The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are no joke.
Let’s understand what they are, what they mean for you, and how you can avoid serious penalties.
GDPR for Events
- GDPR affects Event Managers
- What Data Should I Be Worried About?
- To Wrap
- Need help with Event Software?
GDPR affects Event Managers
As event privacy laws get stricter every year for the sake of consumer protection, it is important that event planners and managers become cognizant of what is at stake, because they hold attendee PII and PHI (Personally Identifiable Information and Personal Health Information).
If you do not, you place a huge risk on your company.
For example, for a severe GDPR penalty, the fine is 20 million Euros or 4% of total revenue, whichever is higher.
Now, does that have your attention? Let’s look at how the new privacy laws affect our events.
Privacy Laws continue to get stricter
Here is a quick background on why laws like GDPR are being passed, and on why your title of event manager now also includes data custodian.
And yes, as someone who collects PII and PHI from your attendees, you are now a data custodian.
In 2013, news of massive data breaches started surfacing everywhere.
Chances are many of the places you shop lost your information to hackers: your name, credit card number, and maybe even your SSN, DOB, and medical information.
Target, Home Depot, Neiman Marcus, and many, many, MANY others hit the news, and continue to do so.
Remember a few years back when you would get a new Debit Card or Credit card in the mail every few months until finally, the new Chip-based cards came out that we all use today?
This was in direct response to those breaches.
The U.S. has typically had a reactive approach to protecting our personal information.
Well, more recently, large health care providers and credit bureaus like Anthem, Experian and Equifax were hacked.
This means that as an American, odds are your SSN, DOB, and maybe medical history are floating around with malicious hackers.
The penalties for losing data are enormous
The crappy part about all of this?
Well, aside from having all of your information and potentially your identity stolen, it is that the laws in place to protect that information were outdated, and gave companies little more than a slap on the wrist for losing YOUR information.
So now, finally, other countries are leading the way for a new era of data and consumer protection.
The first big step is called GDPR (followed by CCPA for California residents), and it affects ANY business that acquires PII or PHI on an EU citizen.
And the penalty for even a small company is likely to be millions. For a mid or large size company losing their attendee’s data?
Many, many millions…
Again, going back to the potential fines and penalties, this is not a joke.
If you think there’s no way a small organization could be fined for losing someone’s personal information, think again. Actually, just Google "GDPR fines".
Now you can see the importance of GDPR for events.
Hopefully this has created a necessary fear in you, but before I jump into how to protect your attendees’ information, and your business’ reputation and financial bottom line, you should know that governments everywhere are following the EU’s path.
The stakes are continuing to be raised
States like California and many others are now implementing their own laws that are essentially similar to GDPR for events, as nothing has been done at the US federal level yet.
What this means is that even if you do not have European citizen attendees, chances are you could still be affected; if not this year, then most certainly in 2020 or 2021.
The point is, it is mission-critical that you begin implementing protocols to protect the information you hold.
What Data Should I Be Worried About?
According to GDPR, and the other privacy laws following suit, personal data includes: a name, a photo, an email address, SSN, passport numbers, insurance numbers, bank details, updates on social networking websites, location details, medical information, or a computer IP address.
As an event manager, you should assume that any details you collect on an attendee that can in any way identify that human being need to be protected.
For some events it may only be a name, but for others, such as an incentive trip, you’ll be collecting a lot more: booking flights, providing dining options (food allergies), medications, names, birthdays, and so much more.
Here are some of the basic rights, and realize that not all are completely relevant to your role as an Event Coordinator, Manager or Planner. Below that, I wrap up how you can protect yourself, your Business, and of course your Attendees.
The 8 basic rights of GDPR for Events:
1) The right to access – this means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered.
The company must provide a copy of the personal data, free of charge and in electronic format if requested.
2) The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
3) The right to data portability – Individuals have a right to transfer their data from one service provider to another.
And it must happen in a commonly used and machine-readable format.
4) The right to be informed – this covers any gathering of data by companies, and individuals must be informed before data is gathered.
Consumers have to opt-in for their data to be gathered, and consent must be freely given rather than implied.
5) The right to have the information corrected – This ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
6) The right to restrict processing – Individuals can request that their data is not used for processing.
Their record can remain in place, but not be used.
7) The right to object – this includes the right of individuals to stop the processing of their data for direct marketing.
There are no exemptions to this rule, and any processing must stop as soon as the request is received.
In addition, this right must be made clear to individuals at the very start of any communication.
8) The right to be notified – If there has been a data breach that compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
Where to Focus
Again, as you read through these, for some you can easily say, “ok, that directly applies to me”, or, “not a part of my role”.
Here’s the obvious one for you: #2, the right to be forgotten.
Whenever you are done with the attendee information (i.e. the event is over, or you have booked a particular service or services and no longer need the info), you must securely delete the attendee information.
If you put it away in Office 365, forget it’s there, and don’t realize it’s in a folder that’s open to everyone in the organization, I’d be willing to bet that in the next 5-10 years that information surfaces on the Dark Web.
In addition to #2, the biggest applicable part of GDPR for events is to store the information securely until you need to securely delete it.
Get Your IT Department Involved!
Not sure what this means or how to do it? Ask your IT department!
This is part of their job.
While you might be directly holding this information, part of GDPR says that each organization that is subject to GDPR (again, any that does business with Europe) must appoint a Data Privacy Officer.
Many times this person is in IT, or works directly with IT to ensure the organization is compliant.
Also, make sure they, and your IT security team, know that you are collecting and holding that information.
A big part of GDPR is having controls around the data to ensure only the right people have the right access to THAT data.
If your IT department knows you have that data, perhaps they have a secure location they want you to store it in, where only you have access to it.
If they try to shrug off this duty, and you know that you have attendees from Europe, California, or soon many other states and countries, let them know the risk involved.
GDPR and the new event privacy laws coming out are relatively new.
In fact, while GDPR has been planned since 2016, it only came into effect in May of 2018, and as someone who worked for a cybersecurity company trying to inform IT departments of the impending laws, I know that your IT department can be very lazy when it comes to adopting new processes (many, not all).
But I promise you, it is in your best interest to take this to heart to avoid a costly mistake.
Good luck out there, and if you have questions about how J.Shay Event Solutions handles GDPR for Events, please contact us here.
For even more information about the Privacy Laws, I recommend visiting their websites:
Need help with Event Software?
Registration, mobile, etc.