May 25th this year will go down in history. That's when the General Data Protection Regulation steps into full force, marking the biggest change in European data privacy legislation so far. The purpose of the GDPR is to secure the individual's right to govern and manage their own personal information, and to unify data privacy legislation that has been quite varied in different member countries.
The GDPR has been on everyone's lips lately, and the discussion is set to intensify as May draws closer. If there's work to be done on GDPR compliance, now is the time.
The GDPR focuses on (among other things) increased transparency in the way companies handle personal data. This affects marketing and communication in particular. Event management relies heavily on the collection of personal information, so we event professionals really need to pay attention to the demands set by the data protection regulation. A guest list forms a register, or filing system, and that comes with certain responsibilities.
This is how the GDPR will change things for event managers:
You're now officially a Data Controller
The GDPR isn't just for your IT team to worry about; it affects all departments within a company that have anything to do with the management of personal data. In the role of event organiser you're a data controller, and the software or service you use for data management is a data processor. Starting May 25th, these things are your responsibility as data controller:
Consent: Do you have explicit permission from the data subject to store and process their personal data?
Right to access: Are you able to retrieve and present a data subject's complete personal data on request, with reasonable effort?
Data portability: How do you provide the data subject with a copy of their data in a format that allows for easy use with another controller?
Right to be forgotten: What is the procedure when a data subject wants all their data erased from all your registers? Bear in mind that this may include the filing systems of third parties as well.
Technology: You need to make sure the cloud services and other data processing systems you use for personal data processing are GDPR-compliant too.
Data Protection Officer: Has your company hired or named a Data Protection Officer who can help with your GDPR compliance project?
Data collection and processing
When you collect personal data (i.e. when you receive registrations for an event), it's more important than ever to request permission to use that data for your purposes. At its simplest, it's about the data subject (participant) agreeing to receive messages from you: confirmation messages, event reminders, feedback requests, etc. Events are, in fact, a prime example of how the new regulation needs to be followed on a practical level. Much of the participant data we collect is of a sensitive nature, which makes GDPR compliance a must rather than a recommendation.
Data storing and access
Event management is a collaboration. Several third parties will have to come in contact with your guest lists to make things work. You and your organisation might be 100% GDPR-proof, but are you sure your data processor is? For example, does your data processor process or store personal data outside of the European Union? If a European cloud service provider has servers outside the EU, it can't, according to the GDPR, process the personal data of European subjects unless it obtains permission from said subjects for their personal data to be transferred overseas.