What is the GDPR?
The General Data Protection Regulation is an EU law that comes into force on May 25, 2018. It is designed to protect the privacy rights of individuals in the European Union and give them greater control over the use and storage of their personal information. As a result, a greater burden rests on data collectors to ensure that their collection, storage, and use of personal information is transparent and designed for privacy protection. Any organization that collects or uses the personal information of individuals located within the EU is subject to this law, regardless of where that organization is located in the world. While this article contains information about the GDPR and how it might affect your business, it is not intended as and should not be used in place of legal advice. Consult an attorney for guidance specific to your business.
What Does The General Data Protection Regulation Law Mean for the Marketing Industry?
The short answer is that it will force us to be better at protecting the personal information we collect. What the GDPR mandates is actually a set of best practices that it benefits marketers to follow. At a basic level, it requires that you:
- Collect, store, and use personal information only insofar as it is compatible with your purpose for collecting it
- Obtain active permission from recipients before you send marketing materials, and
- Disclose and/or delete an individual’s personal information at their request.
When you consider the best ways to connect with and engage your target audience, it becomes clear that these practices are not only ways to protect the people in your database; they are also important ways to enhance the effectiveness of your marketing efforts. However, marketers who have relied on tactics like buying or scraping email lists and sending out spam emails will need to make dramatic shifts in their practices. The fact that protecting privacy and being clear and transparent about how and why you use personal information is good business is one reason marketers should embrace the changes that the GDPR requires. The other reason is that failing to do so can result in heavy penalties. Depending on the violation, a company can be fined up to the greater of €20 million (approximately $24.5 million) or 4% of the preceding year’s worldwide revenue. So, if your company collects data on individuals located in the EU, adopting procedures to ensure GDPR compliance isn’t an option; it’s a necessity.
What Does the GDPR Mean for the Virtual Event Industry?
Due to the wide range of personal information that may be collected in relation to a virtual event, organizers must be especially mindful of GDPR requirements. Consider all of the information you might obtain from attendees, such as names, employers, locations, job titles, and even notes about accommodations for disabilities. Virtual event organizers must ensure that all of this information is collected, used, and stored in compliance with the GDPR. To do this, it’s necessary to ensure that the platform you use is designed to:
- Protect privacy
- Use personal information only as necessary for a specific purpose, and
- Require active consent before using personal information for the transmission of marketing materials (such as email marketing).
Because of the GDPR’s “Data protection by design and default” provision, it’s critical that any virtual event following the law’s effective date that involves the collection of data on persons located in the EU be hosted on a virtual event platform that has been built to comply with these requirements.
How Should I Prepare for GDPR?
Preparing to comply with the GDPR first requires a review of your current practices for collecting, storing, sharing, accessing, and deleting personal information. You will also need to create a detailed disclosure of the nature and purpose of your data collection practices and provide the opportunity for individuals to decline to have their information shared.4 Below are some of the specific steps you should take before you become subject to the new law.
Data Collection
You must be able to articulate a legitimate reason for each piece of personal data you collect. As a result, you should review your data collection practices to ensure you’re not collecting more information than you need for your explicit purposes. If you find that you’ve been collecting personal data that has no current purpose, then it should be deleted.
Email Opt-In
Under the GDPR, you must obtain affirmative permission before emailing marketing materials. That means that if you currently have a system that automatically subscribes users to email lists when they take certain actions (such as downloading an ebook) or if your system requires users to check a box in order to opt out of emails, this will need to be updated. If you’ve collected emails under old, non-GDPR-compliant systems, then you must obtain consent from everyone on your current list who is covered by the law before you send out future marketing emails. Likewise, in the event that someone withdraws consent to receive emails, you must ensure that no more emails will reach them (even if they were prepared and scheduled prior to the withdrawal of consent). If email subscriptions are linked to another activity, then rather than an opt-out box, you should require users to check an opt-in box to receive emails. If you obtain a lead’s email address through a referral, then you may send that lead a notification of the referral, but they must provide active consent before you send them marketing materials. Obtaining email contacts by purchasing or copying lists will be prohibited.
Data Retrieval and Deletion
The GDPR requires data collectors to provide information collected to the subject of that data6 and, in some circumstances, to delete it at their request (commonly referred to as the “right to be forgotten.”)7You must ensure that you are able to do this efficiently and effectively. The law also requires that data be deleted when it is no longer needed for its intended use. To do this, you will have to have a way of sorting personal information by purpose and deleting data for which you no longer have an explicit need.
Data Protection Officers
Organizations that process or store large amounts of personal data will be required to designate a data protection officer (DPO) to oversee data protection and ensure GDPR compliance. If your organization may fall into this category, speak with an attorney to determine whether you must hire a DPO.
Partner Compliance
If you work with one or more outside organizations to collect, store, or use the personal information of people within the EU, then make sure that each of those organizations is fully prepared for GDPR compliance. You don’t want to find out after the law goes into effect that a system that you’re working with makes it difficult or impossible to fully comply with aspects of the law.
