One Year Of GDPR And The Outlook For Your Organisation

GDPR for your organisation. The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018. A year later, it seems clear that data protection and privacy rights are taking centre stage on a global scale. And the demands are not a strictly European phenomenon. Data and privacy professionals are counting the days until the California Consumer Privacy Act (CCPA). Comparable to GDPR in its scope and requirements, it comes into effect next year. Similar laws are being drafted in countries like Brazil and India.

The run-up to GDPR’s enforcement date last May was fraught with uncertainty. Organisations scrambled to decide how they would adjust their operations to comply with the new regulations. Readiness for GDPR had to be implemented across several departments, creating multiple and unique compliance challenges. Fast forward to May 2019, and organizations are still trying to come to terms with GDPR’s practical impact. Department-specific compliance challenges remain a significant hurdle.

By the end of 2018, and six months after GDPR came into effect, a survey by the International Association Of Privacy Professionals depicted a mixed picture of the status of GDPR compliance. On the one hand, working towards compliance seems easier in practice than it was on paper. Three-quarters of respondents said they had appointed a data protection officer. Three in four claimed they had made changes to products and services for compliance purposes. However, more than half of respondents admitted they were far from achieving compliance. Nearly 20 per cent said full compliance might never be achieved.

As far as organisations are concerned, GDPR compliance has prompted an overdue reconsideration of data security in their technical infrastructure, management systems, and member data collection and handling procedures.

GDPR Requirements

Here’s a review of GDPR’s requirements as they relate to the business events industry:


Consent

GDPR requires explicit consent to store and use data belonging to any EU resident or citizen attending your event. Organizers must specify their reasons to collect data, how data will be used, whether any third parties like suppliers, exhibitors, or sponsors will have access to such data, and for how long. During event registration, attendees must give specific consent to each and every activity that requires data collection, and they must be able to opt out.

Data-breach notification

Event organizers must have data-breach notification procedures in place and be able to demonstrate that they are doing everything in their power to safeguard attendee data. This includes training your entire team, defining best practices, and establishing incident reporting procedures.


Right to access

Upon request, you must give attendees free-of-charge digital copies of their data as well as details on where the data is being stored and for which purposes.

Right to be forgotten

EU citizens or residents can request that you delete their data. Proof of compliance is also required.


Data portability

Upon request, you must securely transfer attendee data to a different data controller.

Data protection officers

When involved in the large-scale processing of data, controllers and data processors (which in the case of many event organizers are one and the same) must appoint a data protection officer.

Privacy by design

Privacy and data protection cannot merely be add-ons to your systems but must be integral to the entire organisation.

Where Do We Stand Now?

How far have we come in the meetings industry in implementing the requirements above? There are noticeable changes across three main areas:

  • Communications — Privacy, consent, and data protection now govern the interactions between event organizers and attendees, which requires the modification of communication strategies. New terms of service are usually communicated via email. Opt-ins and consent requests also required website or event tech app updates, which now must incorporate footers, banners, or checkboxes, detailing their privacy and cookie policy, as well as users’ rights.
  • Handling Requests — Organizations should be prepared to handle data access requests from attendees or members, who also have the right to request data deletion or amendment. Some organizations have taken a proactive approach and made changes to their association-management systems to enable them to handle these requests appropriately — even if they have had no requests so far.
  • Third-Party Services and Suppliers — Some event organizers use third parties as data processors, and GDPR compliance is expected from vendors and contractors too. In some cases, contracts have had to be rewritten, or suppliers had to be replaced.

These changes hint at a change of mindset among PCOs: for some, compliance is not purely a legal issue but a matter of ethics and organizational culture, something that adds intrinsic value to an association or organization. This is a promising aspect of GDPR and likely to become even more critical in the future.

What’s Next with GDPR and your Organisation?

It seems clear that GDPR compliance will be an ongoing effort extending beyond the regulation’s enforcement date. On this note, enforcement will become increasingly rigorous: fines for non-compliance are already being issued, signalling to event organizers the risks of complacency. Key takeaways from the fines already levied are:

  • There are now legal precedents, and the grace period is over. Regulators expect organizations to be proactive regardless of where their headquarters are located or who provides/maintains their data-management systems.
  • Proactivity means making demonstrable efforts to comply — the keyword being demonstrable. No organization is too small or too big to be exempt.
  • Implementing GDPR can get complex, but it’s helpful to focus on the seven basic requirements listed above and be ready to fine-tune them continuously — and not only when you are hosting events.

It is also essential to create mechanisms that reinforce cybersecurity. GDPR readiness audits can take so much of your time and resources that they may interfere with or distract you from enforcing other security mechanisms.

Looking ahead, you should also be vigilant about the impact of GDPR on your marketing practices, in particular where email marketing, marketing automation, and public relations are concerned. These should be governed by the principles of GDPR: transparency, accountability, privacy by design, and freely given consent.

Frank M. Waechter is a Europe-based digital marketer specializing in the meetings, incentives, conferences, and events industry as well as associations and small- and mid-size businesses. His company’s services include digital engagement strategy; conference and event social-media marketing; live, on-site digital engagement; and training, digital transformation and speaking.

This article was first published on PCMA.
