The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and a year later, it seems clear that data protection and privacy rights are taking centre stage on a global scale and are not a strictly European phenomenon. Data and privacy professionals are counting the days until the California Consumer Privacy Act (CCPA) — similar to GDPR in its scope and requirements — comes into effect next year, and similar laws are being drafted in countries like Brazil and India.

The run-up to GDPR’s enforcement date last May was fraught with uncertainty as organizations scrambled to decide how they would adjust their operations to comply with the new regulations. Readiness for GDPR had to be implemented across several departments, creating multiple and unique compliance challenges. Fast forward to May 2019, and organizations are still trying to come to terms with GDPR’s practical impact, and department-specific compliance challenges remain a significant hurdle.

By the end of 2018, six months after GDPR came into effect, a survey by the International Association of Privacy Professionals painted a mixed picture of the status of GDPR compliance. On the one hand, working towards compliance seems easier in practice than it was on paper. Three-quarters of respondents said they had appointed a data protection officer, and three in four claimed they had made changes to products and services for compliance purposes. However, more than half of respondents admitted they were far from achieving compliance, and nearly 20 per cent said full compliance might never be achieved.

As far as associations are concerned, GDPR compliance has prompted an overdue reconsideration of data security in their technical infrastructure, management systems, and member data collection and handling procedures.

GDPR Requirements

Here’s a review of GDPR’s requirements as they relate to the business events industry:

  • Consent — GDPR requires explicit consent to store and use data belonging to any EU resident or citizen attending your event. Organizers must specify their reasons to collect data, how data will be used, whether any third parties like suppliers, exhibitors, or sponsors will have access to such data, and for how long. During event registration, attendees must give specific consent to each and every activity that requires data collection, and they must be able to opt out.
  • Data-breach notification — Event organizers must have data-breach notification procedures in place and be able to demonstrate that they are doing everything in their power to safeguard attendee data. This includes training your entire team, defining best practices, and establishing incident reporting procedures.
  • Access — Upon request, you must give attendees free-of-charge digital copies of their data as well as details on where the data is being stored and for which purposes.
  • Right to be forgotten — EU citizens or residents can request that you delete their data. Proof of compliance is also required.
  • Portability — Upon request, you must securely transfer attendee data to a different data controller.
  • Data protection officers — When involved in the large-scale processing of data, controllers and data processors (which in the case of many event organizers are one and the same) must appoint a data protection officer.
  • Privacy by design — Privacy and data protection cannot merely be add-ons to your systems but must be integral to the entire organisation.

Where Do We Stand Now?

How far have we come in the meetings industry implementing the requirements above? There are noticeable changes across three main areas:

  • Communications — Privacy, consent, and data protection now govern the interactions between event organizers and attendees, which requires the modification of communication strategies. New terms of service are usually communicated via email. Opt-ins and consent requests also required website or event tech app updates, which now must incorporate footers, banners, or checkboxes, detailing their privacy and cookie policy, as well as users’ rights.
  • Handling Requests — Organizations should be prepared to handle data access requests from attendees or members, who also have the right to request data deletion or amendment. Some organizations have taken a proactive approach and made changes to their association-management systems to enable them to handle these requests appropriately — even if they have had no requests so far.
  • Third-Party Services and Suppliers — Some event organizers use third parties as data processors, and GDPR compliance is expected from vendors and contractors too. In some cases, contracts have had to be rewritten, or suppliers had to be replaced.

These changes hint at a change of mindset among PCOs: For some, compliance is not purely a legal issue, but a matter of ethics and organizational culture, something that adds intrinsic value to an association or organization. This is a promising aspect of GDPR and likely to become even more critical in the future.

What’s Next?

It seems clear that GDPR compliance will be an ongoing effort extending beyond the regulations’ enforcement date. On this note, enforcement will become increasingly rigorous: Fines for non-compliance are already being issued, signalling to event organizers the risks of complacency. Key takeaways from the fines already levied are:

  • There are now legal precedents, and the grace period is over. Regulators expect organizations to be proactive regardless of where their headquarters are located or who provides/maintains their data-management systems.
  • Proactivity means making demonstrable efforts to comply — the keyword being demonstrable. No organization is too small or too big to be exempt.
  • Implementing GDPR can get complex, but it’s helpful to focus on the seven basic requirements listed above and be ready to fine-tune them continuously — and not only when you are hosting events.

It is also essential to create mechanisms that reinforce cybersecurity. GDPR readiness audits can take so much of your time and resources that they may interfere with or distract you from enforcing other security mechanisms.

Looking ahead, you should also be vigilant about the impact of GDPR on your marketing practices, in particular where email marketing, marketing automation, and public relations are concerned. These should be governed by the principles of GDPR: transparency, accountability, privacy by design, and freely given consent.

Frank M. Waechter is a Europe–based digital marketer specializing in the meetings, incentives, conferences, and events industry as well as associations and small- and mid-size businesses. His company’s services include digital engagement strategy; conference and event social-media marketing; live, on-site digital engagement; and training, digital transformation and speaking.

This article was first published on PCMA.
