Simon Clayton explains its importance to event organisers
The EU’s new data protection regime - the General Data Protection Regulation (GDPR) - will come into force in May 2018, when it will make EU data protection rules a lot stricter.
While the future of data protection law after the UK fully leaves the EU is as yet unknown, the fact remains that the exit is still many years away. In the meantime, the UK’s Information Commissioner has confirmed that the UK will go ahead with implementing GDPR into our own national regulations regardless of the Brexit vote.
Any post-EU data protection regime the UK may come up with on its own, which again is many years in the future, would have to be fully adequate and equivalent to GDPR in order for the UK to continue trading with Europe. In other words, regardless of Brexit, GDPR is here to stay. GDPR is technically on the books now, but is not being enforced until the 25th of May 2018. This gives you plenty of time to bring your business processes into full compliance, so use this time wisely!
Good data protection practice in event organisation starts at the source: the event registration process. In our privacy-conscious times, conference delegates have changing expectations about the use of their registration information. Although delegates do, by and large, expect event organisers to resell their data for marketing purposes, they also expect that information to be shared safely, fairly and responsibly. Delegates also assume that information not required for marketing will be kept confidential and that sensitive personal information, such as support required for health issues, will remain safe.
Fortunately, good practice is easier than you might think. Approaching your events data from the perspective of responsible stewardship, rather than box-ticking, will save you from potentially embarrassing back-tracking later on. Part of responsible stewardship is staying abreast of your rapidly changing data protection obligations under evolving EU regulations.
Personal data in a changing landscape
Under current EU and UK data protection regulations, personal data is defined as data which identifies an individual. The use of that data by an organisation for business purposes is called ‘processing’. Event organisers must obviously process personal data to do their job - registering delegates, producing conference badges, accommodating dietary requests and so forth. This concept is known as ‘fair processing’. Part of fair processing, however, means being open, transparent and accurate about what you are doing with the data you handle. Many of the somewhat careless practices around openness, transparency and accuracy which may be allowed to slip through at the moment will no longer wash after May 2018. One of the core principles being addressed in GDPR goes beyond ‘privacy by design’ to require ‘privacy by default’. Anyone dealing with data, be it in a registration form, a software application, or an exhibition stand, will need to get into the habit of capturing the minimum amount of data possible, while also shifting control over the use and retention of that data from the organisation collecting it to the person the data is about.
Another GDPR principle you need to get into the habit of honouring is that you must supply a legal justification for any personal data you collect in the events registration process. ‘We need it because we need it’ is no longer sufficient. This justification must be explained to delegates and clarified at the time of registration. For example, an event insurer may require you to ensure that all attendees are over the age of 18 and you may have to collect attendees’ dates of birth to comply with this requirement. Be sure to explain this, with the legal justification, in your registration terms and conditions.
For events industry professionals, the watchwords for the new data protection regime are clarity and consent. You must ensure clarity in the information you collect, as well as the information you provide, and you must secure consent at all stages of your event. The new regime will require a change in mindset as well as everyday practices, but, in the long run, it will ensure a more responsible playing field for organisations and individuals.