One Year Of GDPR And The Outlook For Your Organisation

The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018. A year later, it seems clear that data protection and privacy rights are taking centre stage on a global scale. And the demands are not a strictly European phenomenon. Data and privacy professionals are counting the days until the California Consumer Privacy Act (CCPA). Comparable to GDPR in its scope and requirements, it comes into effect next year. Similar laws are being drafted in countries like Brazil and India.

The run-up to GDPR’s enforcement date last May was fraught with uncertainty. Organisations scrambled to decide how they would adjust their operations to comply with the new regulations. Readiness for GDPR had to be implemented across several departments, creating multiple and unique compliance challenges. Fast forward to May 2019, and organizations are still trying to come to terms with GDPR’s practical impact. Department-specific compliance challenges remain a significant hurdle.

By the end of 2018, and six months after GDPR came into effect, a survey by the International Association Of Privacy Professionals depicted a mixed picture of the status of GDPR compliance. On the one hand, working towards compliance seems easier in practice than it was on paper. Three-quarters of respondents said they had appointed a data protection officer. Three in four claimed they had made changes to products and services for compliance purposes. However, more than half of respondents admitted they were far from achieving compliance. Nearly 20 per cent said full compliance might never be achieved.

As far as organisations are concerned, GDPR compliance has prompted an overdue reconsideration of data security in their technical infrastructure, management systems, and member data collection and handling procedures.

GDPR Requirements

Here’s a review of GDPR’s requirements as they relate to the business events industry:


Consent

GDPR requires explicit consent to store and use data belonging to any EU resident or citizen attending your event. Organizers must specify their reasons for collecting data, how data will be used, whether any third parties like suppliers, exhibitors, or sponsors will have access to such data, and for how long. During event registration, attendees must give specific consent to each and every activity that requires data collection, and they must be able to opt out.

Data-breach notification

Event organizers must have data-breach notification procedures in place and be able to demonstrate that they are doing everything in their power to safeguard attendee data. This includes training your entire team, defining best practices, and establishing incident reporting procedures.


Right to access

Upon request, you must give attendees free-of-charge digital copies of their data as well as details on where the data is being stored and for which purposes.

Right to be forgotten

EU citizens or residents can request that you delete their data. Proof of compliance is also required.


Data portability

Upon request, you must securely transfer attendee data to a different data controller.

Data protection officers

When involved in the large-scale processing of data, controllers and data processors (which in the case of many event organizers are one and the same) must appoint a data protection officer.

Privacy by design

Privacy and data protection cannot merely be add-ons to your systems but must be integral to the entire organisation.

Where Do We Stand Now?

How far have we come in the meetings industry implementing the requirements above? There are noticeable changes across three main areas:

  • Communications — Privacy, consent, and data protection now govern the interactions between event organizers and attendees, which requires the modification of communication strategies. New terms of service are usually communicated via email. Opt-ins and consent requests also required website or event tech app updates, which now must incorporate footers, banners, or checkboxes, detailing their privacy and cookie policy, as well as users’ rights.
  • Handling Requests — Organizations should be prepared to handle data access requests from attendees or members, who also have the right to request data deletion or amendment. Some organizations have taken a proactive approach and made changes to their association-management systems to enable them to handle these requests appropriately — even if they have had no requests so far.
  • Third-Party Services and Suppliers — Some event organizers use third parties as data processors, and GDPR compliance is expected from vendors and contractors too. In some cases, contracts have had to be rewritten, or suppliers had to be replaced.

These changes hint at a change of mindset among PCOs: For some, compliance is not purely a legal issue but a matter of ethics and organizational culture, something that adds intrinsic value to an association or organization. This is a promising aspect of GDPR and likely to become even more critical in the future.

What’s Next with GDPR and your Organisation?

It seems clear that GDPR compliance will be an ongoing effort extending beyond the regulations’ enforcement date. On this note, enforcement will become increasingly rigorous: Fines for non-compliance are already being issued, signalling to event organizers the risks of complacency. Key takeaways from the fines already levied are:

  • There are now legal precedents, and the grace period is over. Regulators expect organizations to be proactive regardless of where their headquarters are located or who provides/maintains their data-management systems.
  • Proactivity means making demonstrable efforts to comply — the keyword being demonstrable. No organization is too small or too big to be exempt.
  • Implementing GDPR can get complex, but it’s helpful to focus on the seven basic requirements listed above and be ready to fine-tune them continuously — and not only when you are hosting events.

It is also essential to create mechanisms that reinforce cybersecurity. GDPR readiness audits can take so much of your time and resources that they may interfere with or distract you from enforcing other security mechanisms.

Looking ahead, you should also be vigilant about the impact of GDPR on your marketing practices, in particular where email marketing, marketing automation, and public relations are concerned. These should be governed by the principles of GDPR: transparency, accountability, privacy by design, and freely given consent.

Frank M. Waechter is a Europe–based digital marketer specializing in the meetings, incentives, conferences, and events industry as well as associations and small- and mid-size businesses. His company’s services include digital engagement strategy; conference and event social-media marketing; live, on-site digital engagement; and training, digital transformation and speaking.

This article was first published on PCMA.
