The European General Data Protection Regulation (GDPR) is designed to harmonize all existing regulations to provide a higher level of security for citizens of the European Union (EU). Slated to take effect on May 25, the GDPR will apply to any organization that does business with citizens of the EU, regardless of that organization’s location.

The GDPR includes regulations on the collection, use, transfer, monitoring, tracking and even viewing of personal data.

The “personal data” bucket is a big one and includes information you might not have taken into consideration. In addition to data points such as name, email, ID #, photo, location data and online ID (IP address, social media), it also includes any factors specific to physical, social and economic factors – in short, anything that possibly could be used to identify someone.

How does this impact the meetings and events industry? If you are an event organizer, chances are you may have at least one attendee who resides in the EU, even if your event is held in the U.S. or another non-European location. The GDPR will apply to collecting or sharing any personal data from EU-based attendees and sponsors.

Why should you be concerned? It’s not just about security breaches. If you are audited and fail to meet the criteria for compliance, you risk more than just losing business and goodwill. For non-compliance with administrative, processing or collection obligations, the penalty is either €20 million or a 4 percent fine on your annual global revenue – whichever is higher. 

Some key points to take into consideration:

• When structuring your event communications, including your website and registration, it’s important to be aware that you can no longer rely on implied consent. A general opt-in communications check box is no longer enough.
• Consent must be freely given, specific, informed and unambiguous. This will require you to make a statement up-front (prior to the collection of any data) specifying exactly how and why the data will be used, what the terms of use are, give EU residents the ability to withdraw their permission and have their data erased at any time. People must then be given the choice to opt-in or to decline.  
• The GDPR applies retroactively to any existing data you may have on EU residents. You’ll need to classify, label and destroy old data – or proactively gain informed consent from each person for the specific uses you may have for that information.
• It’s recommended that you check with any third-party suppliers you may be working with to learn their compliance plans. Work together with them on due diligence, investigate indemnification clauses with your legal team, and be aware that the level of data security will need to be increased across the organization and your events.

Chances are, compliance will be driven from a legal or security team within your organization. Most organizations will (or should) have a compliance director who is the main point of contact for disseminating relevant information and policy changes and ensuring GDPR compliance. However, anyone in a marketing function, including event managers, should familiarize themselves with requirements and best practices to avoid potentially costly mistakes.

The International Association of Exhibitions and Events (IAEE) will soon be releasing a whitepaper on the topic as part of its mission to inform members of changes in policy and law that may affect them.