DISCLAIMER: this article is meant to be a guide to help you understand the implications of GDPR on your business as an event marketer. We are not lawyers. This is informational only and not legal advice. We recommend you contact your legal representative before taking any action to ensure GDPR compliance.
On May 25th, 2018, the European Union enacted the General Data Protection Regulation, better known as GDPR. While these new regulations were written specifically for countries in the European Union (EU) and European Economic Area (EEA), they have serious implications for American event marketers who do any sort of business with people in Europe. The most essential elements of event marketing such as lead capture, email marketing, and any other type of promotion involving personal data are required to be in compliance with GDPR.
Event Marketing and GDPR Checklist
View the infographic for a quick overview on what GDPR is, how it impacts event marketers, and what steps are required for compliance. And if you like what you see, please don't forget to share.
What exactly is GDPR?
GDPR has a direct affect on American event marketers because it means that the use of any EU citizen’s personal data by anyone in and outside of the EU and EEA is now strictly regulated. Which also means that every EU citizen you’ve ever acquired as a lead or contact is now subject to regulation. Be mindful that the law doesn’t just apply to data you’re capturing at future events, it also applies to any data you captured at any event, ever. So while you have to consider the new regulations for all of your events going forward, it’s equally important to get all of your data on European citizens in compliance with GDPR as soon as possible.
How does GDPR impact event marketing?
When considering the practical impact all of this will have on your event marketing business, think of GDPR as having three pillars: consent, centralized data management, and oversight.
You are now required to obtain proactive consent from every EU citizen you wish to conduct any ongoing communication with. This means you’ll need to get their permission to send them any promotional materials before, during, or after your event. It’s important to remember this doesn’t just apply to emails, but to all forms of communication (including direct mail).
Make sure you’re also obtaining clear consent on any written forms, or when using any apps that capture data (such as badge scanners). If the app itself doesn’t ask for consent, have your staff ask for it verbally before scanning any information. Use signage next to fishbowls collecting business cards. Clearly indicate that by giving their business card they are also giving consent to future communications.
Be cautious when using shared or 3rd party lists. Remember, you must have a record of explicit consent from the contact in order for your company to communicate directly with them. Consent applies whether you purchased the list, got it for free, or received it as part of a sponsorship package — always get an opt-in.
2. Centralized data management
This refers to three fundamental elements of how you maintain your data: privacy, security, and access.
When referring to privacy, this point has often been called “the right to be forgotten.” Simply put, it means consumers can insist you delete their data, or not share it with any third parties. Regulations require strict records be kept of these requests (and your compliance with them), so be diligent.
Data security issues are also strictly regulated. Your IT department will need to be able to demonstrate compliance if audited by the authorities. If there is a breach in your security, you’re now required to quickly notify all of the people who have been potentially exposed to any kind of risk.
Finally, an individual’s access to their own data is now required. This has several major implications. First, it means you’ll need to be proactive in giving EU residents an easy way to opt-out of your lists. You’ll also be required to give them complete access to the data you have on them, how you’re currently using it, and how you plan on using it in the future.
3. OversightThe new regulation requires that someone in your organization be appointed the Data Protection Officer, or “DPO”. This person has very specific duties under the law, and is required to have an expert-level knowledge of GDPR.
The DPO is responsible for monitoring compliance with the regulation for every single part of your business. They’ll also be required to report to the highest levels of your organization and are the designated point of contact when dealing with the authorities. If you have any questions about your event marketing activities being in compliance with GDPR, your DPO should be your main point of contact for resolving these issues.
An event marketers checklist for GDPR compliance
Now that you understand the spirit of the regulations, it’s time to take action. Even though the May 25th, 2018 deadline has passed, that doesn’t mean it’s time to take your foot off the gas. You may be currently in compliance, but staying on the right side of the law will require continued diligence. Review the five items below and make sure you’re doing everything you need to protect your organization.
1. Conduct a data audit
You need to know exactly what data you have on EU citizens. A rigorous data audit should be done in cooperation with your IT department, and they will require as much information as possible from the events marketing team. They’ll need the contact information you have on every single EU citizen from any of your lists (including attendees, guest speakers, sponsors, vendors, and partners). You’ll also need to identify how you captured their information, how it’s being stored, and how you’ve used it in every single instance. If you’ve shared any of this data with a third party (such as an event sponsor), you’ll not only need to disclose that information, you’ll also need to contact that party and find out how they’ve used it.
