Good gracious, GDPR is coming up quickly. We’ve even had to take a pause from creating RFID name badges to pay attention and get ourselves up to speed. The General Data Protection Regulation comes into force on May 25th 2018.
Why do we need GDPR?
GDPR builds on existing data regulations, known as the Data Protection Act (DPA). Currently, you can be fined up to £500,000 for incorrect or dangerous handling of someone’s personal data.
In the digital age, information (or data) is king. That’s why GDPR is coming into force. Its aim is to give you control over your own data in a world where everyone seems to want a piece of it. The new regulations are designed to protect people’s personal information, or data. This means it will become a lot harder for companies to store information about you (including your address, email or personal preferences) unless you give them direct permission.
GDPR gives you the right to be forgotten. If a company is holding personal data about you, you will be able to request that they remove it from their systems. To remain in a GDPR defensible position, they will need to do so within 72 hours of receiving your request. If they fail to do so, they could face fines of up to £17 million or 4% of global turnover, whichever is higher.
The new regulations must be upheld by any company who is gathering or storing ‘personal data’ about EU citizens (regardless of Brexit), so almost every company in the UK will be impacted, including #EventProfs. The regulations represent the biggest change to EU privacy law in more than 20 years.
In the past, concerns have been raised that many companies are not taking DPA regulations seriously and are not being responsible with the data they handle. In August 2013, Yahoo experienced a hack which led to the theft of thousands of people’s personal data. Instead of admitting to the hack and alerting those impacted, it took them 3 years to disclose it. GDPR should ensure that this type of breach is dealt with quickly and efficiently.
What are the new rules?
Some of the new regulations that companies will need to comply with include:
- Individuals are entitled to transparent information about what data is being stored about them and how it could be used
- Individuals can request a copy of the data that is being stored about them at any time
- Only data that is deemed to be ‘absolutely necessary for the completion of duties’ should be stored
- If there are any hacks or data breaches, the local data protection authority must be notified within 72 hours
- Companies that regularly monitor and process data will need to appoint a Data Protection Officer to ensure the company is following compliance regulations
- Simple, transparent language should be used when asking people for their consent to use their data
Why is data such a big issue?
Up until now, companies have gladly received and stored as much information about their consumers as they can. The new changes will ensure that companies can only gather and store your data with your express permission.
Ever heard the term ‘data currency’? It refers to the value of your data. Companies are so desperate to get information about you that they’re often willing to give you free stuff in return. The value of the data you supply is your ‘data currency’. It’s how companies like Facebook operate. You can use their service for free and in return they get loads of really useful information about you and how you behave online.
GDPR will allow people to have more control over their own data and information about them that is stored on company databases. It’s a great move for regulating the rapidly growing data-driven world we live in.
What counts as personal data?
There are three main categories of data: standard data (age, company, job title, etc.), personal data (name, email, date of birth, NI number, credit card number, etc.) and sensitive data (gender, religion, medical information, biometric data, etc.).
Under GDPR, ‘personal data’ includes any data that could be used to identify an individual. That could include data that is attached to a name, photograph or email address, or even data that could be used to work out who you are, such as your IP address. It also covers more detailed information such as medical conditions, dietary requirements or social media posts.
What do #EventProfs need to know about GDPR?
Do you store mailing lists or data about your guests, clients or delegates? If you do, you need to make sure it’s GDPR ready. Under the new regulations, almost all forms of stored data need to be encrypted. When in doubt, assume your data needs to be encrypted.
Data is a key component for most event businesses and is becoming increasingly sophisticated and important for #EventProfs. It’s not difficult to become GDPR ready, and given the value of great data collection, it’s a good idea to make sure you’re on the right side of the law.
If you are collecting data during the course of an event via an event tech provider, they should ensure that the data is collected in a fully GDPR defensible way. If you’re unsure, take a look at these 5 questions to ask your event tech supplier about GDPR. But don’t get too complacent. You must also remember that as soon as they send the data over to you, you will be responsible for ensuring that you store and process it in ways that continue to be GDPR defensible.
At Noodle Live, we’ve spent the last few months working on becoming GDPR ready ahead of the new regulations. Here are some of our top tips:
- Do a data audit to find out where data is stored and used in all departments of your business.
- Train your staff. Get training for employees at all levels to ensure everyone is aware of how serious these data regulations are.
- Storing data on Excel spreadsheets? If you email spreadsheets or keep them in the cloud, they could be vulnerable to a hack. In the future, you should think about encrypting all data before you send it or store it.
- Do a security review of all existing data storage systems to check if they are vulnerable to hacks.
- Rewrite all of the copy you use to ask people to sign up for mailing lists or to submit their personal data. Ensure you are completely transparent about the ways in which you might use their data.
- Consult an expert! Talk to your lawyers and consider hiring a consultant to help if your Data Protection Officer needs some advice. As well as consulting our CTO Glyn Roberts, we also talked to the guys over at Stephens Scown. They were super helpful and knew the regulations inside and out.
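As an added example (not part of the original post and not Noodle Live’s own tooling), here is a small Python script for the data audit step above: it scans a set of exported spreadsheets and flags columns that hold personal or sensitive data, using the categories the post gives under “What counts as personal data?”. The CSV contents are constructed sample files, and the header lists, value patterns and 80% match threshold are assumptions you would tune for your own data.

```python
"""Toy data-audit scanner: finds columns of personal or sensitive data in CSV exports."""
import csv
import io
import re

# Constructed sample exports standing in for spreadsheets found during an audit.
SAMPLE_FILES = {
    "delegates_2018.csv": (
        "name,contact,company,job_title,reference\n"
        "Ada Lovelace,ada@example.org,Analytical Ltd,Engineer,AB123456C\n"
        "Alan Turing,alan@example.org,Bletchley Co,Cryptanalyst,CE987654B\n"
    ),
    "catering.csv": (
        "badge_id,dietary_requirement\n"
        "1001,vegan\n"
        "1002,nut allergy\n"
    ),
    "venue_stats.csv": (
        "session,attendance\n"
        "Keynote,240\n"
        "Workshop A,35\n"
    ),
}

# Header names that the post lists as personal or sensitive data (assumed starting set).
PERSONAL_HEADERS = {"name", "full_name", "email", "date_of_birth", "dob", "ni_number", "phone"}
SENSITIVE_HEADERS = {"dietary_requirement", "medical_condition", "religion", "gender", "biometric"}

# Value patterns for columns whose header does not give the game away (simplified checks).
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ni_number": re.compile(r"^[A-Z]{2}\d{6}[A-D]$"),  # simplified UK NI number format
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),    # IP addresses count as personal data
}
MATCH_THRESHOLD = 0.8  # fraction of non-empty values that must match a pattern


def classify_column(header, values):
    """Return (category, reason) for a column, or None if it looks harmless."""
    name = header.strip().lower()
    if name in SENSITIVE_HEADERS:
        return ("sensitive", f"header '{header}'")
    if name in PERSONAL_HEADERS:
        return ("personal", f"header '{header}'")
    non_empty = [v.strip() for v in values if v.strip()]
    if not non_empty:
        return None
    for label, pattern in VALUE_PATTERNS.items():
        matched = sum(1 for v in non_empty if pattern.match(v))
        if matched / len(non_empty) >= MATCH_THRESHOLD:
            return ("personal", f"values look like {label}")
    return None


def audit_csv(text):
    """Scan one CSV document; return [(header, category, reason), ...] for flagged columns."""
    reader = csv.DictReader(io.StringIO(text))
    columns = {h: [] for h in (reader.fieldnames or [])}
    for row in reader:
        for h in columns:
            columns[h].append(row.get(h) or "")
    findings = []
    for header, values in columns.items():
        result = classify_column(header, values)
        if result:
            findings.append((header, result[0], result[1]))
    return findings


def audit_files(files):
    """Audit a mapping of file name -> CSV text; files with no findings map to []."""
    return {name: audit_csv(text) for name, text in files.items()}


if __name__ == "__main__":
    for filename, findings in audit_files(SAMPLE_FILES).items():
        if not findings:
            print(f"{filename}: no personal data detected")
            continue
        for header, category, reason in findings:
            print(f"{filename}: column '{header}' is {category} ({reason})")
```

Running it lists every column to account for in your audit (where it lives, why it is collected, and whether it needs encrypting); a file with no hits, like the venue statistics above, can be left out of the personal-data inventory. Treat the output as a starting point rather than a verdict: free-text columns such as notes fields can hold personal data that no pattern will catch.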