Preparing for General Data Protection Regulation (GDPR) Changes
Part of the modern events industry is knowing who should be there and who actually was there, down to every demographic they belong to. To better understand your clients, you might collect data about their ages, preferences, and locations. To communicate with them you might ask for their email addresses, phone numbers, or home addresses. Around an event, you might collect information about what sessions individuals attended or what size T-shirt they wear. However, the GDPR, which goes into effect on May 25, 2018, is going to change how you can legally acquire, store, and use this data from citizens of the European Union. We have the answers to some of your most pressing questions about ensuring your business is compliant under the GDPR.
What is the GDPR?
The European Union Parliament passed the General Data Protection Regulation to secure personal data and to ensure that European Union citizens have complete control over their personal information. For these individuals, this means more rights over how their personal information is collected, transmitted, stored, and used, as well as the ability to access their information. GDPR states that customers “have a right to be forgotten” and organizations should be able to remove all of a person’s data within 24 hours.
The data that falls under GDPR could live in multiple environments inside your organization. Structured data, such as data in Excel documents and accounting or CRM systems, is easily searchable and easier to protect. However, it is imperative that you find all the unstructured data that lives in your environment, such as email, files, SharePoint, and instant messaging, and put in place a data analysis mechanism to monitor and protect the data that is subject to GDPR. Although this law exists in the EU, its reach will be global.
I don’t operate out of the EU or hold events there. Do I have to worry about this?
Yes. The changes to regulations focus on EU citizens’ personal data and how it is collected and used by businesses worldwide. If your business targets citizens of the EU for marketing, selling goods or services, or behavioral tracking, you must comply with the new regulations.
We only obtain basic information, so will this change affect us?
According to the EU GDPR website, the definition of “personal data” has been expanded: “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” This means that if you are collecting any information from EU citizens, you most likely will need to comply.
We include clauses about how we use the data in the fine print. Is that enough?
Perhaps. The GDPR requires clear terms explaining how personal data will be used. This means conditions cannot be buried in pages of fine print or presented in “legalese”; rather, consent must be obtained legibly and transparently. Providing pre-ticked boxes, for example, does not show that the individual understood what they were agreeing to. Instead, there should be clear statements of consent that require active agreement to specific uses of information.
Does GDPR apply to U.S.-based companies?
Most multinational companies, and of course EU-based companies, should be in the process of ensuring GDPR compliance by May 2018. But what if you are a U.S.-based company with no direct operations in the EU? Do you think you are free of the GDPR’s reach? Think again! The meaning of “personal data” under the GDPR goes far beyond what you might expect considering how similar terms are defined in the U.S. Under the GDPR, “personal data” means information relating to an identified or identifiable natural person. A person can be identified from information such as name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This even includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs. U.S.-based companies with no physical presence in the EU, but in industries such as e-commerce, logistics, software services, travel and hospitality with business in the EU, should already be in the process of ensuring GDPR compliance.
What happens if my business doesn’t comply?
This is one of the biggest—and potentially scariest—changes, since the penalties for breaking these regulations are serious. An organization found in breach of GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This could be devastating to the organization’s finances and reputation.
Other Important Changes to Know About:
- If there is a breach in personal data, it is mandatory to notify the affected individuals within 72 hours.
- EU citizens now have extended rights to know if their information is being processed and for what purpose. They can also request a copy of their data in an electronic format from the business.
- EU citizens may also withdraw their consent and request that their personal data be erased.
These new regulations usher in a revolution in the treatment of personal data, ensuring it is handled with the care it should be. Armed with the right information, your business will be ready for May 25, 2018, when the regulations go into effect. It is vital to show regulators that your organization is taking all steps necessary to meet the new requirements.