Regulations Follow Widespread Breaches of Data Privacy
Billed for the better part of a year as an impending calamity for every business with a customer database or even a drawer full of business cards, the official implementation of the General Data Protection Regulation (GDPR) on May 25 was met more with head-scratching than anything else—particularly for businesses outside of the European Union that were trying to decipher whether they needed to care about GDPR or not. After all, the new rules for handling personal data were not exactly a short read at 261 pages, 11 chapters and 99 Articles, and while virtually everyone in the free world had heard the GDPR acronym by the time it was enacted, comparatively few knew exactly what the new regulations meant.
The short answer is that if a company does no business with anyone residing in the EU, then it is not affected by GDPR, which is entirely constructed to protect the private information of EU citizens. However, if even one person on a company’s mailing list is an EU citizen, then the regulations are technically supposed to be followed. For exhibitors collecting attendee information on the show floor, the rules are almost certainly in effect due to the likelihood that residents of the EU will attend a show. And for companies from the United States who want to exhibit it overseas, adherence to the new policies is crucial. But what exactly are those regulations? For those still wondering, a handful of experts have broken it down into bite-sized bits.
According to Peter Gillett, CEO of Mobile Lead Capture app creator Zuant, the concepts of GDPR are simpler than the 261 pages would imply. “The whole idea behind GDPR is to ensure that contact data is retained and used in the way that individuals require, and also to make sure that their privacy in maintained and that information is not used by other third-party organisations for any purpose,” Gillett says.
In practical application, GDPR regulations are multi-pronged, explains Rob Brazier in his blog for London-based event contractor Rapiergroup. “GDPR compliance is basically a three-stage process,” he says. “First, there’s data hygiene—checking to see what you’re holding, how you got it and how you’re storing it.” Once that assessment is complete, a company must evaluate and justify what data it is collecting from individuals and it must create a storage architecture that keeps the information secure but easily accessible for those who request it be removed.
“The way we collect data at events needs to become more secure—think less ‘let me take your card’ and more ‘let me put this on a tablet and screen-lock it.’ It’s going to be a little more cumbersome, but the point of GDPR is to make data handling a priority for businesses and ensure that we treat our contacts’ data with the same care we’d demand for our own,” Brazier writes.
These regulations were adopted after widespread data breaches within large corporations put the personal information of millions at risk, and experts say they expect similar regulations to be adopted elsewhere around the globe to force better data security. “Really, it’s not the small-to medium-sized companies that have been using data incorrectly,” Gillett says. “It is the large corporations who have not been managing their data correctly and allowing it to fall into third-party hands. There are endless cases such as Facebook, Uber and UnderArmour, just to name a few. As a result, it is to be expected that there will be some significant, large fines issued when any of these big breaches happen again as a way of showing that the new laws have teeth.”
Those fines can go as high as $23 million or four percent of a company’s turnover—whichever is greater. As a result, the Events Industry Council reports that 77 percent of U.S companies surveyed that have more than 500 people are planning to spend in excess of a million dollars implementing new systems to assure compliance with GDPR. But for smaller companies, following the law should be significantly less onerous. “There is certainly no need to purge records from your systems,” Gillett says of companies that have collected attendee data in the past. “But simply have in place a regular series of opportunities to re-engage and confirm not only that they want to receive information, but also the type of information, channel and frequency is advisable.”
Going forward, exhibitors will need to clearly communicate to attendees what information they want to collect and what they are going to do with it. Barcode scanners will likely go the way of the dinosaur, Gillett says, as each individual must give express, documented permission for their personal information to be collected and used for any purpose at all, including email communications and research.
And what constitutes personal information? Basically everything, the Events Industry Council says, from IP addresses to food preferences and all data point in between. For many companies, however, staying on the good side of the GDPR laws will simply require some thoughtfulness about how data is collected, stored and used. The Events Industry Council and the International Association of Exhibitions and Events have both created clearinghouses of information for people still unsure of their status with GDPR compliance. But for most, Gillett adds, compliance—i.e., communicating openly with attendees about their personal information, protecting it, and only using it as originally promised—can usually be achieved with a change in mindset about data and a dose of common sense.