Nicola Rossetti is an expert on data protection and the upcoming GDPR changes happening on 25 May 2018.
Data collection plays an increasingly important role in the events industry. The more personal data event managers can collect about the people who attend their events, the better they can customise the event experience, as well as future products and services.
But there is risk associated with the collection and handling of all that data. That is why the EU approved the General Data Protection Regulation (GDPR), which goes into effect on 25 May 2018.
For event planners, this means the personal data of EU citizens who attend their events or work in their companies must be handled in compliance with GDPR.
What is GDPR and why does it matter?
GDPR replaces and improves upon existing regulations, notably, the EU Data Protection Directive of 1995, and addresses developments in mobile and cloud technology. GDPR also combines various existing regulations into one harmonised and simplified set of rules for all EU nations.
GDPR gives EU citizens more insight into, and control over, how their personal information is collected and used. To ensure this, GDPR adds significant fines and penalties for non-compliant data controllers and processors of up to 20 million Euro or 4% of annual global turnover, whichever is greater.
Managing event data under GDPR
Event planners and agencies are data controllers. That is, they collect and control the personal data of their customers, in this case, event attendees. As data controllers, event planners must be prepared to perform the following processes in compliance with GDPR:
- Discover: Identify where personal data transits and resides in your ecosystem.
- Manage: Document how personal data is used and accessed.
- Protect: Prevent data breaches through data security technology and practices.
- Reveal: Give EU citizens access to, and control over, their data.
- Report: Track related event data to comply with regulators’ audits.
Because customer data is typically shared across multiple functions, such as sales, marketing and event management, compliance requires cooperation by the entire ecosystem of technology solutions, partners and employees with access to the data.
The role of technology vendors in GDPR compliance
Data processors – the technology vendors that process the data owned by the event planner – play a significant role in GDPR compliance, although the onus is on the data controller to define GDPR requirements to their technology partners.
Under GDPR, data controllers appoint a Data Protection Officer (DPO), responsible for ensuring compliance with GDPR. Vendors are also required to provide adequate staff training in principles of data protection and must employ a variety of encryption technologies to alleviate the risk of noncompliance, data breaches, security failures or lack of reactiveness.
While a good data processor will support adherence to GDPR standards, it’s worth noting that the more solutions and vendors an event planner uses, the higher the risk to data security and of non-compliance. Comprehensive technology platforms and end-to-end solutions can help alleviate the burden of compliance.
Now is the time to begin the journey to GDPR compliance
Meetings and events are highly exposed to complex data collection and management, which makes compliance with GDPR a must. Considering many 2018 events are already in the planning phase or have even opened registration, there is no time to delay. The road to GDPR compliance can be long and complex. All corporate and agency planners should begin the process now to ensure compliance before their next event takes place.
Disclaimer: This content is intended to convey general information only and in no way constitutes legal advice or opinion.