What you’ve always wanted to know about the GDPR but were afraid to ask.
Here’s what every event organiser should know about the GDPR
The European Union General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. It aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different to the time when the 1995 directive was established. (www.eugdpr.org)
However, there is still some confusion around the GDPR topic in the exhibition world. At MBB-Media, we have created this White Paper to shed some light on the matter for clients and friends in the industry. It includes 12 action points for event companies to consider when preparing for the GDPR.
What is the GDPR?
In short, the GDPR intends to give individuals back control over their personal data and to ensure information is processed in a transparent and honest way. The main principle of the GDPR is that of accountability. Not only do companies need to ensure data security through various processes, they also need to demonstrate conformity through documented evidence.
The GDPR was formulated by the EU with the intention of strengthening and harmonising data protection for all individuals. It aims to unify companies inside the EU (and outside the EU if they collect and/or process personal data of EU residents). It addresses the export of personal data outside the EU and makes it easier for non-European companies to ensure they comply with EU data protection rules.
The GDPR supersedes the Data Protection Directive 95/46/EC of 1995. However, it should not be considered a completely new set of rules, but rather an extension or improvement on the existing directive. The GDPR was adopted on the 27 April 2016 – from this point, organisations had a two-year transition period to adjust to the new requirements and must demonstrate compliance from the 25 May 2018 onwards.
As a result, if you are located within the EU, conduct business within the EU, or have clients who reside in the EU, you need to know about the GDPR and ensure that you and your company are compliant before the 25 May deadline.
How to comply – in 12 easy steps
1. Create awareness
It is imperative that the most senior decision-makers at Executive Management and Board Level are made aware of the regulation and the importance of ensuring compliance. It is also advisable to ensure all employees understand the GDPR requirements and how to adhere to documented standard operating procedures.
2. Conduct information audits
Conduct an information audit on existing databases, in line with the GDPR guidelines. Create a list of all applications, which must include: how data is collected, what data is stored and the reasons for storing the data. Ensure you know the legal basis for using the specific data and why it is necessary to store such data. It is also extremely important to document where the data is stored, in which country (note that the “cloud” is not considered a country), as well as how the data is stored (hard copies or electronic), processed and transferred, and how long the information is retained. Consideration should also be given to how redundant information is destroyed. Keep a clear record of who has access to what data within your company and the reason why they have been granted that access.
3. Communicate privacy information
Review your current privacy notices, make any necessary changes and ensure these are implemented in time. When collecting data, the target group must know who you are, why you require their information and how you intend to use it. You should also reassure them that their details will not be shared unless consent is given. The GDPR also stipulates that you need to advise your target group on how long their information will be retained and that they have the right to lodge a complaint if they believe that their data is not being managed correctly.
4. Understand individuals’ rights
According to the GDPR, individuals have the right to be informed, have access to their information, be able to rectify any inaccurate data, have any information removed, restrict the processing of their information, have the right to object and the right not to be subjected to automated decision-making, including profiling. In order to ensure you comply and that future data follows suit, review all existing SOPs and ensure procedures are updated. The data protection risk procedure should include the definition of the scope, risk identification and how the risks will be analysed, evaluated, managed and monitored. Ensure you document steps on how individual information will be deleted.
5. Plan processes and systems
The measures to avoid violations must be well determined and described. If you implement effective and efficient processes and systems from the start it should ensure that future data is handled proficiently, minimising any additional time required to correct inaccuracy and/or non-compliance.
6. Review how personal data is processed
The principles of data protection are availability (and resilience), confidentiality and integrity. Identify a lawful basis for processing data; for example, data may be required for invoicing, marketing purposes, personal records and so on. Although consent does not necessarily need to be documented for financial reasons, such as invoicing, remember that transparency is key, so the more transparent you are about your purpose, the better. Remember that it is not only your databases that need to be compliant, but also your contracts, where personal information is usually required. Review all templates and ensure the information included in contracts is relevant and in line with the GDPR.
7. Handle consent appropriately
Review your process of consent to meet the GDPR standard. You are not required to ask all your contacts to consent to receiving information as long as you can prove historical/legitimate interest. For example, if someone has attended the same show for the past three years, they have a legitimate interest in what you have to offer – and therefore consent by default. Ensure that all consent, whether by default or active consent, is documented accordingly.
8. Verify minors’ information
If your data includes minors, your system must be able to verify ages and prove parental/guardian consent for the processing of their data. This is always a sensitive area, so pay special attention to any information regarding minors.
