There's a new regulation taking effect May 25 which may affect you, but it isn't a state or federal one. It's a regulation in European Union (EU) law. If you're living in the United States, you're probably thinking, "Why would I be concerned with an EU regulation?"
What is GDPR and Who Does It Affect?
The General Data Protection Regulation, or GDPR, was passed on April 14, 2016. The GDPR is designed to protect EU residents, businesses and employees with a comprehensive framework of rules governing the use of personal data. The new law replaces the Data Protection Directive 95/46/EC with an eye towards data management in the 21st century and beyond. It harmonizes the approach of the individual EU member states.
The GDPR applies to any company or non-profit located or operating within the borders of the EU. Notably, the GDPR also applies to organizations outside the EU that offer goods or services to individuals in the EU. Those organizations must, in turn, ensure that their suppliers adhere to the GDPR requirements. As a result, the GDPR has a broad extraterritorial reach. If you handle personal data, it probably applies to your organization in some form.
Pay Attention Event Marketers
As an event marketer, your ingestion of personal data might be analogous to “drinking from a fire hose.” So the new rules are especially important:
- “But that event I ran is done and dusted!” Beware: the personal data you have on file from past events is regulated. Even if you don’t have international events planned in the immediate future, the GDPR still applies to how you use or store personal data of past EU participants.
- The events you are mindlessly planning today are the personal data snafu of tomorrow. Looking ahead to an upcoming event that’s already driving registrations? Now is the time to get GDPR compliant.
- Compliance equals better engagement and conversion from your events. This is about more than just following the law—being forthright about how you use personal data will foster trust among your participants. Complying can help improve the impact and success of your marketing.
- Don’t forget about online events. Really. The GDPR applies to that participant data in your database, too. If you’re conducting online events which include EU participants, heads up, even if you never actually set foot in the EU.
New Roles and Responsibilities
There are also several steps that companies must take in order to comply with the GDPR. Where you stand depends on where you sit in the personal data food chain. If you are a controller, you run the data show. The controller decides how personal data records will be processed, spelling out the processes and procedures that its processors must follow. As the controller, you are the master of your personal data destiny. And your practices had better check out. If you're a processor, you may feel like a mere pawn in the game of life. But certain rules still apply: you need to adequately safeguard your controller's personal data and follow their instructions. No funny business. Know your role to understand the scope of your accountability.
Data Subject Rights
Perhaps the most significant aspect of the GDPR is the expanded control EU individuals have over their own data. Treating personal data with dignity is a fundamental concept. Under the GDPR, individuals, who are called data subjects, have the right to access their data held by the controller. They have the right to have their data erased (the "right to be forgotten"). The data subject can also have their personal data transmitted from one controller to another. Was your system designed to accommodate this? Time to prepare.
Data Protection by Design
So many systems have grown without consideration of what happens to the personal data flowing through them. The GDPR requires you to understand where your personal data goes and to control it: to keep it private, and to record what you do with it. You may view this as an administrative burden, but consider the cost of not complying. Better late than never.