The Event Marketer’s Guide to GDPR Compliance
You know that feeling in your stomach? The one you get when there’s something you’ve been putting off for a while, but there’s a looming deadline that’s getting closer and closer? Well, from the sounds of it, that’s how a lot of event marketers are feeling these days about something called the GDPR and GDPR compliance.
Sound familiar? For those who might need a refresher, the General Data Protection Regulation (GDPR) is a piece of EU legislation that will be coming into effect on May 25, 2018. It’s all about protecting individuals’ personal data in the digital age.
How does GDPR affect event marketers?
As you go about planning, marketing and hosting an event, you’ll likely be collecting and using a lot of personal data. This data may be about your attendees, your speakers, and other event stakeholders. Information like names, job titles, emails, even dietary preferences! All of this is data that will fall under the umbrella of the GDPR as of May 25, 2018. And the GDPR has some pretty specific requirements about the circumstances under which you can collect and use that data.
The GDPR identifies two key roles related to the collection, processing and usage of personal data: the Data Controller and the Data Processor. As the event’s organizer, you are a Data Controller. You decide and are responsible for communicating the purpose for which you are collecting personal data from attendees, speakers, and any other event participants. Any event technology providers that you employ will typically act as Data Processors in the context of your business relationship.
Let’s bust some myths right off the bat. Some of you may be hoping you can get away with turning a blind eye because your business doesn’t operate in the European Union. Or that you can ensure your compliance with the GDPR by guaranteeing you work only with event technology providers that can verify they are GDPR compliant.
Unfortunately, neither is true. More on that to come, but the GDPR’s impact is global, and ensuring compliance goes beyond choosing the right event technologies. It includes the activities you carry out every day as part of your job.
That means event planners worldwide are going to have to learn at least a little bit about GDPR, whether they like it or not. Here are steps that you’ll need to take to protect your business from some pretty serious fines for non-compliance… If you don’t think that your business can take a hit of up to €20 million (or 4% of your global turnover, whichever is higher), then read on.
So where do we begin?
Before you read any further let’s get one thing straight: none of the below should be seen as a substitute for good legal advice! We also highly recommend you take a good look at the official GDPR website, the FAQs page in particular.
That said, one thing we do know well is the event industry and the people who work in it. As we’ve found ourselves answering many of the same questions repeatedly from our clients, we figured it was about time we share our tips for getting your house in order for the GDPR.
Will the GDPR really affect me and my event(s)?
The majority of those reading this blog post should probably assume the answer is yes. If the information you collect about your participants is provided while the individual is in the European Union, or the information is about someone who lives in the EU, GDPR likely applies. This is true even if your event isn’t taking place in the EU.
Now, if you’re hosting a small “locals only” event in North America and you’re not offering any tools or services that your attendees might use while they are in the European Union, then you perhaps don’t need to worry. But if you’d like to allow EU residents to participate in your future events, or are looking to offer event technology participants can use away from your venue, GDPR compliance should matter to you.
What do I need to do to ensure compliance with the GDPR?
There are a lot of implications of the GDPR, but to sum it up neatly: the way event marketers handle the personal data of their attendees and invitees will need to change. Here are the main areas where we recommend event professionals focus their compliance efforts:
Running a Data Audit
It might be scary to admit it, but there are many event professionals who don’t fully know the origins of all their data. Some of the names on your list may have come from business cards dropped off at booths, from lists of previous event attendees, or even purchased email lists.
Most event marketing databases have been built over a long stretch of time and the data has been sourced using a variety of methods. Few of these databases would hold up to the GDPR’s requirements. These state that you must be able to prove that the people in your database have opted in to have their information stored and used by you. This means you’ll need to validate the information in your databases if you want to ensure compliance. It may sound like a daunting task, but try to think of it as a chance to clean out the cobwebs and better target your efforts!
Reviewing How You Obtain Consent
If you want to keep collecting and using personal data for your future event efforts, you’ll likely need to change the way you obtain consent to use this personal data.
Many of our existing approaches wouldn’t pass the test, as the GDPR requires that requests for consent “must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent” (GDPR FAQs).
