If you have not heard about it or really didn’t take the time to educate yourself about the new European regulation called General Data Protection Regulation (GDPR), on May 25th a new data protection legislation goes into force and it affects everyone collecting the personal information of EU citizens. If you are doing business or have website visitors from the EU then this is something you need to know as it greatly affects your business. GDPR is a “far reaching” legislation that doesn’t just affect the European Union (EU). It affects virtually every country in the world that does digital business and marketing where an EU citizen can become a customer, user, or provide their personal information to you.

Recently you may have noticed that you are receiving a lot of emails from various service providers (for example Google, Microsoft, Apple, Facebook, Twitter, etc) announcing updates to their privacy policies. These updates are largely a result of the GDPR regulations.

If you are not compliant with the General Data Protection Regulation (GDPR) legislation, it could mean fines of up to 20 million EURO, or 4% of annual sales, whichever is greater. So it’s vital for website owners and marketers to understand the new GDPR requirements. This new legislation applies to everything from contact us forms, newsletter signups, mobile event apps, online surveys to social media. It even includes manually collecting business cards at conferences.

A recent study by a large legal firm, Irwin Mitchell, found that only 34% of advertising and marketing firms were aware of the new data protection laws. To aid and prepare you, we have put together an overview to the most crucial aspects of GDPR that you need to know.

It’s not as bad as you might think. GDPR really is a good thing and once you understand it, the better off you’ll be.

So, what is GDPR?

The new EU General Data Protection Regulation (GDPR) was adopted last year, and was implemented May 25, 2018.
It has been noted as the most important change in data privacy regulations in 20 years and aims to give EU citizens more control over how their personal data is used.

You can read the GDPR at the following link.

https://www.eugdpr.org/the-regulation.html

Why was GDPR introduced?

The legislation that was previously in use was put in place before the Internet and cloud technology completely changed the way companies use “personal data” and the more updated GDPR aims to address that.
The EU also wanted to give businesses a more simple and clear legal environment in which to operate where they only have one law to comply with instead of the previous 28 laws across different EU countries.

What is “personal data” under GDPR?

In Article 4 (1) GDPR defines personal data as follows:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Essentially, if data can be used to identify a person, then it is classed as personal data under the laws of the GDPR. That includes information you are likely to collect from your event attendees such as names, addresses, birth dates and email addresses.
I do not live in the EU, so who do these regulations apply to?
The short answer is, ALL organizations that are collecting and handling personal data of European Union (EU) citizens (or residents) have to comply with GDPR.

A very important part of the GDPR has do with the geographic scope of this new law. To quickly summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

Two points of clarification.

  1. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply. Good luck trying to figure out and accurately track if they were in the EU when they provide their information.
  2. The second point is that a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects “personal data” as part of a marketing survey, then the data would have to be protected per the GDPR requirements.

What Are the GDPR Requirements?

GDPR requires website and web store owners to inform visitors of the following things:

  • What personal data is being collected.
  • What the data is being used for.
  • Who is handling the data.
  • How the data is collected and obtained.
  • How and where the data is stored.

Here are some examples:

  • An e-mail address field on a contact form or checkout page.
  • People can register and log in to your website. Even if it’s just in the back-end so all sites with a CMS like WordPress and Joomla have to comply.
  • Database with order information.
  • Event registrations.
  • Mailing list sign-ups.

It is important to note that the GDPR focuses on the rights of individuals rather than companies. What exactly does GDPR entail?

  1. Consent: Companies will be required to get their users’ consent to store and use their personal data, as well as explain how it will be used. Consent must be an active, affirmative action by the individual, rather than passive acceptance through pre-ticked boxes or opt-outs. It’s something you need to do if this isn’t already part of your event registration process.
  2. Breach Notification: GDPR makes it compulsory to notify both data and users protection authorities within 72 hours of discovering a security breach. Failure can result in heavy fines.
  3. Access: You need to be prepared, if requested, to provide digital copies of private records to attendees that request their personal data that your organisation is processing, where the data is stored and what you are using it for.
  4. Right to be Forgotten: EU citizens at any time will be able to ask you to not only delete their personal data but to also stop sharing it with third parties (sponsors, suppliers, hotels, venues etc.). You will also need to notify those 3rd party organizations as they will also be obliged to stop processing it.
  5. Data Portability: The new regulation states that individuals will have the right to transmit their data from one data controller to another. This means that upon request, you need to be ready to export the data you have on your attendees in a commonly used digital format.
  6. Privacy by Design: GDPR requires that organisations have to have data security built into products and process from the very start. This applies to all the tech systems and software that you use to gather and manage personal data of your event attendees.
  7. Data Protection Officers (DPO): Some organizations that frequently monitor large amounts of data or deal with data relating to criminal convictions will also be obliged to have a DPO, who will be in charge of GDPR compliance. That means ensuring internal data protection policies are updated, staff training is conducted and that processing activities are always documented.

How Does GDPR Impact My Company?

  1. Event Registrations: Registrations are a key way to collect attendee data that can be useful in designing an effective campaign for your event. A perfect event registration form can help you create a comprehensive and exhaustive database of all your event attendees.

With the GDPR in place, registrations for EU citizens will now be heavily moderated. Companies have to be selective in terms of the information they ask for, keeping in mind the user’s “Right to Privacy”.

  1. Consent: A main concern in this case is user consent when it comes to the collection of data. With the new regulations in picture, a simple check-box won’t do. Companies must actively seek consent before collecting information.

agree checkbox

Users must declare that they consent to their data being utilized by the company within the regulations. A difficult statement stating conditions and terms would no longer be an option. They must be specifically agreed to by the registrants. The agreement should be easily accessible and comprehensive to the attendees.

