If you have not heard about it, or have not yet taken the time to learn about the new European regulation called the General Data Protection Regulation (GDPR): on May 25, 2018 a new data protection law came into force, and it affects everyone collecting the personal information of people in the EU. If you do business with, or have website visitors from, the EU then this is something you need to know, as it greatly affects your business. GDPR is a far-reaching law that does not just affect the European Union (EU). It affects virtually every organisation in the world that does digital business or marketing where someone in the EU can become a customer or user, or provide their personal information to you.
Recently you may have noticed that you are receiving a lot of emails from various service providers (for example Google, Microsoft, Apple, Facebook, Twitter, etc) announcing updates to their privacy policies. These updates are largely a result of the GDPR regulations.
If you are not compliant with the General Data Protection Regulation (GDPR), it could mean fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is greater. So it is vital for website owners and marketers to understand the new GDPR requirements. The legislation applies to everything from contact forms, newsletter signups, mobile event apps and online surveys to social media. It even covers business cards collected by hand at conferences once the details are typed into a database or filed in any other organised system.
A recent study by a large legal firm, Irwin Mitchell, found that only 34% of advertising and marketing firms were aware of the new data protection laws. To aid and prepare you, we have put together an overview to the most crucial aspects of GDPR that you need to know.
It is not as bad as you might think. GDPR really is a good thing, and the sooner you understand it, the better off you will be.
So, what is GDPR?
The EU General Data Protection Regulation (GDPR) was adopted in April 2016 and, after a two-year transition period, has applied since May 25, 2018.
It has been called the most important change in data privacy regulation in 20 years, and it aims to give people in the EU more control over how their personal data is used.
You can read the GDPR at the following link.
Why was GDPR introduced?
The legislation previously in force, the 1995 Data Protection Directive, was put in place before the Internet and cloud technology completely changed the way companies use personal data; the GDPR aims to address that.
The EU also wanted to give businesses a simpler and clearer legal environment in which to operate, with one regulation to comply with instead of 28 separate national laws across the EU member states.
What is “personal data” under GDPR?
In Article 4 (1) GDPR defines personal data as follows:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Essentially, if data can be used to identify a person, directly or in combination with other information, then it is personal data under the GDPR. That includes information you are likely to collect from your event attendees such as names, addresses, birth dates and email addresses, and also online identifiers such as IP addresses and cookie IDs.
I do not live in the EU, so who do these regulations apply to?
The short answer is that all organisations collecting and handling the personal data of people in the European Union (EU) have to comply with GDPR, whether or not the organisation itself is based in the EU.
A very important part of the GDPR has to do with its geographic scope. To summarise, Article 3 of the GDPR says that the regulation applies to any organisation established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (for example by tracking website visitors). So if you collect personal data or behavioural information from someone in an EU country, your company is subject to the requirements of the GDPR.
Two points of clarification.
- First, the law applies if the data subjects (the GDPR's term for the people whose data is processed) are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply. Good luck, though, trying to figure out and accurately track whether someone was in the EU when they provided their information.
- The second point is that a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects “personal data” as part of a marketing survey, then the data would have to be protected per the GDPR requirements.
What Are the GDPR Requirements?
GDPR (Article 13) requires website and web store owners to tell visitors, at the time their data is collected, at least the following:
- What personal data is being collected.
- What the data is being used for, and the legal basis for using it (for example consent, or a contract with the person).
- Who is handling the data, including any third parties it is shared with.
- How the data is collected and obtained.
- How and where the data is stored, and for how long.
- The rights the individual has over the data (access, correction, erasure, objection) and how to exercise them.
Here are some examples:
- An e-mail address field on a contact form or checkout page.
- Visitor or user accounts, where people can register and log in to your website. This applies even if only administrators log in to the back-end, so every site running a CMS such as WordPress or Joomla has to comply.
- Database with order information.
- Event registrations.
- Mailing list sign-ups.
It is important to note that the GDPR focuses on the rights of individuals rather than companies. What exactly does GDPR entail?
- Consent: Where you rely on consent to store and use personal data, you must ask for it explicitly and explain what the data will be used for. Consent must be an active, affirmative action by the individual, rather than passive acceptance through pre-ticked boxes or opt-outs, and the individual must be able to withdraw it as easily as they gave it. Consent is only one of the legal bases the GDPR recognises; processing that is necessary to fulfil a contract with the person, such as issuing the ticket they bought, does not need separate consent. Obtaining and recording consent is something you need to add if it is not already part of your event registration process.
- Breach Notification: GDPR makes it compulsory to notify the supervisory (data protection) authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the people affected, you must also inform them without undue delay, and every breach must be documented internally whether or not it is reported. Failure can result in heavy fines, so decide in advance who assesses whether a breach is reportable and who contacts the authority.
- Access: You need to be prepared, on request, to confirm whether you are processing a person's data and to provide them with a digital copy of it, along with what you are using it for, where it is stored and who it has been shared with. Requests must normally be answered within one month and free of charge.
- Right to be Forgotten: Individuals can ask you to delete their personal data (for example when it is no longer needed for the purpose it was collected for, or when they withdraw the consent it was based on) and to stop sharing it with third parties (sponsors, suppliers, hotels, venues etc.). You will also need to notify the third-party organisations that received the data, as they will also be obliged to stop processing it.
- Data Portability: Individuals have the right to receive the data they provided to you and to have it transmitted to another data controller. This means that upon request you need to be ready to export the data you hold on your attendees in a structured, commonly used, machine-readable format such as CSV or JSON.
- Privacy by Design: GDPR requires organisations to build data protection into products and processes from the very start, and to default to the most privacy-protective settings, for example collecting only the fields you need and limiting who can access them. This applies to all the tech systems and software you use to gather and manage the personal data of your event attendees.
- Data Protection Officers (DPO): Public authorities, and organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive data (such as health data or data relating to criminal convictions), are obliged to appoint a DPO, who is in charge of GDPR compliance. That means ensuring internal data protection policies are kept up to date, staff training is conducted and processing activities are documented.
How Does GDPR Impact My Company?
- Event Registrations: Registrations are a key way to collect attendee data that can be useful in designing an effective campaign for your event. A well-designed registration form can help you build a comprehensive database of your event attendees.
With the GDPR in place, registration forms for people in the EU must be designed with data minimisation in mind: you may only ask for the information you actually need for a stated purpose, keeping in mind the user's right to privacy.
- Consent: A main concern here is user consent for the collection of data. Under the new rules, a pre-ticked box, or consent buried in the terms and conditions, will not do. Companies must actively seek consent before collecting information.
Users must clearly indicate that they agree to their data being used by the company for the stated purposes. A dense statement of terms and conditions that registrants have to accept as a whole is no longer an option; the request for consent must be presented separately from other terms, in clear and plain language, and each purpose must be agreed to specifically. The agreement should be easily accessible and understandable to the attendees.