The General Data Protection Regulation is a Europe-wide set of data protection laws. It’s a long-overdue standardisation of best practice in data handling across Europe, due to come into force in May 2018. Although it’s an EU directive, the current British government has supported GDPR and is likely to adopt similar standards to cover British citizens, post-Brexit.
Any business which holds the personal data of European citizens may find its practices challenged under GDPR, and could face a fine of 4% of its global revenues or €20 million (whichever is greater) for non-compliance.
You may be wondering why this concerns us – after all, isn’t data protection an IT thing?
No. It’s not. Corporate events involve “regular and systematic collection of personal data on a large scale”. If you’re collecting business cards, sign-ups or feedback forms, you’re collecting data that could be used to identify a given person, and so GDPR applies.
What does GDPR mean for event organisers and attendees?
If you’re collecting a person’s data, you need their explicit and informed consent. You have to tell them what information you’re going to collect, what you’re going to use it for, and how you’re going to communicate with them. You need their consent to collect the data, and you also need it for each use of the data – including any new initiatives you come up with later on.
In practical terms, this means no assuming that you can do what you like with someone’s details just because they gave you their card. You won’t be able simply to buy in a mailing list to market your event, as you may have done in the past. If this is something you do at the moment, make the most of the year you have left; buy in lists, warm them up, and get those opt-ins while you can. We predict that event promotion and marketing will become more ask-driven, as a means of securing consent – “would you like to know about X?” rather than “this is X, and we assume you’re interested because you’ve not told us you’re not”.
GDPR is retroactive – it applies to the data you’ve already collected in addition to brand new data. This means you have a year to recontact and warm up everyone whose data you hold, and secure their consent to remain on your list (and to any other correspondence you may want to send them). It also demands increased data hygiene – reviewing your backup practices for electronic data, and looking through physical records, including drawers full of business cards, to make sure you’re not holding ‘expired’ data acquired without consent.
If you’re attending an event, you’re probably networking – collecting contacts’ data in one form or another, whether it’s hard copy or digital. GDPR still applies here. Inform your contacts how you intend to contact them and what for – and then, in that first email or LinkedIn request, ask them for their consent to the next use of their data, like being added to your marketing database.
While much of the discussion around GDPR is digitally driven, one expert reminds us that a data breach can be as simple and physical as leaving a piece of paper on top of a printer, or an unsent email on a screen, or a card lying around on an event desk. The way we collect data at events needs to become more secure – think less “let me take your card” and more “let me put it on this tablet, encrypt it and screenlock it”. It’s going to be a little more cumbersome, but the point of GDPR is to make data handling a priority for businesses, and ensure that we treat our contacts’ data with the same care we’d demand for our own.
What should we do about GDPR right now?
Many brands already require their event agencies to adhere to stringent data handling practices that go beyond the needs of current data protection rules. If your agency is lagging behind in this way, the months before 2018 – when GDPR is implemented – provide the perfect excuse to catch up.
There’s a lot of prep work to be done. Firstly, there’s data hygiene – checking to see what you’re holding, how you got it and how you’re storing it. Secondly, there’s consent – contacting everyone on your list and ensuring they still want to be there. Thirdly, there’s planning how you’ll collect data in future. How will you make sure that the data you collect is secure? How will you confirm that people understand how you’re using it? How will you build consent into your networking and marketing process at every stage, without undermining your message?
GDPR is a serious matter, but the bottom line is that it’s about individual rights and communication. Yes, businesses must be aware of the rules and the penalties for non-compliance, for not making data a priority – but it will help to see the opportunities in doing so, and the brand value that can be built.