9. Implement a data breach action plan
Ensure you have an efficient system in place to detect and react to any breaches in a timely and effective manner. In your initial set-up process, define the user rights (to change and/or delete information at their discretion in a timely manner). The process of updating records should take no longer than four weeks from the time of the request. Not only do you need to ensure that your process to address this is in place, but also that the response time remains within the prescribed timeframe. To guarantee an efficient process, consider what channel the data will follow subject to the request and ensure that the information is directed to the intended department and appropriate person responsible without compromising the integrity of the information. It is also your responsibility to ensure all documented information is secure, both internally and externally.
10. Understand the assessment cycle
The assessment cycle includes: planning – doing – checking – acting. Data protection impact assessments must appraise the lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, participation and access of information. The assessments must also evaluate the likelihood of a breach and address any areas of weakness. A plan of action should be readily in place for implementation if a breach does occur. The source of risk can be internal or external, and either human (e.g. hackers, employees) or non-human (e.g. water damage, power cuts). The assessment must address the legal requirements and be clear on when the impact assessment is mandatory – it is assumed that a data protection impact assessment does not have to be carried out for every individual procedure, but is rather the exception. A risk matrix is the most efficient way to assess risk, with impact levels and likelihood ranging from negligible to maximum risk.
11. Appoint a Data Protection Officer
Designate a DPO to monitor and ensure compliance. The DPO should not be involved in how data is processed, as this would be a conflict of interest, rather they should be seen as “controllers” of data. The DPO must have access at Board Level as and when required. They should be well trained on the GDPR and the role they are expected to fill. The DPO does not necessarily need to be an employee.
12. Take an international approach
If you carry out cross-border processing and have establishments in more than one EU member state, you need to determine your lead data protection supervisory authority. The lead authority is the supervisory authority in the state where your headquarters are established or where your organisation makes most of its significant decisions about its processing activities.
If this all seems a little daunting, start by prioritising the areas affected by the GDPR that will have the greatest impact on your organisation (and reputation). Another good piece of advice is to consider both your internal and external systems and processes. Most of us focus on the external factors, such as our clients, exhibitors, visitors and registration systems. However, internal data, such as personnel data and accounts information, is just as important and probably poses the highest risk. Make sure you are managing this data within your organisation and implement systems to monitor access and address any internal breach, whether accidental or malicious.
If you have multiple databases, consider consolidating these into one central database, preferably using a suitable CRM tool. Not only will this be easier to manage, but it will also alleviate the risk of non-compliance due to a better, more streamlined management system. And don’t forget to keep a “portfolio of evidence” to demonstrate compliance and accountability, should you be audited.
Where to from here?
To demonstrate compliance with the GDPR, companies must implement measures that meet the principles of data protection by design and data protection by default. This means you must be able to demonstrate the compliance even if the processing is being carried out by a data processor on your behalf.
From the 25 May onwards, companies should consider how they will handle a breach if one occurs; what measures have been put in place to mitigate the risk of a breach; and what steps will be followed should a breach take place.
Start building a data map of your event-marketing database, for example. Review the current data, where and how it was obtained and how it is currently being used. Then decide what information is relevant, what is obsolete and what is unnecessary.
The GDPR stipulates that you should only have information that is required. No more. For example, if you are running a digital marketing campaign, there should be no reason to include the physical address of your target market.
The good news is that if any event organiser, supplier or venue has already implemented ISO 27001, they are already 40% compliant with the GDPR. There are also companies that can be contracted to assist with your initial data impact assessments and ensuring your systems and procedures comply.
As Marc Davies, Compliance Director for LiveBuzz, explains, “The GDPR is a good thing as it forces organisations, both large and small, to account for the data that they have and to ensure that they are using this data in the right way, for the right reasons.”
Think of this as “spring-cleaning” your database. You need to get rid of information that is redundant or not required for marketing/communication purposes and ensure the information that you do have is relevant. Not only will this ensure you are compliant, but it will also result in a higher quality database and most likely a better response rate.
It is unlikely that any company will be 100% compliant with the GDPR, because the regulation itself does not adequately define terms such as “risk” or when risk assessments should be carried out – leaving a lot open to interpretation. To be as compliant as possible, when considering the GDPR, ask yourself what is reasonable and how you can ensure ethical behaviour, in both internal and external processes. Complying with the GDPR is not only the right thing to do for your company, it also ensures and maintains the integrity of the industry as a whole.
Note of thanks: MBB-Media would like to thank Reinhard Schlager from Reed Exhibitions and Marc Davies from LiveBuzz for sharing their knowledge on data protection and security.
MBB-Media Ltd is a consultancy agency specialising in:
• Event Company, Portfolio or Show Strategy
• Event Sales and Rebooking Concepts
• Commercial Due Diligence and Market Research
• Digital and e-Business Concepts
• Education and Training
We are happy to provide testimonials and reference projects for each of these topics.