GDPR comes into force on 25 May 2018. No, it is not a new punctual rail service for the UK; it is new European legislation called the General Data Protection Regulation (GDPR). It is directly applicable in all EU member states and will replace the current UK law, the Data Protection Act 1998.
The European Commission’s intention is to create a “one-stop-shop” for data protection, with a common set of rules applying across the European Union. It is also a Regulation (rather than a Directive), which means that it has direct effect in all EU member states, although member states retain the power to legislate domestically. You may want to check the specifics if you work in particular EU states. The GDPR means more data protection obligations for organisations and enhanced rights for individuals.
What about Brexit, I hear you shout? Sorry, that doesn’t matter. Firstly, GDPR will come into force well before Brexit ever happens, and the British government will be rolling out its own version under the Data Protection Bill. The short version is that you need to comply from day 1, as there are hefty fines for those that don’t.
Thank God it doesn’t apply to us, I hear my non-EU friends shout with glee! Wrong: rest of the world, this also applies to you if you do any of the following:
a) offer goods/services to individuals in the EU (irrespective of whether a payment is required); or
b) have a website which uses a language (with the possibility of ordering in that language) or which prices its goods/services in a currency generally used in an EU country; or
c) monitor the behaviour of individuals in the EU (e.g. cookies/tracking/profiling).
So basically, if you are an events manager or company who attracts an EU audience to your event or supplies services within the EU, you need to comply. Don’t run and hide from this, as it could cost you your business; it is better to do something and show willing than nothing at all.
So what are the principles of the GDPR?
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
So what should you be doing now?
Firstly, do not be taken in by all these companies that are offering brilliant new software to help you with GDPR. You don’t need to spend millions on new systems; there is nothing wrong with using Excel spreadsheets and keeping data in them, you just have to manage what you have in them and how you use it. Look at the following key points and use them as your starting point.
Understand and “cleanse” the data which you currently hold (databases, CRM systems etc.). If you have a database filled with attendees from events you ran 10 years ago, the chances are it is out of date and the details are incorrect. You may be better off deleting everything that is over 2 years old, and especially anyone who has not responded to or attended any events in that time.
Consider whether to obtain fresh consents and/or rely on alternative grounds for processing. You may notice an influx of emails or even post (yes, youngsters, that is still a method of communication) from companies asking if you wish to opt in to still receive marketing materials from them. These companies are obtaining fresh consent. If you are going to do this and include an opt-in/opt-out option on your current communications, please remember that it must be opt in. You can no longer have the box pre-selected so that individuals have to unselect it to unsubscribe.
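The two points above (deleting stale records after two years, and never assuming consent) can be applied even to a spreadsheet-sized list. The following Python is an added illustration written for this page, not the author’s own tooling: it assumes a constructed attendee list with a “last activity” date, treats the two-year window as 730 days, defaults marketing consent to False so that only an explicit, timestamped opt-in can switch it on, and writes an audit entry of the purge that contains counts and dates but none of the personal data itself.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Retention window from the post: records with no response or attendance in
# two years are candidates for deletion. 730 days is an assumed reading of
# "2 years"; adjust to your own written retention policy.
RETENTION_DAYS = 2 * 365


@dataclass
class Attendee:
    email: str
    last_activity: Optional[date]        # last registration, attendance or reply; None if never
    # Consent is never assumed: it starts False and only becomes True through an
    # explicit opt-in. A pre-ticked box would never produce a valid record here.
    marketing_consent: bool = False
    consent_recorded_on: Optional[date] = None
    consent_source: Optional[str] = None


def is_stale(attendee: Attendee, today: date, retention_days: int = RETENTION_DAYS) -> bool:
    """True when the record shows no activity inside the retention window."""
    if attendee.last_activity is None:
        return True
    return (today - attendee.last_activity).days > retention_days


def apply_retention(attendees: List[Attendee], today: date,
                    retention_days: int = RETENTION_DAYS) -> Tuple[List[Attendee], List[Attendee]]:
    """Split the list into (kept, purged). 'purged' is what you erase to satisfy
    storage limitation (Article 5(1)(e)); 'kept' is what stays in the spreadsheet."""
    kept, purged = [], []
    for a in attendees:
        (purged if is_stale(a, today, retention_days) else kept).append(a)
    return kept, purged


def retention_audit_entry(purged: List[Attendee], today: date,
                          retention_days: int = RETENTION_DAYS) -> dict:
    """Evidence that the purge happened, without copying the deleted personal
    data into yet another place you would then have to protect."""
    return {
        "run_on": today.isoformat(),
        "retention_days": retention_days,
        "records_deleted": len(purged),
    }


def record_opt_in(attendee: Attendee, today: date, source: str) -> Attendee:
    """Call only when the person themselves ticked an unticked box or replied 'yes'.
    Records when and where the consent came from so you can evidence it later."""
    attendee.marketing_consent = True
    attendee.consent_recorded_on = today
    attendee.consent_source = source
    return attendee


def can_email_marketing(attendee: Attendee) -> bool:
    """Marketing goes only to people with a recorded, explicit opt-in."""
    return attendee.marketing_consent is True and attendee.consent_recorded_on is not None


def build_sample() -> List[Attendee]:
    # Constructed sample data, not real attendees.
    return [
        Attendee("fresh@example.org", date(2018, 1, 10)),
        Attendee("old@example.org", date(2015, 3, 2)),
        Attendee("never@example.org", None),
        Attendee("borderline@example.org", date(2016, 5, 26)),  # 729 days before 25 May 2018
    ]


if __name__ == "__main__":
    today = date(2018, 5, 25)
    kept, purged = apply_retention(build_sample(), today)
    print("keep:", [a.email for a in kept])
    print("delete:", [a.email for a in purged])
    print("audit:", retention_audit_entry(purged, today))
    person = kept[0]
    print("marketing before opt-in:", can_email_marketing(person))
    record_opt_in(person, today, source="re-consent email reply")
    print("marketing after opt-in:", can_email_marketing(person))
```

The design point is that consent is a positive record with a date and a source, not the absence of an unsubscribe, and that the purge leaves behind a count and a date rather than a second copy of the deleted names.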
Review data-sharing contracts and ask other companies you are working with how they are storing and managing any data which you may be supplying them with. This also covers third-party suppliers if you are using registration sites such as Eventbrite. If you are working in partnership, ensure that you have a signed Non-Disclosure Agreement in place so that any information shared between you is protected.
Update/implement data protection policies. If you haven’t done this already, you will need to start recording your data protection policies. For example, they should include how you process any information that is received when a person registers for an event: what is legitimate information to ask for and hold, how long you will keep the information for, how you process any hard-copy information received, any security software you have in place, etc.
Finally, you need to train your staff so that they are fully aware of what the GDPR is and what they should be doing with the data they manage. Ignorance is no excuse when it all goes horribly wrong.
For more information visit the ICO website, where you will find more detailed information and guidance on how to make sure you are GDPR compliant.
Let’s keep the events industry compliant.
Happy Planning xx