What's a GDPR? Is it edible? A new app? At this point you may have already heard that GDPR stands for General Data Protection Regulation, and that it will be fully enforced from May 25th 2018 onward. How will this affect your life or work? Are you prepared, or do you need to bother at all?
Lyyti's GDPR-dudes Antti and Juho know all there is to know about GDPR, and with their help, you can too.
Let me begin with a short anecdote. Five years ago I attended an event management trade fair in Germany. There was a session about data protection, which the Germans are known for being quite good at. This was at a time when Finnish marketers trusted the mass email as their number one tool and happily perused all kinds of shady registers and mailing lists that may or may not have been bought somewhere online. Needless to say, the practice in Germany was from another planet. A lawyer, who possessed vast experience in both events and marketing, stood up and counted off at least 20 ways to get in serious legal trouble just by being sloppy when handling and storing personal information. I remember thinking I'd better get all future marketing permissions approved by way of signature, stamp and grabbing a friendly cup of coffee.
Many companies feel the way I felt. The EU-encompassing General Data Protection Regulation will swing into full force on May 25th 2018, after a couple of transitional years. The threat of extremely heavy fines hangs, like the sword of Damocles, over the head of every event and marketing professional. Or does it? Is the GDPR just another bureaucratic tripwire to make life harder for European entrepreneurs?
The purpose of the GDPR
Let's step back and take a good look at what this regulation is all about. The goal of the regulation is to give greater protection and rights to privacy to every single EU citizen. The legislation harmonizes data privacy laws across Europe and gives the individual back control over how their personal information is handled by companies and organizations. Hands up, those who are not tired of constantly unsubscribing from random unwanted newsletters and marketing messages?
The right to privacy, that's the core of the GDPR. Ownership of your own personal information is, after all, an expression of your freedom as an individual. Freedom is an important building block of a democratic constitutional state. That's worth putting a little effort into, right?
Event management and the GDPR
How does the GDPR affect the work of an event manager or event organizer? As event organizers, we tend to collect personal information, in the form of registration details, from our participants. According to the GDPR, all organizations that collect, store and handle personal data are accountable for how they manage said data. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed. Let's have a look at some key points.
Collecting personal data
Collection of personal data is allowed only in situations where it's actually needed, and when the owner of the data has given their permission to do so, explicitly for the purpose intended. This means it's time to think about what kind of questions you ask your participants on various registration pages. Do I really need to know a postal address? Can I really justify asking about the participant's gender? Rule of thumb: collect only the data you need, and only use it for the purpose you've clearly communicated to the participant.
Your customer database
This is a big one: is all my data in my existing customer care system off-limits? Do I have to delete everything and start over? Not at all, but a refresher may be in order. As long as you have permission from each data owner, you're free to do with their data all the things you and the owner agreed upon (provided that data security and other groundwork is in order). There are many ways to request that explicit permission when you need it, besides just asking for it straight up. You may have noticed some of these in action already. Have you entered a raffle, downloaded content in exchange for your details or renewed your subscription for a newsletter recently? They're all ways to activate a subscriber to get them to refresh their contact details while granting you permission to do whatever the fine print says you can with their deets. A clever marketer obviously uses these tricks to build trust, not to trick the customer into unsavoury agreements.
The GDPR addresses technology issues too. It contains a long list of rules for how data can be collected, how and when data needs to be deleted and how data can be transferred from one registry to another. One major point is that data can physically only be stored within the European Union. Do you know where all the apps and systems you use keep the personal data of their users? What about the user's clients' data? Where does your inbox actually live? Do you, yourself, store sensitive data on several units and networks?
We've got you
Please contact us if there's anything that worries you about GDPR compliance in your event management work. You can rest assured that Lyyti is entirely GDPR compliant, but we can help and give advice when it comes to best practices and how to tackle other systems that may be relevant for your event data management. We'll keep addressing GDPR-related issues later this year and next spring as well, so keep following us here and on social media!
Antti Vaahtoranta, Global Sales Manager, Lyyti