On 3rd July 2017 I co-hosted the #EventPlannersTalk Twitter chat with Johnny Martinez, Head of Marketing & Business Development at Shocklogic, about the forthcoming General Data Protection Regulation (GDPR). This regulation concerns the data protection of individuals within the EU and the export of their data outside the EU, and it will apply to all industries. Like many industries, the events sector relies heavily on data: collecting it, processing it and sharing it with various stakeholders. By the time this regulation comes into force on 25 May 2018, event businesses should be ready to implement any necessary changes to their data handling. Unfortunately, there is still very little information and training available in our industry, so the aim of the chat was to find out what implications it will have on our business.
Shocklogic provides online event management technology solutions and services to companies across different industries, supporting organisers who manage events of 50 – 50,000 participants. Their range of products, including registration, programme and membership management, mobile apps, online accommodation management, online registration, polling and others, requires them to stay on top of all the latest regulations, both to implement them in their day-to-day business and to educate their clients.
Here is what we discussed with @johnDmartinez, @AssnExecs, @SandeepMendi, @ML_Riley, @weareintheevent, @RebeccaDavisEM, @planetplanitbiz, @mikemcsharry, @GroupDynamics and myself, @themiceblog.
How much of an impact will GDPR have on you?
The GDPR will impact all businesses, including start-ups, small and large businesses. The impact will be significant as GDPR is a regulation and not a directive. GDPR will change the way we collect and store data and how we communicate with our audience. Furthermore, it will change how companies work with 3rd parties, for example, events registration and cloud application hosting companies.
The regulation will be welcomed by many as they see it as an opportunity to eradicate email spam and achieve more transparent marketing objectives. At the same time, event professionals will have to become very careful about how they send communications, as individuals’ rights will prevail. On the positive side, this has the potential to push digital marketing from quantity to quality and shift data strategies from lazy to smart. For the events industry this is an opportunity to develop creative solutions to better reach the audience.
How is your organisation currently preparing for the changes coming via GDPR?
It’s a data revolution for companies and Shocklogic has extensive IT audits in place to guide the users in data collection strategies. Additionally, they’ve assigned a data protection officer and a GDPR implementation team.
What are the consequences of GDPR non-compliance and where can you find help?
The consequences and penalties will be huge, including 2 – 4% of global revenues or up to €20 million! To avoid such penalties, companies should get familiar with the Information Commissioner’s Office (ICO) code of practice on Privacy Impact Assessment and the latest from the Article 29 Working Party.
How are you using technology to adapt your digital strategy around the changes coming from GDPR?
Event companies can run automated vulnerability scans in their IT network regularly, provide risk scores and assign dedicated administrators. The GDPR will bring in a lot of sanity and ethical ways of treating customer data and in turn win their trust. It’s time to start treating the people in the database like real people.
An example of a company that took drastic action is JD Wetherspoon, which deleted its entire existing email database. As stated in this article “On a risk basis, it’s just not worth holding large amounts of customer data which is bringing insufficient value, says Jon Baines, chair of The National Association of Data Protection and Freedom of Information Officers. This could be the case even where the organisation is clear on which customers have given consent to marketing and which haven’t.”
Instead of sending monthly newsletters, J.D. Wetherspoon said that they will shift their marketing efforts to social media, specifically Twitter and Facebook.
How will this affect your relationship with clients and third parties?
If companies make privacy the foundation of their relationship with clients, they will win their trust and loyalty. Furthermore, companies must be able to assure clients that they are compliant and diligent, and 3rd parties will be jointly responsible for any data breach of GDPR. Companies shouldn’t collect unnecessary data and should use only trusted technology partners.
When looking for an event tech provider, ensure that they provide you with a GDPR implementation strategy, because a well-implemented GDPR strategy will put you in a confident position.
Database-selling will be an activity of the past because the key is how to protect data and not how to distribute it. Ensuring privacy is a great way to guarantee a solid relationship with clients! The same goes for social media: if you capture client data through social media you will have to prove contact authorisation.
What do you think is the biggest impact the new regulations will have in the events industry as a whole?
It will stop some organisations claiming big numbers on circulation lists, and the events industry will have to become data and relationship driven. Currently, the bigger companies should be most concerned as they have been collecting more data for a longer time.
Now is the time for all event professionals to revamp their data management systems and start maintaining impeccable data hygiene.
GDPR discussion at Event Huddle
There are still many question marks with regard to this topic, so to gain further insights I watched a recent Event Huddle episode about GDPR. The session was chaired by Kevin Jackson from The Experience Is The Marketing and the panellists were Hellen Beveridge from Circdata, Christina Zammit from BreachAware and Sandeep Mendiratta from Acrotrend.
The speakers said that with the GDPR, the responsibility for data goes along the entire “food chain”, from those who own the data to the suppliers they use. Therefore, data must be shared in a secured manner at all times (for example, sending unsecured spreadsheets via email is considered a data breach).
When the new regulation takes effect, organisations should be able to respond quickly to consumers who want to be forgotten, and should know all the interactions at each moment.
Companies will have to achieve full compliance. This means getting a data audit, getting a risk assessment and having evidence of why they hold the data. Companies will have to be robust, auditable and agile (if there is a breach, for example, they must be able to respond within 72 hours).
This regulation is a major change for event marketers. Going forward, for any data collection they will be obliged to say what they use the data for and why they collect it. Most importantly, they shouldn’t collect data they might not use, such as demographic questions. Just as importantly, the permission should be put up front. If companies want to share delegate lists they must have consent from attendees, and make it clear to them in simple language.
The new regulations will put some companies out of business, either because they can’t sell their data anymore or because of big fines, but on the other hand it’s also an opportunity to do things differently. Kevin Jackson concluded this session by saying “We all want to be treated as individuals. It’s about protecting people’s privacy, protecting people’s data and treating people as you want to be treated yourself”.
Completely agreed. In the end it is all about an individual’s right to privacy. There are going to be major operational changes in terms of data storage and utilization. Great talk!