Designed to bring consistency, clarity, and conformity to the way companies handle the data of EU citizens, the GDPR will supersede all national data protection policies of EU member states, including the UK’s Data Protection Act.
GDPR is big news for the events industry, where vast quantities of data are collected in a broad variety of ways. This data is often not anonymised, making it vital that events companies, and anyone who uses events in their sales and marketing mix, know their data handling and processing responsibilities inside out.
Why do we need new regulation?
We’re living in a world where data is much more freely shared through a huge number of channels and methods. Most of the existing guidance concerning the handling of data was developed decades ago, and is therefore not designed to address the various ways in which information is now captured and distributed. The Data Protection Act (DPA), for example, was implemented in 1998 and followed the EU Data Protection Directive of 1995 – a good few years before things like email spam became commonplace.
According to eugdpr.org, the GDPR was created “to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy”.
How will it work?
The GDPR was actually approved in April 2016, but organisations were granted a two-year period to become compliant before the regulation becomes enforceable on 25th May 2018. After this date, all companies that handle the data of individuals within the EU, regardless of industry or size, will be expected to comply with strict data protection requirements or face hefty fines. In essence, the GDPR will force companies to process data lawfully, transparently, and for a specific purpose. Once that purpose has been met, the company will be obliged to remove the data from their records.
GDPR isn’t just about being seen to process and store data correctly – it’s also about the rights of an individual to have control over their own information. Anyone can ask what data a company holds on them, why they have it, how long it’ll be stored for, and who can see it. They can also request that data be rectified or deleted if it’s not necessary or they no longer consent; this also means you have to stop sharing it with third parties (such as venues or partners). As you may imagine, this has broad-ranging implications.
Who will be affected?
Every company that handles personal or identifying data of EU residents will be required to observe the GDPR, but the buck specifically stops with ‘controllers’ and ‘processors’ of data within a company. A controller (a company, organisation or individual) dictates how the personal data should be processed, whereas the processor actually carries out the handling of the data. In addition, controllers have a duty to ensure their processors abide by data protection law, and processors must adhere to the rules and maintain accurate and up-to-date records.
Controllers and processors don’t have to be specific individuals – within the context of the events industry, for example, almost any company could be defined as a controller, whereas sales and marketing teams handling personal data could be processors. For marketers and salespeople, consent will be one of the biggest issues they face, as this has to be explicitly given (not assumed), and a record must be kept. Marketers who favour an ‘opt out’ approach will need to change tack and give customers and prospects the opportunity to opt-in to receive communications.
Anyone who uses events as a key sales and marketing channel may face big changes in the way they operate. Pre-GDPR, it wasn’t uncommon for sales teams to send cold emails to individuals they wanted to meet with or invite to their stand; under the new regulations, this might land you in hot water if you can’t prove that individual has given you explicit permission to use their contact details. During events, teams capturing data will also have to be very clear what they intend to use it for, and ensure they have proof of consent. Gone are the days when you could take someone’s business card and add them to your mailing lists without thinking about it!
What if I don’t comply?
Plenty of companies will find they have a lot to do in order to become fully compliant with the GDPR and may be tempted to turn a blind eye to avoid the extra work. However, for the first time ever, those that do run the risk of facing extremely hefty fines if they don’t comply or fail to notify the relevant authorities of data breaches. For example, UK companies that fail to notify the ICO of a data breach that risks people’s rights and freedoms within 72 hours of becoming aware of it could be liable for fines of up to 2% of their annual global revenue or €10m, whichever is higher. The punishment is even worse for not processing data correctly or refusing to adhere to rules about deleting/transferring data, with fines of up to 4% of revenue or €20m. These are significantly higher than fines dealt out under the DPA.
The buck no longer stops with the controller, as processors are also more liable than they were under the DPA, so it’s in everyone’s best interest to ensure they toe the line.
But hang on, aren’t we about to leave the EU?
A common question is whether Brexit means UK companies won’t have to abide by the GDPR because it’s an EU regulation. Unfortunately, the 44% of companies who are thinking along these lines could be in for a nasty shock – since the UK will still be an EU member state when GDPR enforcement commences, the law still applies.
There will potentially be an opportunity for the UK to opt out later, or come up with a similar national regulation (which may be similar to the 2017 Data Protection Bill), but the many UK companies that have customers in the EU will still be required to adhere to the GDPR when handling their data post-Brexit. There’s also the school of thought that says adhering to GDPR now will make it easier for data to move freely between the UK and EU once Brexit has taken place.
Companies also should be aware that the GDPR has been put in place to protect the data of individuals in the modern digital age, so sticking with the regulation – or something similar – after Brexit may potentially be in the best interests of your customers.
What you can do to work towards GDPR compliance
Start by carrying out an internal data audit to see what kind of information you collect and how you currently handle it. It may be that you’re already ticking many of the boxes! It’s important to fully understand the scope of the data you collect through all of your activities – even things like IP addresses count as personal data under the GDPR as they’re unique identifiers. Think about it like this: anything that could contribute to an identifiable profile comes under this regulation and needs to be handled accordingly.
Transparency is also a big part of the GDPR, in terms of both how you collect and process data and the way in which you communicate this. Make sure your systems and language are as clear as possible, and anyone in a processing role understands their responsibilities. You may decide that you handle so much data that it’s in your best interests to hire a dedicated Data Protection Officer – someone who’s dedicated to ensuring you don’t fall foul of the regulation.
GDPR will fundamentally change the sales and marketing landscape, and the way teams gather and process information.