GDPR for Event Planners – Proceed with Caution
As if your job as an event planner weren't stressful enough, along comes the General Data Protection Regulation (GDPR) in all its complicated glory. Over the last several months, you would have to have been living on a desert island not to have noticed the flood of information and warnings about GDPR and its effect on the events industry (among others). The advice out there ranges from "wait and see" to outright panic.
While the regulation mostly affects organizations established in the EU, and events that take place in the EU or that target attendees located in the EU, similar laws may someday be enacted in other parts of the world, including the US. And while I'm loath to add to the noise, every event planner should find these tips useful while preparing for May 25, 2018, GDPR go time.
Because executing an event has always involved a great deal of personal data, and always will (email addresses, preferences, meal selections, payment card information, travel details), event planning now carries more liability than it used to. Under GDPR, as the event planner deciding why and how attendee data is used, you are a "data controller," and the vendors whose registration and event-management systems process that data on your behalf are "data processors."
Some Do’s and Don’ts
Don’t stick your head in the sand.
We know you're busy, but there's a lot at risk, and the penalties for not complying can be devastating. The GDPR allows supervisory authorities to fine data controllers and processors for non-compliance: for the most serious breaches, up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Do arm yourself with knowledge. There are many resources available from parties with an obligation to understand and comply with GDPR, including your technology solution providers and third-party agencies (like Opus Agency).
Don’t be a victim.
While your solution providers can be a great resource, you can't rely on them entirely to do this for you: they protect themselves first and you second. Yes, they'll help you as much as they can by providing tools for data protection, easy means to expedite requests, and so on (they're required to), but certain things remain your responsibility.
For example, if you plan to share attendee data with third-party vendors, whether badging companies, mobile app providers, or polling/survey companies, it is up to you to have a lawful basis for each disclosure and to name those recipients in your privacy notice. Where you rely on consent, it must be an explicit, opt-IN choice (no pre-ticked boxes) for EACH vendor and purpose. Most registration platforms won't even provide you with boilerplate consent copy, since they may be restricted from offering anything that could be viewed as legal advice.
Do be proactive and be clear on the roles of controller and processor.
Do find out where your software vendors’ responsibilities end and yours begin.
For example, under GDPR, individuals in the EU (the "data subjects") can ask you for a copy of their personal data, to have it corrected, or to have it erased, and you generally have one month to respond. Your attendees may come to you with these requests, and you have a responsibility to comply. Understand how your solution providers will handle these requests so you can help your attendees navigate the process.
Don’t be careless.
Do be vigilant. Encrypt your data; share contact lists only through a secure, access-controlled document sharing solution approved by your information security team; and share account usernames and passwords only through a password manager or another channel that team approves, never by email or in a plain shared document.
Do prepare for, and respond promptly to, requests to delete personal information, to explain how data is being shared, and any other requests regarding attendee data.
The GDPR is not going away; it represents a shift in how you’ll need to operate going forward. The best thing you can do now is adopt these regulations as the new status quo for your events.
For additional help, I'd suggest reaching out to your agency or legal team. You might also want to watch this helpful webinar on GDPR that was produced by the talented folks at Opus Agency.