With widespread focus on consumer protection arising from Facebook CEO Mark Zuckerberg’s testimony in the US, the implementation date of the EU’s General Data Protection Regulation (GDPR) comes at a time when data has become a rather dirty word.
On 25 May this legislation will replace the Data Protection Directive 95/46/EC, a piece of legislation that, for the sake of poignancy, precedes not just Facebook but the formation of Microsoft’s Hotmail almost a decade before it. The world of data collection and management has changed immeasurably in this time, so it is no surprise that GDPR has been conceived to harmonise data privacy laws across Europe, protecting and empowering EU citizens through data privacy and the reshaping of the conduct of organisations pertaining to transparency and – ultimately – trust.
New benefits and obligations
There are of course many benefits of the new legislation for operators in the global events industry. It will improve transparency for attendees, make pre-event communication more effective for those who opt in and, perhaps most important of all, lead to improved attendee confidence in the digital components of our business.
GDPR will make it incumbent on companies either operating in the EU or partnering with companies in the EU to account for the data they have, and ensure they are using it correctly.
Companies must now notify their customers of any data breach without undue delay and within 72 hours of becoming aware of the breach. They must also, upon request, confirm to customers whether personal data concerning them is being processed, where and for what purpose – including making available a copy of the personal data in an electronic format free of charge.
Clients have a right to data erasure, in essence to be forgotten not just by an organiser but potentially by any third parties processing the data on their behalf. It is not just the data itself that is being erased, but the future dissemination of it, by the company in possession of that data.
Data held on clients must also be stored in such a way that it can be provided to them in a commonly used and machine-readable format, and they have the right to transmit this information to another company.
Revisiting data capture
The new regulation is about more than the way data is handled. It is also about revisiting the mechanisms put in place to capture and disseminate data in the first place. While Privacy by Design is not a new concept, with GDPR there is an expectation that new data capture systems have this written into them from the outset. Article 23 of the regulation calls for companies to hold and process only the data absolutely necessary for the completion of their duties, and in addition to limit access to personal data to those who need it to carry out the processing.
It follows then that data protection officers must be appointed, either internally or as a third party. These will need to be appointed on a local basis, with several potentially required for a large multinational and each given the necessary resources to carry out their tasks. This is not only in terms of remuneration and access, but also in terms of matters such as the consolidation of corporate records into one central location, enabling them to make good on all of the above.
There are significant benefits that accompany the enforcement of GDPR. Online networking and matchmaking services for attendees who opt in mean that metrics and analytics will be more meaningful, because by virtue of having elected to share their data, attendees will also be showing a willingness to become a part of the discussion surrounding the event and adding value in the process.
In our industry, personal data is typically collected during registration, browsing the show site or via a mobile app, during which time data will be acquired through cookies, IP addresses and even social media log-in details. Organisers and contractors should therefore begin by paying attention to these areas of their business, which will have the greatest impact on their organisation.
However, GDPR necessitates looking inwards as well as outwards. Internal factors such as employee and personnel data and accounts have renewed sensitivity and must be handled accordingly.
May seems an appropriate time for a spring clean of our data in Europe.