We’re less than two months away from the compliance deadline for the European General Data Protection Regulation, known as GDPR, which takes effect on May 25, 2018. If you haven’t yet heard about – or taken action to get in compliance with – this wide-reaching legislation, now is the time. (For a bit of backstory on GDPR, check out this previous post.)
It’s amazing how many major companies are still taking the “ostrich” approach (one study shows less than 10 percent are fully prepared), perhaps thinking it doesn’t apply to them since they’re not based in Europe. But all indicators show that the EU will take action on any company, anywhere, that collects or stores any kind of personal data on EU citizens, no matter where they are in the world. This obviously includes many trade shows and conferences held within U.S. borders that attract visitors from EU countries (here’s a list of those, in case you’re not sure).
What counts as ‘personal data’? Things like name, address, phone, e-mail, IP address, website ‘cookies’ and more. (All the things you’re collecting from your attendees.) Even things like dietary restrictions and photographs are included.
Then there’s also the aspect of consent and the “right to be forgotten.” What this means is that EU citizens must be informed in very clear, specific, user-friendly language how their personal data will be collected and used, so that they can freely agree to allow it. Should they decide to withdraw consent, they have the right to request all their data be erased and no longer processed (by you or any third-party data collectors you work with). One survey of EU citizens indicates that about a third of them plan to exercise their right to be forgotten once GDPR becomes effective.
Essentially, you need to be transparent about how any data collected will be used and be accountable for the protection of that data. While I won’t attempt to cover all the aspects of this 200-plus-page legislation (after all, I’m not an attorney and have no intention to provide legal advice), here’s a quick list of things you can do to learn more and get prepared.
- Conduct a data audit to see what information you’re currently storing on EU citizens
- Ensure all third-party vendors are GDPR-compliant
- Revise data collection policies, as well as update privacy policy on company website
- Ensure you are obtaining consent (and storing evidence of that consent) before anyone shares their personal data with you
- Add a website notice alerting all visitors to the fact that ‘cookies’ may be collected (if you use WordPress, here’s a list of free cookie notice plugins you can use)
- Have a data protection plan in place, as well as a notification system in case any data breach happens
If you’re looking for an all-in-one reference for more information, Cvent has created a handy infographic. Meetings Today also recently held a webinar, “Beyond the Fear: Embracing Simplicity with the GDPR,” and you can access that replay (along with additional resources) here.