Discussing data protection is a good cure for insomnia, but event planners will need to keep their eyes open when the General Data Protection Regulation (GDPR) comes into force this month. Anyone found violating the regulation could face severe fines. But don’t worry, we’ve sifted through the detail to identify the pertinent points.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new piece of legislation that governs how organisations use the personal data of EU citizens. It takes effect on 25 May. It applies to any company that holds data on EU citizens, even if that company is not based in the EU.
Does it apply to my business?
If your business collects personal data – we’re talking names, addresses, phone numbers; anything that identifies living individuals in the EU – you’ll be deemed a controller of personal data and must abide by GDPR.
What about the Data Protection Act?
It’s defunct. GDPR will replace the UK’s Data Protection Act, which was passed in 1998 and, frankly, isn’t fit for the digital age.
What constitutes a breach of GDPR?
Hoarding personal data without reason, passing it on to third parties or allowing it to fall into the hands of others through negligence (such as failing to update anti-malware software or leaving a USB stick on the train) could all be considered a breach of GDPR. Fines would almost certainly follow.
Are the fines steep?
In the event of a data breach, the Information Commissioner’s Office (ICO), which will oversee the legislation in the UK, has the power to issue fines of up to €20 million (£17.6m), or four per cent of a company’s global annual turnover, whichever is greater. Ouch. However, the legislation stipulates that fines must be ‘proportionate’ to the data breach, and it is important to note that these figures are a maximum. The ICO also has scope to issue warnings where it deems fit.
Is the ICO mean?
It gets a bad press, but the figures speak for themselves: ‘In 2016/17, the ICO investigated 17,300 cases and issued just 16 fines,’ explains Simon Clayton, chief ideas officer at event registration company RefTech, who gives lectures on GDPR. ‘The ICO is a fair and balanced organisation. They’re good guys who want to encourage responsible stewardship of data.’
What should I do in the event of a breach?
Contact those affected and inform the ICO within 72 hours of discovering the breach. That deadline is important: those who don’t meet it could face a penalty of up to two per cent of their annual global revenue or €10 million (£8.8m), whichever is higher.
How should I prepare for GDPR?
‘You’ve got to look at what data you are collecting and what your justification is for keeping it – that’s the starting point,’ says Clayton. ‘Under GDPR, companies are encouraged not to think of people’s data as theirs: you are borrowing it from your subjects.’
How might GDPR change the events industry?
‘It should make organisers better at protecting the data they’ve got and it should make them think more carefully about how long they are keeping data for,’ says Clayton. ‘That’s one of the biggest problems in our industry: organisers will keep data for 100 years just because they can. GDPR doesn’t want you to do that. It wants you to have valid reasons for keeping that data and to explain that to those whose data it is.’
Do I need consent to keep holding personal data?
In order to justify keeping people’s personal data, planners must be able to satisfy one of six criteria. ‘Don’t believe anyone who tells you that you must have consent to store personal data,’ says Clayton. ‘That’s a big misconception – there are other justifications for processing personal data.’
Six justifications for keeping delegates’ personal data
1. Consent
Under GDPR, consent to process personal data means having a positive opt-in from individuals, such as a statement of consent. Pre-ticked boxes will no longer cut it. It also has to be easy for people to withdraw consent.
2. Legitimate interests
‘Legitimate interest’ is a somewhat vague term, but essentially it means that the processing of personal data should be in the legitimate interests of a planner – in other words, necessary to execute an event.
3. Legal obligation
Storing personal data is fine if you have a legal or statutory obligation to do so. ‘For example, if you’ve bought a ticket to my event, I have to keep your details on record because HMRC wants me to prove who gave me the money,’ says Clayton. ‘That’s a legal obligation.’
4. Performance of contract
You can rely on this justification if you need to process someone’s personal data to fulfil your contractual obligations to them – or because they’ve asked you to do something before entering into a contract (e.g. provide a quote).
5. Public task
This permits the processing of personal data ‘in the exercise of official authority’. This is only likely to apply to planners who organise public functions.
6. Vital interests
If you need to process someone’s personal data in order to save their life then that’s a vital interest. Not likely to apply to anyone in events.