Ready or not, May 25—the deadline to comply with the European Union’s GDPR—is almost here. And while there are many misconceptions about the regulation, one aspect event planners shouldn't ignore is the GDPR penalty they will incur if not compliant by the enforcement date.
There’s no warning, there’s no negotiation. If your organization isn’t compliant, you will face a fine of up to €20 million or 4% of your annual global turnover, whichever is greater. A penalty that size shouldn’t be taken lightly, so it’s important to take steps to ensure you’re meeting GDPR standards.
In case you haven’t heard, GDPR, or the General Data Protection Regulation, includes new standards for the protection, consent, transparency, and storage of EU citizen data. You don’t have to be a European organization to be affected, as any business that handles the data of persons residing in the EU must comply.
How can you avoid the GDPR penalty exactly? While it’s important to educate yourself on the new regulations, as well as consult with your organization’s lawyers and IT personnel, here are five key principles to keep in mind to ensure full compliance.
Discover: First, planners need to identify where personal data transits and resides in their ecosystem. You may think it's just in your event management software (EMS), but it’s often more extensive than that. Don't forget your event website, mobile app, marketing automation platform, CRM, accounting and HR departments, etc.
Manage: Not only do you need to document how personal data will be used and accessed, but you need to be able to explain it to your clients and attendees in order to obtain true consent. This is done by making certain disclosures to data subjects before collecting their personal information. This includes the purpose of data processing, recipients of the data, how long the data will be stored, and more.
Protect: From encryption to security, you need to take steps to prevent potential data breaches. That’s important for obvious reasons, but also because GDPR gets more specific as to what counts as a data breach. In the United States, for example, companies were only obligated to notify customers of data breaches if sensitive personal data such as social security numbers or financial account information were leaked. Under GDPR, all personal data is subject to breach notification requirements.
Reveal: Whether they want to review their data or remove it, an important component of GDPR is giving EU citizens control of their data. Once a request is made to view/delete, it must be done promptly and efficiently. According to the “Right to Be Forgotten” under GDPR, data controllers must erase personal data “without undue delay” if the data is no longer needed, or if the data subject objects or requests it.
Report: Finally, if you aren’t already, take steps to track any related event data to comply with future audits. Technology like event management software can help planners greatly in this area, especially if it can help manage your entire ecosystem in one place.
As long as you follow these principles in your efforts to reach compliance, you’ll avoid the dreaded GDPR penalty, as well as become a better data advocate for clients and attendees. The latter is, of course, what GDPR is all about. Don’t think of it as just another regulation to follow, but rather as a way to be more transparent about the data you collect and to respect the individual preferences of those affected.