GDPR compliance tips for event planners
On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect, making it the primary law regulating how companies from around the world protect the personal data and privacy of citizens and visitors of the European Union. The GDPR’s legal framework aims to give EU citizens and residents more control over their personal data, particularly at a time when scandals have plagued many major global brands, such as Facebook’s recent issues with Cambridge Analytica.
And the GDPR is likely to revolutionize the way event marketers, event planners and DMCs deal with the data from attendees hailing from the EU.
Geneviève Gagné, a seasoned lawyer with the Jolicoeur Lacasse legal firm, has extensive experience in international affairs and arbitration. Over the years, she has developed a unique expertise regarding the GDPR. We sat down with her to get her perspective on what the GDPR means for event planners and DMCs.
What is the GDPR?
“The GDPR has replaced the former EU Directive 95/46; it is more detailed and addresses issues arising from a rapidly evolving digital world,” said Ms. Gagné. “In today’s digital era and due to the sheer volume being generated, data has a great economic value. Governments, advocacy groups and, in particular, individuals, are becoming increasingly concerned about data privacy. The GDPR was designed to strike a balance between companies’ need to obtain data to conduct business and the safeguarding of people’s personal data and privacy.”
- EU attendees (and delegates from any country, for that matter) must explicitly consent to provide data to the event organization.
- The event can only legally collect data that it absolutely needs to conduct business. For example, an event cannot collect the gender of attendees unless it is required to organize the event—not just for statistical purposes.
- The event must also oversee the GDPR compliance of all sub-contractors and third parties, such as venues, F&B suppliers, audiovisual partners, sponsors, ad agencies, etc.; in other words, sub-contractors must adhere to the same high levels of GDPR standards as the events themselves.
Ms. Gagné did add that “Despite the stiff rules, the GDPR governing body understands that it is an ongoing, evolving journey. Being able to demonstrate a willingness to respect the law is already a huge step forward in the right direction.”
At the end of the day, respecting GDPR rules can be a distinct competitive advantage for event planners and DMCs looking to organize conferences and conventions with delegates from the EU. As the new adage goes, ‘No privacy, no trust. No trust, no business’.
How to conform to the GDPR
There are many ways to get up to speed on GDPR:
- Educate the entire event management team, suppliers, partners and sponsors on the importance of GDPR and their compliance.
- Conduct an internal audit to determine what data you currently have on attendees, speakers, sponsors, etc. who live in the EU. Pinpoint where your data collection or processing methods need to be improved. If required, work with a legal and IT professional to ensure that whatever improvements you make adhere to the law.
- Set up the appropriate IT infrastructure to more effectively manage and protect EU attendee data, including antivirus software, firewalls, etc.
- Develop a data breach notification process (under 72 hours) and determine a process to take the right corrective course of action.
Ms. Gagné also mentions that event planners and DMCs should not cut and paste GDPR measures from other companies or event planning businesses. The measures have to be applicable and make sense for your event planning organization. She recommends talking to experts in international and digital law who have the necessary GDPR expertise to accompany event organizations on the road to GDPR compliance.