Events Council Blog

The General Data Protection Regulation (GDPR) is coming soon. Are you prepared?

Oct 27, 2017

Do you know what personal data you hold and why you are holding it? Do you know how you are securing personal data? What measures are you taking to make sure your entire team knows the importance of protecting data? Do you know how long you are holding data? If someone wanted their personal data removed from your system, how quickly and thoroughly could you respond? Do you have specific information on when individuals in your marketing database provided permission to send them communications? In order to comply with the General Data Protection Regulation (GDPR), you’ll need answers to these questions.

What is the GDPR?


The General Data Protection Regulation (GDPR) is a data protection law that regulates the collection, use, storage, disclosure, and other processing of “personally identifiable information” or “PII”. It was adopted by the European Parliament in April 2016 and comes into effect on 25 May 2018. It requires businesses to protect the personal data and privacy of EU citizens and applies to transactions within the EU as well as to transfer of data outside the EU.

Data protection is not a new concept. It has been enhanced over a number of years across different parts of the globe, and it has needed to accommodate the growth of the internet, the availability of PCs and the mass availability of apps. In other words, GDPR hasn’t suddenly come out of nowhere.

Why is this needed?

Protecting personal data is not only regulated, it is also the right thing to do. Consider your own personal information, and how you would like it to be secured. If you provide passport information, credit card numbers or medical information to an organization, how do you want that information protected?

Who is affected by the GDPR?

According to the GDPR website, “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” 

Does this mean that my company, based outside of the EU, is affected by GDPR?

Yes, given the global nature of the events industry, it is likely that most suppliers are affected, and that any events with EU attendees, regardless of whether or not the event is held in Europe, will also be affected. Verizon’s 2017 Data Breach Investigations Report found:

  • Accommodation (including hotels and restaurants) was the top industry for Point of Sale Intrusions in this year’s data, with 87% of breaches within that pattern
  • Retail and Accommodation combined to form 15% of all breaches
  • Breach timelines are concerning—with time-to-compromise being only seconds, time-to-exfiltration taking days, and times to discovery and containment taking months

PwC recently conducted a survey of 200 CIOs, CISOs, General Counsels, CCOs, CPOs and CMOs from US companies with more than 500 employees and found:

  • 54% reported that GDPR readiness is the highest priority on their data privacy and security agenda. Another 38% said GDPR is one of several top priorities.
  • 77% plan to spend $1 million or more on GDPR
  • 54% of respondents plan to de-identify European personal data to reduce GDPR risk exposure

What are the consequences of non-compliance?

Failure to comply with the GDPR can have significant financial implications. In addition to reputation damage, organisations also face significant potential fines for not meeting the requirements. According to the GDPR website, “Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts… It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.” 

While the fines and penalties are key issues, they need to be looked at in context. If your organisation is told to stop processing data it could put you out of business, which is far more severe than any fine will ever be. 

What constitutes personal data?

The information collected in typical registration forms or hotel reservations, including names, contact information and credit card details, as well as information on medical conditions or allergies, would be considered personal data. If you collect IP address information or “cookies” from visitors to your website, this data also needs to be protected.
The GDPR website defines personal data as “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” 

What types of personal data do events industry professionals collect?

As part of day-to-day operations, events industry professionals collect a significant amount of personal data. See the table below for examples of data that is typically collected.
[Chart: examples of personal data typically collected by events industry professionals]

What rights of individuals exist under GDPR?

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

How does GDPR affect marketing practices?

Much like the Canadian Anti-Spam Legislation that is already in effect, the GDPR sets requirements for obtaining permission to send electronic commercial messages. Not only does it require consent, it also requires that organisations disclose how information will be used. GDPR also includes record-keeping requirements to show how and when permission was obtained.

What do I need to do to comply?

The GDPR Awareness Coalition recommends the following six essential steps for GDPR Compliance:

[Image: the GDPR Awareness Coalition’s six essential steps for GDPR compliance]

Where do I go for more information?

Authors:

Paul Cook
Managing Consultant
Planet Planit Ltd

Michael Owen
Managing Partner, EventGenuity, Ltd &
Events Industry Council APEX Initiative

Mariela McIlwraith
Director of Sustainability
Events Industry Council