relevent/ marketing ideas
The new legislation kicks in on May 25, 2018. To learn more about the implications of the new laws as well as the steps that those in the events and meetings industry could take to ensure GDPR compliance, our President Rachel Stephan interviewed the amazing Kevin Iwamoto, Senior Consultant at GoldSpring Consulting.
Take note of his expert insights and practical advice by checking out the key takeaways below or listening to the full 30-minute interview at the bottom of the page.
KI: GDPR is short for General Data Protection Regulation. It replaces the 1995 EU Data Protection Directive, and provides a completely new framework for the way we collect, process, and protect the personal data of European residents. This includes residents in the UK until further notice. The laws are applicable starting on May 25, 2018.
KI: People tend to focus only on the negative aspects of preparing for GDPR. But it’s actually going to standardize the definition of what constitutes personal data, the guidelines and regulation across the 28 E.U. member countries. Every country has their own iteration of the rules right now, and GDPR will standardize this across the region, making it less expensive and confusing to regulate. In other words, GDPR will now be accepted as the baseline.
Another positive relates to the U.S., which is one of the worst countries in terms of data privacy regulation. GDPR compliance can allow them to match the rigor of other countries.
Finally, GDPR should go a long way towards cleaning up the outdated practices we see in the marketing world today. It will make it harder for companies to sell personal information, as well as ensure that companies ask for consent to access private information much more consistently. Companies should also put systems in place to allow for the deletion of private information upon request. These are all good things, in my opinion. They will help clean up some really bad practices that exist in our industry.
KI: Conferences and associations can’t do blanket consent anymore. For every new conference, you have to have consent from all of the people being sent invitations to register and from all those who actually register. Consent forms can’t be buried away. There needs to be a concise language used for consent, and an exit or “right for deletion” path outlined in the consent form for those looking to opt out. This applies regardless of host country: if there’s an E.U. resident in attendance, it applies.
KI: Whether upon membership renewal or first joining, the consent form needs to show how their information is being used, which suppliers have access to it, and how they will use it too.
For delegates, not only do you have to ask for consent, you need to document where and when the consent was given. Doing this digitally (i.e. ticking a box) makes this relatively easy to track. But when the consent is verbal or done through fax, for example, you have to manually record that which makes it more difficult.
RS: So if I give my business card out at a trade show, is that consent?
KI: I usually ask to join them on LinkedIn. This covers my access and utilization of their personal data. Either way, I can’t put them on a marketing communications list if I don’t have their explicit consent to do this. I would have to prove that the consent came from the exchange I had with them at the trade show…it’s a slippery slope. That’s the purpose of GDPR: to ensure that people don’t get added to a marketing distribution list without their consent.
KI: This has to be done through a rider, addendums to existing service letter agreements, or a separate attachment of GDPR compliance. Third parties are classified as “processors”. There should be an agreement in place between the association and all third parties that they will adhere to the regulations defined by GDPR, and that failure to do so will result in XYZ. Be sure to specify all this before May 25th, 2018 or you run the risk of being fined and entering a legal mess trying to figure out who is liable to pay.
KI: Companies around the world are adopting the stricter GDPR standard across the board as they revamp their consent forms and other practices, instead of creating separate processing paths for the diverse people on their list.
RS: Doesn’t that pose a risk of losing a big chunk of your database?
KI: If you declare what info you collect and why in transparent language, and provide a list of processing partners, you can still definitely collect people’s information if they consent to it.
RS: But for example, if my email database of 20,000 people already suffers from a very low open rate, and I proceed with a consent campaign, I’d be worried about losing a significant portion of my audience that chooses to ignore the reaffirmation of consent. That’s scary to any organization!
KI: I totally understand that concern. The way I see it, it levels playing field. Everyone now has to conform and make efforts towards GDPR compliance. Many lists like the one in your example are very outdated and suffer from a dismal response rate. The subscribers have moved on, changed, or are no longer interested. In such databases, the focus should be on quantity over quality. GDPR compliance improves the quality of your list, because you have to keep it current, so you only reach people that are truly interested.
KI: It would be through fines and assessments. The E.U. is not shy about going after any company, and they have been successful in collecting fines from companies in violation of existing laws (anti-trust/competition, etc). GDPR is no different; they’re very thorough and consistent in prosecuting those that violate their regulations.
RS: Are there geographical limitations to how far they could go?
KI: No, we live in a global economy. They can do company boycotts… there are so many things they can do in retaliation for lack of compliance. Going by past behaviour and success ratios of their fines and assessments, they have been very successful.
KI: You see what’s happened in the Cambridge Analytica case, which documented the unauthorized access and utilization of information. Companies like that have to change fundamentally how they collect and use information. Marketing firms will not be able to use personal information without consent. Companies that practice the revenue generation model of reselling lists will have to change their whole practice to remain legal.
RS: What about marketing initiatives through direct messaging on social media platforms?
KI: That’s still being evaluated. GDPR focuses on corporations’ use of information for practices other than what’s intended. Is that legal or not? I wouldn’t be surprised if that issue comes up sooner or later.
KI: Search for people internally who are aware of the new laws. If no one is, someone still has to take ownership of this. You can also hire a consultancy like mine. We can do a quick gap analysis, for example, and help get you GDPR ready.
I would also conduct a data and process audit and identify all gaps of suppliers and partners that currently collect customer data. Look at how and why they use it, and if or when they delete it.
I would then work on a service level agreement, the scope of work agreement, rider, or addendum about GDPR that outlines roles, responsibilities and liability if assessed by the authorities.
GDPR recommends that organizations have an internal GDPR Officer. Most companies have a Chief Information Officer or Data Protection Officer. Ideally, they would be able to make decisions at an executive level, so it shouldn’t be a lower-level IT person. Look to whoever is overseeing your information. Get everyone involved and create a working task force to ensure GDPR compliance, even in the sales and marketing departments. There’s already a GDPR Council in most companies, but the meetings and events side of the business tend to get forgotten. You need to put yourself on that council and get informed. Insist on being included because your area touches personal data information every day. You can compromise the company if you’re not a part of the conversation.
RS: Are associations like PCMA helping their members in providing guidelines for this?
KI: I’ve heard of a lot of informal activities that associations are doing. They should be leading a think-tank, or putting together a checklist for their members. There are resources that help with GDPR readiness; people should Google it. I’ve done a couple of webinars, and I have a couple more coming up. There’s a lot of info out there. If your association isn’t being proactive, go out and do the research yourself.
RS: Right, I know Dahlia El Gazzar has whitepapers, webinars and other resources collected on her website empowerment.events for those looking to learn more.
KI: Yes, Dahlia has been a good friend and a true ally, helpful in spreading the word and getting people serious about GDPR. There’s lots of extremely valuable info on her website, so I highly encourage people to take a look.
KI: I would say do not procrastinate anymore. There’s an ancient Chinese philosopher Lao-Tzu who said that the journey of a thousand miles starts with a single step. I would say in closing if you haven’t taken your first step, you’re really running out of runway. Don’t just step into it, run into it, and try to get GDPR compliance in motion as soon as you can.
— John Meyer (@JohndMeyer) April 21, 2018
3 Key takeaway from our #GDPR event last week. Compliance Is Continuous + It’s Not Too Late + Early Wins. Learn more here: https://t.co/tOd9GwYA1Z #eventprofs #eventmarketing #expochat #iaee #pcma pic.twitter.com/tP79LoKfSJ
— Bear Analytics (@BearAnalytics) April 11, 2018
This is one of the best GDPR articles I’ve seen yethttps://t.co/O7NBqHbeF0
— Mattias P Johansson (@mpjme) April 24, 2018