  1. Data sharing: Companies must make known plainly to the attendees regarding the handling of their data. Attendees should be mindful with regards to where their information is being shared and regarding just what intent is it being used . At the time of asking, it is the organizer’s responsibility to provide those records in a digital format.

Independent from this, the regulation also consists of the practice of data portability. If these individuals want , data portability provides the right to the subject to access their data anytime and transfer it from one controller to the other.

  1. Data-breach notification: No company is a stranger to cyber attacks. You must have seen or heard cases of breaches in terms of data which in turn mistreated at the hand of cyberpunks.

It is essential that organizations take all preventative measures essential to protect against the same. If a data breach takes place, organizers must report the breach within 72 hours after the organization is aware of the same and notify the necessary authorities as per the law.

  1. Opting out: The user data that is being collected and used for marketing campaigns have the right to opt out at any time. They have the authority get their records totally removed from each and every database in which it is held at any given point .

The organizations must honor this specific request and remove all records of the attendees that choose to opt out. Users, therefore, hold the ‘Right to be Forgotten’ by means of GDPR.

How do I seek consent for marketing under GDPR?

People have been thriving in an Uncontrolled Wild West of not getting proper consent for marketing purposes, and GDPR is changing this. Gone are the times of stealthy pre-ticked opt-in boxes or confusingly phrased opt-in statements. People can also forget about adding each and every single event registrant and attendee marketing lists.

Here and now, consent has to be a ‘freely given, specific, unambiguous and informed indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data pertaining to him or her.

When it comes to implementation it’s not really quite as distressing as it seems. The ICO have summarized consent as ‘putting individuals in charge.’ An un-ticked opt-in box during your online entry that clearly states what an entrant is opting in to with a link to your privacy policy should do the job.

Remember, seeking clear and freely given consent is a really good thing. While your marketing lists may decrease in overall size, they will likewise significantly increase in quality. Marketing to one qualified prospect is significantly more effective than marketing to 100 individuals that couldn’t care less.

How will GDPR affect my existing marketing data?

One of the most substantial implications of GDPR is that it is retroactive. As of May 25th, 2018, all data you store and process for your event will need to comply with the regulations set out by GDPR.

This means you’ll need to perform a full audit on the data you currently store to check that it will be compliant in advance of GDPR. Any data that doesn’t meet the guidelines by May 25th, 2018 will need to be deleted.

Whilst many organizations and marketers are panicking about this mass loss of data, you should actually see this as a good opportunity for some digital housekeeping. It’s likely that this data is no longer of any use to you, and it will no doubt be costing you money to carry on processing it.

Can I share data with my event sponsors?

Until you have clear, freely-given consent from an individual to do so, you can’t share their information with third parties. You should be checking any sponsor agreements now to ensure you’re not promising the supply of information in which you can’t lawfully provide.

If you have previously shared event data with sponsors that will not meet the consent requirements of GDPR, then you will need to inform those sponsors and request that they cease processing that data.

My organization is in the UK – will the UK be excluded from GDPR after Brexit?

There were rumors circulating that Brexit would be a get-out-of-jail-free card for businesses in the UK when GDPR was first announced. Surely if the UK was no longer part of the EU, after that an EU-led legislation like GDPR wouldn’t apply to UK companies?

The ICO quickly stated this wouldn’t be the case, and the UK Government confirmed their stance in August 2017 with the announcement of the updated Data Protection Bill. One of the main aims of this Bill was to ‘bring the European Union’s General Data Protection Regulation into UK law.’ That means even post-Brexit, GDPR will still apply to UK-based events.

Impact for American businesses

Research not long ago performed by Censuswide has revealed 35% of American business organizations are not ready to satisfy the GDPR requirements in time for the due date. Regardless of how American companies may believe about GDPR, if they want to operate in Europe or attain contacts from EU citizens they have no choice but to become compliant. Organizations that neglect to do so run the danger of steep financial penalties that can reach 20 million EURO or 4% of global annual revenue.

GDPR versus CAN-SPAM

Because the principles that undergird them are very different, the U.S. and EU rules on privacy protection diverge strongly. The protection of personal data is considered an important basic right in Europe while First Amendments rights of businesses are sacrosanct in the United States. This means that the GDPR is opt-in legislation (citizens need to explicitly give consent) while CAN-SPAM legislation is opt-out legislation (commercial mailings are allowed till the recipient says he or she no longer wants them).

So the bottom line here is that CAN-SPAM laws still apply as long as your list does not include EU citizens in your mailing lists. Good luck figuring that one out.

Will I need to make changes to my Privacy Policy in time for GDPR?

Yes, you’ll most likely need to change or add information in your existing Privacy Policy. Thankfully, the ICO has provided a comprehensive guide to producing a GDPR compliant Privacy Policy.

This will walk you through what your Privacy Policy should include, where and when to display it, and how it should be written. As long as you follow all of the points they outline and use clear, straightforward language, you won’t have any problems.

A nice site to review for generating a GDPR compliant privacy policy is here:
https://dsgvo-muster-datenschutzerklaerung.dg-datenschutz.de/?lang=en

Conclusion

As pointed out previously, GDPR is retroactive. Getting the following things updated will keep you GDPR compliant for marketing to past, present, and future customers.

  • Email Marketing Lists: If you have an email marketing list and it does not comply with any of the legal premises for handling mentioned above, sending emails to that list will be in breach of GDPR as of May 25th, 2018. You may want to seek updated consent from data subjects ahead of the deadline if this is the case.
  • Privacy policy updates: Make sure your privacy policy is up to date and includes all the listed items mentioned above in a very clear, open, and concise verbiage that is easy to understand.

Following these simple steps will greatly increase your GDPR compliance with regards to your efforts.