As of 25 May 2018, the GDPR will apply. What does this new privacy law mean for event organisers? Can they still collect exhibitor and visitor data? And what are the risks of failing to comply with the GDPR?
The media is loud and clear with its warnings: as of 25 May 2018 everyone must comply with the GDPR or risk high fines. However, the careful processing of personal data shouldn’t be based only on a fear of being fined. There are more important, business-related reasons to comply. For example, we should look to create value with the personal data we collect, also for exhibitors and visitors, and should refrain from harassing people unnecessarily. Negative publicity for handling personal data improperly is something any organisation should avoid. I will be discussing the GDPR and actions undertaken by RAI in order to be compliant as of 25 May at an upcoming Meeting of Meeting Professionals International and would like to share my insights here as well.
What is personal data?
The processing of personal data starts as soon as the registration for your event opens, if not sooner. Any collection of names, (email) addresses etc. qualifies as the processing of personal data… Even your rolodex of business cards is a collection of personal data. In the Netherlands, the Dutch Act for Protection of Personal Data (Wet bescherming persoonsgegevens or Wbp) dictates what we may and may not do with personal data since 2001. The most important rule to remember when processing personal data is that you must have sufficient grounds to do so (verwerkingsgrond). The grounds for processing personal data are listed in the Wbp (as well as the new GDPR). It may be necessary to process personal data in order to comply with an agreement: for example the processing of a bank account number of an employee so that you can pay his or her monthly salary. Furthermore, you may be required to process personal data based on a legal requirement: for instance, employers are legally obliged to provide certain personal data of their employees to the tax authorities. Another ground may be that you have been granted permission to process personal data by the data subject.
Why the new legislation?
So why is the regulation being redefined? The first goal is to ensure that the same legislation applies in all European countries. Secondly, a lot has changed in the way we collect and use personal data from a technological perspective. Almost everyone uses internet and more and more personal data is processed. There are greater risks: hacks of large companies have made that abundantly clear. This is why the new regulation is stricter and more explicit. In addition, the new regulation has as a consequence that non-European companies, which process a lot of the personal data of Europeans (i.e. Facebook, Instagram etc.), must comply with the European rules.
What will change?
By definition, event organisers collect a lot of personal data. At RAI Amsterdam we do the same for our own events. We register exhibitors and visitors and keep them up-to-date about the event. By collecting data on behaviour – such as click behaviour on a community platform – we can provide people with more specific information. Will this still be allowed by the new regulation? Yes, but only under certain conditions, the most important of which are explained below.
- Explicit and specific permission for many forms of direct marketing
The essence remains the same: explicit permission is required from visitors for direct marketing. You must inform someone of the extent of the permission they are giving and someone must act proactively to give their permission. You may not tick a permission box, the data subject must do so him or herself. And even when the box has been pro-actively ticked, this does not mean you can send out an unlimited amount of news or offers. These also require specific permission. This means that a so-called opt-in request at registration may include as many as four or five questions for the various categories. People may say: “If separate permission has to be actively given for everything, no one will bother and we may not be able to use any email addresses for news or ads.” That may be true but on the other hand, if people really want to receive offers, they will tick the relevant box and you will have motivated receivers. This is why asking for permission can be beneficial and not just about avoiding a fine. If and when you want to enrich personal data, you generally require permissions for that as well from the persons involved. It is not permitted to add Facebook profiles to you visitors’ data without permission.
At RAI Amsterdam we are now analysing all our processes to see how we ask for permission, if we inform correctly and sufficiently and whether we believe the permission granted to be explicit enough. Unfortunately, the regulation does not provide a precise list of our obligations, which is why we consult external experts to help us make choices. We also review the recently published European guidelines on the conditions for permission. Furthermore, the European regulation regarding direct marketing (the ePrivacy Regulation) is expected to be made more strict in 2018, which we will monitor closely.
