Momice blog: tips and tricks from the event industry

Start preparing for the new EU data privacy law (GDPR)

Written by Rutger Bremer | 10/16/17 8:48 AM

As of 25 May 2018, a new privacy law applies across the EU: the General Data Protection Regulation (GDPR) will be in force, and it binds every organisation that processes the personal data of people in the EU. This legislation affects your work as an event professional, because event registration involves a lot of personal data processing. If you do not comply, your company risks high fines.

In this blog, we explain briefly why the legislation is changing, what the implications will be for you - and what to keep in mind when organising events under the new rules.

Why a new EU data privacy law?

The goal of the new legislation is to better protect the privacy of people within the EU. Personal data are sensitive and therefore need careful handling. Because of large-scale digitisation and the use of cloud services for storing data, the risk of a so-called 'data breach' is increasing. The new legislation gives organisations more responsibility for storing and processing personal data. Hence, Europeans are better protected - and because the GDPR is a regulation rather than a directive, it applies directly in every member state, so as an organisation you have to follow only one set of rules throughout the EU.

What will change?

The current legislation already contains rules on the protection of personal data. In other words, careful data processing is already required today. However, because the legislation is becoming stricter and the fines much higher, many organisations only now feel the urgency to take action.

These are the most relevant changes for you as event professional:

  1. Up until now, many organisations treated only directly identifying information (name, email address) as personal data. The GDPR makes explicit that online identifiers associated with a person's device, such as IP addresses, MAC addresses and cookie identifiers, are personal data too. As an organisation, you have to be able to explain why you are recording these data, what you are doing with them, where you are storing them and with whom you are sharing them. This applies to all your event websites. If you use cookies, you must state this clearly in a transparent privacy statement and, for cookies that are not strictly necessary, obtain consent before setting them.

  2. As of May 2018, organisations must document all their data processing activities. A register stating which data are processed, for what purposes, on what legal basis and how they are protected must be kept up to date at all times. For you as an event organiser, this mainly concerns the data from your event registration form. Name, email, company and job title are common fields to ask for. Please note that dietary requirements can reveal health conditions or religious beliefs and therefore fall under the GDPR's special categories of personal data, which may only be processed on narrow legal grounds (usually explicit consent); passport numbers and credit card details are not special categories, but they are high-risk data whose loss directly harms the attendee. Both kinds require a higher level of security, and you should collect them only when you really need them. Ask the colleague responsible for your privacy policy (the Data Protection Officer, if your organisation has one) what information you may ask of your attendees.

  3. You must conclude a data processing agreement with every supplier that processes data on your behalf. For events, these include Registration Software Partners and Email Service Providers (ESPs): they process and store data supplied by your contacts. The data processing agreement is very similar to the agreement required under the current law - however, under the GDPR it is mandatory and must cover more topics: the nature and purpose of the processing, the processor's obligations, responsibilities and liability, sub-processors, security measures, breach notification and what happens to the data when the contract ends. In the next blog, we will dive deeper into the topics of a data processing agreement.

  4. The GDPR obliges the organisation to document every data breach internally and to notify the competent supervisory authority (in the Netherlands, the Autoriteit Persoonsgegevens) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people involved. If you have not processed the data carefully, your organisation risks a fine of up to €20 million or 4% of your global annual turnover, whichever is higher. Event professionals run a considerable risk of losing personal data, as you process a lot of data, at different locations, and involving multiple suppliers. In a next article, we will help you minimise the risk of a data breach.

  5. Because your organisation remains responsible for the personal data of your contacts, your supplier (i.e. your event software partner or Email Service Provider) is obliged to report any data breach to you without undue delay after becoming aware of it. The GDPR does not give the supplier a fixed deadline; your own 72-hour clock towards the supervisory authority, however, starts as soon as you are aware of the breach. Agree a concrete notification deadline (for example 24 hours) in the data processing agreement, so that you can meet your own obligation in time.

  6. As of May 2018, attendees have the right to data portability: on request, you must provide their data in a structured, commonly used and machine-readable format. In practice this means each supplier should be able to export the database in such a format at any time, and your data processing agreement should oblige the supplier to return or delete all data when the contract ends. Hence, the data can easily be transferred when you switch suppliers.

  7. If you work with partners that process or store data outside the EU, make sure there is a valid legal basis for the transfer: either the country has an adequacy decision from the European Commission, or the supplier offers appropriate safeguards such as the EU standard contractual clauses or, for US suppliers at the time of writing, certification under the EU-US Privacy Shield. Be aware that many Dutch / European companies require that processed data remains within the EU. Take this into account when considering working with US (software) suppliers.

Is your event software GDPR ready?

A good Event Software supplier ensures that personal data is processed and stored securely - and helps you make your events GDPR ready. If you are not using Event Registration Software yet, it is wise to start using it before the new privacy law applies, so that registration data is not scattered across spreadsheets and inboxes. If you already use Event Registration Software, start preparing now - in collaboration with all internal and external parties involved - so that you will be GDPR ready in time.

Conclusion

As of 25 May 2018, a new EU privacy law (GDPR) concerning personal data protection will apply. This law also affects event professionals, as they process personal data on a daily basis. By starting the preparations now, you will be GDPR ready in time!

This is the first of three blogs on preparing for the new privacy law.