It does not matter when you obtained the contact’s information. GDPR is applicable to all contacts in your database. If you don’t have documented consent now (regardless of when you obtained their data), you will need to get them to opt-in in order to continue communicating with them.
2. Update your privacy policies and notices
Review how you’re currently communicating your policies on all of your marketing materials. This includes any sort of registration emails, apps or your website. In order to comply with GDPR, you need to inform people how you’re planning on using their information, who you specifically plan to share it with, and how long you plan on keeping it for. And no hiding it in the small print, either. The regulations stipulate that the language you use must be clear and easy for anyone to understand.
3. Obtain consent from customers
The key phrase to remember when dealing with GDPR issues is “proactive consent.” You must obtain proactive consent to collect or use their data in any way, shape or form. As for any EU contacts in your database that have not provided their explicit consent, you will need to delete that information (keeping a record that proves you did) or get them to provide their consent ASAP. Always check with your own legal counsel to determine which course of action your company feels is the safest way to proceed.
4. Educate your team on new policies
Getting and staying compliant with the GDPR is going to take a coordinated effort from people representing many different parts of your organization. As an event marketer, you may need to work more closely with your IT and legal teams than you’ve ever worked with them on any project in the past. As you go through the process, keep a written record of your best practices and communicate what you’ve learned with everyone on your team.
5. Maintain and document best practices for compliance
Now that you’re all squared away and in compliance, you need to make sure it stays that way. Much of this work should be done by your IT department (such as maintaining a minimum standard of security on your own servers). But event marketers have a role to play here, too. It’s important that you continue to obtain proactive consent in all of your future marketing efforts. No exceptions — even when you’re producing a small or “causal” event. You’ll also need to be aware of who you’re sharing data with and how they’re using it. If you’ve shared personal data with a partner or vendor and they use it (without consent) in violation of the rules, you could be held equally accountable. So make sure you’re aware of their privacy and security policies before sharing personal data with them.Finally, make sure to communicate the importance of continued compliance to everyone on your team who might touch personal data. It’s going to take a lot of diligence and hard work to stay compliant. But over time, you’ll just see it as another natural part of doing business.
The cost of non-compliance
The consequences for not being in compliance for GDPR vary from mild to grave, including potentially massive financial penalties. The European authorities review potential violations of GDPR based on 10 different criteria. These are designed to determine whether a business has willfully defied the regulation, or has just made a mistake either by accident or over site. They’re also designed to measure how heavy a penalty to place on your business.
Simply put, if you’re not serious about following the rules laid out in GDPR, you can be assured that the European authority definitely is. Unless you feel comfortable suspending all of your business in Europe or paying out €20 million, you need to get serious about compliance.
GDPR and the future of event marketing
For event marketers, GDPR means new procedures must be put in place in order to do business in Europe. While this presents challenges, ultimately it can actually improve how you promote events and communicate with prospects and customers. On the downside, requiring more proactive consent to market to individuals means you’re certain to see a decrease in the number of people you’re allowed to contact. On the upside, the people who give you their active consent are going to be much more qualified leads. Ultimately, the goal of GDPR is to protect the rights of individuals. By respecting these rights, your organization has an opportunity to create more meaningful and trusting relationships with your audience in the future.
Additional GDPR Resources:
Official EU overview on GDPR
Official EU advice for small businesses
Complete text of GDPR
GDPR information portal
GDPR Web learning resource
Information on Data Protection Officers (DPO)
Information on collecting consent through email marketing
Information on fines and penalties
Information on conducting a data audit
The General Data Protection Regulation: GDPR – A Guide for Marketers
The Uncomplicated Guide to GDPR and Event Marketing
Register for on-demand webinar
Learn more about, "What Marketers Need To Know About GDPR," with our on-line training series.
Need help with your event marketing efforts?
Fortunately, you don’t have to go it alone. You have several options.
Whether you need a single event marketing consultant, a fully managed outsourced team of event marketers, or recruitment services to hire marketers directly, Crawford Group can help. We offer a full range of event marketing services designed to help marketers just like you.