Finally, everyone must have the chance to withdraw their permission at any time. This means that there must be an easy opt-out link underneath every mailing or newsletter. - Sharing personal data with partners
Exhibitors and sponsors like to receive the visitors’ data for events in order to approach them themselves. May organisers provide such personal data regarding visitors? Yes, they may, but only under strict conditions. The relevant visitors must have given permission to use their personal data for this purpose, and this permission must be explicit. A general statement such as “do you want to receive news from carefully selected partners?” does not suffice. A better option is “from participants in this exhibition” with a specification of who those participants are. Better yet is a further refinement by type of information.
If you provide personal data to partners, you must make sure your partner does not use the personal data for more purposes than for which permission was granted. RAI Amsterdam uses agreements vis a vis its partners, which clearly specify what these partners may and may not do. It is important to note in this respect, that European legislation does not apply in the US or Asia so that you will need stricter agreements if you work with partners outside Europe. The EU has drawn up model contracts for this purpose, which we have been using at RAI Amsterdam for some time. The authorities have the right to check the data processing agreements used. - Knowing which personal data you collect and where it is stored
The new regulation also prescribes that most organisations should, among others, note exactly which personal data they collect, where and how it is stored, for how long and how the personal data is protected. An overview must be available to the relevant authorities at any time. Drawing up such overview may be a challenge as personal data may found anywhere in your company. Where possible, it may be beneficial to centralise the personal data. One clear central database is preferable over various sub-databases in different locations. The logic is clear: to properly protect and manage personal data you must know where it is. That way it is easier to calculate the risks surrounding a data breach. - Storing personal data and the rights of parties whose personal data is being processed
Personal data may be stored as long as you have a good reason for doing so. For annual events, for instance, this may be two or three years after the last participation. For biennial events, this may be longer. There are no timelines but personal data should not be kept, in a non-anonymous form, for longer than necessary for the purposes for which it was collected.
Everyone has the right to know what you know about them. As such, you must be able to supply this information when asked. People may amend their personal data if it is incorrect. Under several circumstances, people have the right to be forgotten, which means that their personal data must be deleted on request. Can you do this with your current system? It is important to set up internal procedures setting out how your organisation handles these various rights, especially because the new regulation prescribes strict deadlines within which one must comply with such requests. - Protecting personal data and implementing a data breach protocol
Protecting files against loss, hacking and misuse is clearly a must, both now and in the future. Parties must have proper firewalls and clear protocols on who has access to which personal data, and these must be strictly enforced. A simple example: personal passwords should be immediately deactivated when employees leave the company.
The GDPR also demands that each organisation which collects personal data must have a data breach protocol. This is not new: specific rules regarding the management of data breaches exist in the Netherlands since 1 January 2016. You need to know how you will respond should a data breach occur. Whether it involves a hack or someone leaving their laptop on a train, every breach and the measures taken must be reported to the relevant authorities. It is often also necessary to inform the parties whose personal data has leaked. Any failure to do so is a violation. Uber was recently found out for not reporting a data leak. The result: negative publicity, investigations by privacy authorities in several European countries and possible high fines. - Enforcement measures
It is expected that measures enforcing privacy regulation will increase as of May 2018. Until now the authorities have mainly taken action after receiving a complaint or after media coverage. We need to be prepared that they may perform checks more proactively. And the fines may be steep, as high as 4% or EUR 20 million of a company’s global annual turnover.
Start now
It may seem like a lot of work, but don’t let that scare you. Action is needed if you haven’t already started updating your privacy policy. Remember the following in order to keep oversight:
- Make sure you know which personal data you collect why, where it is stored and for how long.
- Familiarise yourself with the GDPR and train your staff. You are not done after May 2018: compliance is an ongoing process.
- When collecting personal data, make sure you specify for what purposes you will use the personal data and only use it for that purpose. Provide information through a privacy statement.
- Do you provide personal data to third parties? Clearly define what they can and cannot do.
- Invest in protecting personal data. Draft a data breach protocol and check your internal authorisations.
- Review whether you actually still need all the personal data you are storing. Establish policy and procedures for storing and supplying personal data as well as the manner in which you comply with requests form parties (also from you own employees!) whose personal data you are processing.
New opportunities
Again, don’t just comply because of the possible fines or to satisfy the legislator. Comply for the benefit of your organisation. Handle personal data carefully to the benefit of yourself as well as your clients and other relations. This prevents problems and creates new opportunities.