We recommend seeking legal advice to ensure your approach is in line with the GDPR. However, we encourage you to make two different lists to get yourself started. First, identify and review all the different ways you gather personal information from people. This includes onsite at your event itself, in forms on your website, through an event registration portal, or within other event technologies. Second, ask yourself how you use this data. For instance, do you intend to share attendee information with event sponsors or exhibitors? Going forward, every time you gather personal data you will need to clearly state how that information will be used and enable attendees to opt in or out.
Updating Your Privacy Policy and Privacy Notice
Once you’ve gone through the exercise of reviewing where and how you obtain consent, updating your privacy policy and privacy notice is the next step. These two terms have often been used interchangeably, but to ensure GDPR compliance it’s helpful to distinguish between them. Your event’s privacy policy is a document that tells your team how they should handle the personal data you’ve collected. In contrast, a privacy notice is the document you share with participants that informs them what personal data you are collecting and why. If you’re looking to see what these privacy notices look like in practice, the Information Commissioner’s Office of the UK is a good resource and offers examples of good and bad privacy notices.
Developing Awareness in Your Team
You might be a member of a marketing department, or the owner of an event management company, or perhaps you work for an association that invites its members to events throughout the year – regardless of your situation, odds are you work with other people. You want to make sure everyone is on the same page about the GDPR’s impact. This ensures that nobody is confused about how they need to approach the collection and use of personal data moving forward.
There are other areas you’ll want to review with your team. These include your data security practices and what you’ll do in the event of a data breach. Another area to discuss is how you’ll respond to any potential requests for access to data or data deletion.
What should I be asking event technology providers?
Today’s event professionals are using a variety of technologies to collect, store and use their participants’ personal data. Event registration platforms and event apps are two common examples. This means event technology providers have an important role to play in helping ensure your GDPR compliance.
However, the important question to ask your technology providers is not “are you GDPR compliant?” – the question you need to ask is “how will you help me ensure my GDPR compliance?”
You may want to ask whether your event technology provider is capable of:
- Publishing your privacy notice
- Enabling you to collect consent to use personal data
- Documenting that consent to use personal data
- Allowing participants to control that consent over time
- Responding in a timely manner to requests for data access
- Acting on requests for data rectification or destruction
- Demonstrating that they hold and process your participants’ data securely
How EventMobi will work with customers to ensure GDPR compliance
Here at EventMobi, we’ve always had comprehensive policies and procedures for ensuring we store and process personal data securely. In preparation for GDPR, we’ve been reviewing and in some cases updating those policies and procedures, and conducting training internally.
As a result, we can assure our customers we’ll be able to respond quickly and effectively to personal data requests – whether these are for access to personal data or destruction of it.
As part of our GDPR preparation, we’ve also identified several opportunities to better support our clients’ compliance needs and are in the process of building these into our product.
These updates will allow EventMobi clients to easily publish their privacy notice and collect consent for their use of participants’ personal data – and prove when consent was provided.
EventMobi clients can sleep easy! We are prepared to fully support your compliance needs when the GDPR comes into effect May 25, 2018!
Final words: coordinate & communicate
Now that you’ve finished reading this post, hopefully you have a better sense of what you need to do to ensure GDPR compliance. But don’t forget to take the time to speak with your coworkers about coordinating your efforts!
In particular, reach out to your internal IT/Data Security experts. They may have already begun to document processes you should be taking into account. If you’re part of a larger marketing team, make sure you have an understanding about how your company’s approach to email marketing and collecting consent is evolving to address the GDPR requirements.
A final reminder that the above information has been provided to help you better understand EventMobi’s position on the GDPR and how we’ll be supporting your GDPR compliance. However, the information in this article is not legal advice. For many businesses, coordinating with legal representation is the best way to prepare for the GDPR.
No more putting it off! The countdown is on, and now is the time to get ready.
Trusted by more than 10,000 event planners, EventMobi is one of the most secure and reliable event technology platforms on the market. Learn more about our security features and policies on our Security page, or schedule a time to speak with someone from our team today!