, and investigate a personal data breach. Where a breach is likely to result in a risk to individuals, you must notify the supervisory authority within 72 hours of becoming aware of it, so the plan has to be exercisable on that timescale, and your processors must be contractually obliged to tell you about breaches without undue delay.
“Can your processors respond within 72 hours? That’s a question you’ll have to ask,” says Kevin Iwamoto, senior consultant with GoldSpring Consulting.
8. Ask your data processors how they’re keeping your event data secure, and make sure each one is bound by a written contract covering GDPR’s processor obligations.
9. Appoint a GDPR point person.
“It will really help the process if you have one person in the events team take ownership of GDPR and be the focal point for all things events and compliance,” says Sirius. “That way you can keep tighter control on making sure steps are being taken to prepare for compliance and that the events team isn’t doing anything that puts the organization at risk.”
More Food for Thought
It’s also a good idea to think about everyone who has access to attendee registration data, including temp staff and local volunteers. How are you handling data security on the front lines? “You cannot leave printed registration lists unattended on site. You shouldn’t even have them printed out,” says Iwamoto. And any spreadsheets you send have to be password protected. He cites a 2016 study by Eventsforce that found 65 percent of event planners email data to people outside the events team—“that’s going to have to change”—33 percent share passwords with others, and 60 percent of event report data is on paper that’s accessible to anyone.
GDPR may have you rethinking your event marketing strategy as well, says Ian Grey, a U.K.–based information and cybersecurity consultant with Wadiff Consulting. Emailing potential attendees is going to be trickier now that you need opt-in consent to contact people. “In practice, that means moving away from emails and going toward social-media marketing. If you’re on Facebook or Twitter or LinkedIn, you can use those platforms to try to get them to come to your event, instead of trying to get consent for direct email.”