The General Data Protection Regulation is an EU law that comes into force on May 25, 2018. It is designed to protect the privacy rights of individuals in the European Union and give them greater control over the use and storage of their personal information. As a result, a greater burden rests on data collectors to ensure that their collection, storage, and use of personal information is transparent and designed for privacy protection. Any organization that collects or uses the personal information of individuals located within the EU is subject to this law, regardless of where that organization is located in the world. While this article contains information about the GDPR and how it might affect your business, it is not intended as and should not be used in place of legal advice. Consult an attorney for guidance specific to your business.
The short answer is that it will force us to be better at protecting the personal information we collect. What the GDPR mandates is actually a set of best practices that it benefits marketers to follow. At a basic level, it requires that you:
When you consider the best ways to connect with and engage your target audience, it becomes clear that these practices are not only ways to protect the people in your database; they are also important ways to enhance the effectiveness of your marketing efforts. However, marketers who have relied on tactics like buying or scraping email lists and sending out spam emails will need to make dramatic shifts in their practices. The fact that protecting privacy and being clear and transparent about how and why you use personal information is good business is one reason marketers should embrace the changes that the GDPR requires. The other reason is that failing to do so can result in heavy penalties. Depending on the violation, a company can be fined up to the greater of €20 million (approximately $24.5 million) or 4% of the preceding year’s worldwide revenue. So, if your company collects data on individuals located in the EU, adopting procedures to ensure GDPR compliance isn’t an option; it’s a necessity.
Due to the wide range of personal information that may be collected in relation to a virtual event, organizers must be especially mindful of GDPR requirements. Consider all of the information you might obtain from attendees, such as names, employers, locations, job titles, and even notes about accommodations for disabilities. Virtual event organizers must ensure that all of this information is collected, used, and stored in compliance with the GDPR. To do this, it’s necessary to ensure that the platform you use is designed to:
Because of the GDPR’s “Data protection by design and default” provision, it’s critical that any virtual event following the law’s effective date that involves the collection of data on persons located in the EU be hosted on a virtual event platform that has been built to comply with these requirements.
Preparing to comply with the GDPR first requires a review of your current practices for collecting, storing, sharing, accessing, and deleting personal information. You will also need to create a detailed disclosure of the nature and purpose of your data collection practices and provide the opportunity for individuals to decline to have their information shared.4 Below are some of the specific steps you should take before you become subject to the new law.
You must be able to articulate a legitimate reason for each piece of personal data you collect. As a result, you should review your data collection practices to ensure you’re not collecting more information than you need for your explicit purposes. If you find that you’ve been collecting personal data that has no current purpose, then it should be deleted.
Under the GDPR, you must obtain affirmative permission before emailing marketing materials. That means that if you currently have a system that automatically subscribes users to email lists when they take certain actions (such as downloading an ebook) or if your system requires users to check a box in order to opt out of emails, this will need to be updated. If you’ve collected emails under old, non-GDPR-compliant systems, then you must obtain consent from everyone on your current list who is covered by the law before you send out future marketing emails. Likewise, in the event that someone withdraws consent to receive emails, you must ensure that no more emails will reach them (even if they were prepared and scheduled prior to the withdrawal of consent). If email subscriptions are linked to another activity, then rather than an opt-out box, you should require users to check an opt-in box to receive emails. If you obtain a lead’s email address through a referral, then you may send that lead a notification of the referral, but they must provide active consent before you send them marketing materials. Obtaining email contacts by purchasing or copying lists will be prohibited.
The GDPR requires data collectors to provide information collected to the subject of that data6 and, in some circumstances, to delete it at their request (commonly referred to as the “right to be forgotten.”)7You must ensure that you are able to do this efficiently and effectively. The law also requires that data be deleted when it is no longer needed for its intended use. To do this, you will have to have a way of sorting personal information by purpose and deleting data for which you no longer have an explicit need.
Organizations that process or store large amounts of personal data will be required to designate a data protection officer (DPO) to oversee data protection and ensure GDPR compliance. If your organization may fall into this category, speak with an attorney to determine whether you must hire a DPO.
If you work with one or more outside organizations to collect, store, or use the personal information of people within the EU, then make sure that each of those organizations is fully prepared for GDPR compliance. You don’t want to find out after the law goes into effect that a system that you’re working with makes it difficult or impossible to fully comply with aspects of the law.