General Data Protection Regulation (GDPR) is set to make huge changes in the events industry as of 25th May 2018. Do you know what GDPR is? In short, it’s a regulation administered by the European Union, which is there to protect the data of all EU citizens. The regulation will apply to every company that holds information about people who reside in the EU. If a company fails to adhere to the terms set out, there are going to be severe consequences.
As an agency in the events industry, we will use this blog to look at how we (and others) should prepare for the GDPR changes, what measures we will put in place to ensure we adhere to the new compliance regulations, and how we will educate our clients on the matter.
So, as a business, how do we prepare for the changes?
Data protection is vital, and working within the industries that we do, we have to ensure that we are accountable for the data we hold and interact with, whether that is 5000+ delegates at a conference or the clients’ data that we encounter every day. Everyone must be ready to state what data they hold, where the data has come from, who it is shared with, how its confidentiality is protected, and what consent was given. We all must justify how the data is going to be used.
As a business, we all should follow the current EU standards. We need to be smarter about the ways in which we store contacts and data. We must ensure that all our data handling is compliant with and follows EU procedures, or there can be weighty repercussions. The maximum fine for non-compliance in the UK is now approximately £500,000, and will rise to €20 million in 2018.
How should we educate our suppliers and clients?
Brexit negotiations have only just started, so we are not exempt from the current legislation. The reality is that any organisation, no matter its country of residence, will be subject to these laws if it employs EU citizens. When we do leave the EU, we will have to be conscious of this, as companies that we would like to do business with across the EU will have to be GDPR compliant.
Clients should collect only the required information, and not go overboard with the information they store. If clients discover a breach at any point, they must notify the supervisory authority within 72 hours. It is essential that we create a simple and effective system that enables data to be processed fairly and lawfully. Both the data and the system must be accurate and up to date.
We should all be extra vigilant when reading terms and conditions and privacy terms, and be able to choose the kind of information we opt in to receive. Sometimes we are automatically opted into newsletters, weekly generated emails, or marketing materials, because we don’t really take the time to read what has been stated in the terms and conditions we previously agreed to.
For example, when registering for an event, you will input your personal information, email address and a password for your account. Often, there is a small box at the bottom of the page that you are asked to tick or untick. The small print will say something along the lines of ‘click here if you agree to our terms and conditions’. Without ticking this box, you probably wouldn’t be able to continue, but have you read those terms and conditions? It’s another key reason why we need to double check everything before handing over any form of confidential information.
Some companies may be required to appoint a Data Protection Officer (DPO). Whether a new employee comes on board or a current member of staff moves into this role, one will have to be appointed. A DPO’s main responsibility is to oversee processing operations that require regular, systematic monitoring of data subjects, as well as the processing of special categories of data and data relating to criminal offences and convictions. It will be a pivotal role in any company, as the officer in charge will oversee the data protection strategy and its implementation to ensure it is in keeping with GDPR requirements.