The marketing function is particularly vulnerable where data protection is concerned, given the large amount of information that is often shared by, and amongst, numerous different stakeholders in numerous different countries. Data is utterly key to running successful marketing activities, events, conferences and trade shows, not to mention proving your marketing and event ROI.
The new regulations around data privacy and protection were adopted on 27th April 2016, but will officially come into force on 25th May 2018 after a two-year transition period, and while there’s nothing to be feared, they’re certainly something that every marketer, event planner or event agency should start planning for now in advance of 2018.
So what is it and what does GDPR mean for marketers and event professionals?
GDPR. What even is it?
The General Data Protection Regulation is designed to simplify the current hotch-potch of European directives around data protection, and give citizens back control of their personal data. It replaces the data protection directive passed in 1995, and will bring the regulatory environment up to date with how 21st century businesses now collect, process, and use customer data.
But won’t Brexit mean this has nothing to do with the UK?
Hard Brexit or not, GDPR will affect any company handling EU residents’ data - regardless of where in the world your company is headquartered. And it won’t just be Britain that needs to be aware of the new regulations.
If you’re a US-based event agency for example, but run occasional events or conferences in Frankfurt, Lisbon, or anywhere else in the EU, you’ll still need to make sure you comply with the new regulations if any of your delegates are based in EU member states.
OK, so what does it actually cover?
Broadly, these 6 areas:
Data breach notification
Unlike Yahoo, who managed to keep their calamitous hacking on the down-low for 5 long years, customers and data controllers will need to be notified within 72 hours of any data breaches. A breach can be a leak, a hack, or even just a forgetful intern leaving a laptop or USB stick in a cab.
Right to access
Individuals now have the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, where, and for what purpose. Data controllers (that’s the company that owns the personal data) must provide a copy of this data (free of charge) if requested. Moreover, individuals have the right to question and fight decisions affecting them that have been made on a purely algorithmic basis, e.g. targeted marketing based on algorithmic segmentation.
Right to erasure
The right to be forgotten means that individuals can have the data controller delete their personal data, stop any further dissemination of the data, and have third parties stop processing the information.
Data portability
Individuals now have the right to receive their personal data back from the controller in an electronic format (a ‘commonly used and machine readable format’), and transmit this data on to another controller. This is very much designed to make it easier for individuals to move over to alternative service providers.
Privacy by design
Previously a best-practice procedure, it’s now a legal requirement to include data protection and privacy compliance from the very start when designing new systems, rather than simply bolting these on later. And this isn’t just a consideration for UX and UI designers. Both organisational and technical processes need to be implemented so that personal data is kept securely, and only data that is deemed ‘absolutely necessary for the completion of duties’ is held and processed.
Data Protection Officers
Rather than notifying local Data Protection Authorities of their data processing activities, under the new regulation internal record keeping is instead prioritised (a big relief for multi-nationals previously attempting to navigate their way through multiple national bureaucracies). Any public companies, or those whose core activities include systematic monitoring and processing of data, will now need to appoint a Data Protection Officer.
But I only store attendee registers - that’s not personal data is it?
The EU defines personal data as any information related to a person or ‘data subject’ that can be used to directly or indirectly identify the individual. It can be anything from a name, email address, photo, or computer IP address to more detailed information on medical conditions, dietary requirements and social media posts. And badging companies take note - even photos of attendee badges displaying individual QR codes would fall into this category.
Are there any penalties?
Yes - and significant ones at that, which is exactly why GDPR has become an issue being discussed at board level, highly relevant to CMOs, rather than simply a new and minor legal change. Penalties are tiered, but companies can be liable for up to 4% of their annual global turnover.
What does it mean for me as a marketing and event professional?
In a lot of cases it’ll be your marketing technology and SaaS suppliers (the data processors) that will need to make sure they’re compliant, and have the requisite measures in place internally to securely manage the data they store and process for you.
That said, for anyone storing data captured from employees and clients at events, we’ve compiled our recommendations in this simple checklist.
What should I check with my suppliers?
The average European enterprise company uses 608 cloud-based apps, yet consistently underestimates this figure by a whopping 90%. So your first step should really be to audit any third party tech solutions you currently use!
From there we’d recommend:
- Ask your suppliers to provide you with detail around how they will store and process any data for you, and how they make sure they’re compliant with GDPR.
- Have an agreed process and a point of contact on each side, so that should a data breach occur you and your suppliers can respond and work together quickly to communicate this to customers.
- Make sure any new supplier deals negotiated include reference to data protection and privacy in line with the new GDPR regulations, as you need to make sure that by 2018 any companies handling your delegate data are up to speed and can be relied upon.
- Collect only necessary data, and limit the processing of ‘special’ data. Think about how crucial it is to collect information on race, ethnicity and political and religious convictions, for example.
- Make sure you can delete the data when you stop using the app. Make sure any terms state that you can download your own data immediately, and delete your data when/if you terminate the service.
What happens after my event? How long can I hold onto data after an event?
Because all events are different, there’s no set rule on the length of retention, but event planners should think about whether the data they’ve captured is still relevant, and how long it’s necessary to keep it. So for example, do you really need to store individual dietary requests once the event is over, or can this more sensitive personal data be deleted afterwards?
Make sure any data you hold onto is only being used for the intended purpose too. So for example, be careful about selling event attendee lists on to advertisers if you weren’t given explicit consent to do this at the outset.
How can using technology like Glisser help?
A recent CIM/YouGov poll found that only 11% of businesses have systems in place to ensure compliance, while just 5% of marketers say they fully understand what GDPR means for their business.
As a SaaS company and proud member of the martech and eventtech communities, we think this just isn’t good enough.
Rather than fearing the new changes, we think it’s a great opportunity for marketers and event technologists and planners to stay ahead of the curve and in-step with the changing demands of the digital world, placing the consumer at the heart of what they do.
We believe that technology like Glisser is key to capturing the right information and appropriate permissions from your delegates - right there in the room. What’s more, Glisser provides a well-structured and manageable record of these permissions, which can be integrated into your CRM databases, to ensure your company can operate compliantly and prove it!