
How can my organization become GDPR compliant?

The General Data Protection Regulation (GDPR) legislation is a cause for concern for many associations, event planners, and event marketers that deal with the private data of their members or event attendees. It is the most important change in data privacy regulation in 20 years, but only one-third of businesses have a plan in place to ensure GDPR compliance. The main thing to remember is that GDPR affects organizations that manage the data of European residents in any way. Any organization with worldwide reach would, therefore, need to pay attention. Even if your organization is small, it’s still a good idea to comply with the rules set out by the new policy. By doing so, you’ll avoid any issues down the road and your marketing communications endeavours may even improve as a result.

The new legislation kicks in on May 25, 2018. To learn more about the implications of the new laws as well as the steps that those in the events and meetings industry could take to ensure GDPR compliance, our President Rachel Stephan interviewed the amazing Kevin Iwamoto, Senior Consultant at GoldSpring Consulting.

Take note of his expert insights and practical advice by checking out the key takeaways below or listening to the full 30-minute interview at the bottom of the page.

Can you give a brief description of what GDPR is and who is affected by it?

KI: GDPR is short for General Data Protection Regulation. It replaces the 1995 EU Data Protection Directive, and provides a completely new framework for the way we collect, process, and protect the personal data of European residents. This includes residents in the UK until further notice. The laws are applicable starting on May 25, 2018.

How can GDPR be seen as a positive practice that can benefit the association or meeting planner? (1:18)

KI: People tend to focus only on the negative aspects of preparing for GDPR. But it’s actually going to standardize the definition of what constitutes personal data, as well as the guidelines and regulation, across the 28 E.U. member countries. Every country has its own iteration of the rules right now, and GDPR will standardize this across the region, making it less expensive and confusing to regulate. In other words, GDPR will now be accepted as the baseline.

Another positive relates to the U.S., which is one of the worst countries in terms of data privacy regulation. GDPR compliance can allow them to match the rigor of other countries.

Finally, GDPR should go a long way towards cleaning up the outdated practices we see in the marketing world today. It will make it harder for companies to sell personal information, as well as ensure that companies ask for consent to access private information much more consistently. Companies should also put systems in place to allow for the deletion of private information upon request. These are all good things, in my opinion. They will help clean up some really bad practices that exist in our industry.

How does GDPR affect international conferences that share legacy lists from year to year as they change host country? (4:38)

KI: Conferences and associations can’t do blanket consent anymore. For every new conference, you have to have consent from all of the people being sent invitations to register and from all those who actually register. Consent forms can’t be buried away. Concise language needs to be used for consent, and an exit or “right for deletion” path outlined in the consent form for those looking to opt out. This applies regardless of host country: if there’s an E.U. resident in attendance, it applies.

Are members of associations exempt since they have given consent by joining an association? Are previous delegates also exempt? (6:18)

KI: Whether upon membership renewal or first joining, the consent form needs to show how their information is being used, which suppliers have access to it, and how they will use it too.

For delegates, not only do you have to ask for consent, you need to document where and when the consent was given. Doing this digitally (i.e. ticking a box) makes this relatively easy to track. But when the consent is verbal or done through fax, for example, you have to manually record that which makes it more difficult.

RS: So if I give my business card out at a trade show, is that consent?

KI: I usually ask to join them on LinkedIn. This covers my access and utilization of their personal data. Either way, I can’t put them on a marketing communications list if I don’t have their explicit consent to do this. I would have to prove that the consent came from the exchange I had with them at the trade show… it’s a slippery slope. That’s the purpose of GDPR: to ensure that people don’t get added to a marketing distribution list without their consent.

How can an association or meeting planner ensure that their third-party partners (registration, housing, etc.) are compliant? (8:56)

KI: This has to be done through a rider, addendums to existing service letter agreements, or a separate attachment of GDPR compliance. Third parties are classified as “processors”. There should be an agreement in place between the association and all third parties that they will adhere to the regulations defined by GDPR, and that failure to do so will result in XYZ. Be sure to specify all this before May 25th, 2018 or you run the risk of being fined and entering a legal mess trying to figure out who is liable to pay.

Any organization which processes and holds personal data of subjects residing in the E.U. is obliged to abide by the laws set out by GDPR. What if you do not have information on where the people in your database reside? How do you recommend handling this if, for example, you hold an annual event in Canada but you know that 10% of your database is from the E.U., based on IP addresses collected through MailChimp? (10:32)

KI: Companies around the world are adopting the stricter GDPR standard across the board as they revamp their consent forms and other practices, instead of creating separate processing paths for the diverse people on their list.

RS: Doesn’t that pose a risk of losing a big chunk of your database?

KI: If you declare what info you collect and why in transparent language, and provide a list of processing partners, you can still definitely collect people’s information if they consent to it.

RS: But for example, if my email database of 20,000 people already suffers from a very low open rate, and I proceed with a consent campaign, I’d be worried about losing a significant portion of my audience that chooses to ignore the reaffirmation of consent. That’s scary to any organization!

KI: I totally understand that concern. The way I see it, it levels the playing field. Everyone now has to conform and make efforts towards GDPR compliance. Many lists like the one in your example are very outdated and suffer from a dismal response rate. The subscribers have moved on, changed, or are no longer interested. In such databases, the focus should be on quantity over quality. GDPR compliance improves the quality of your list, because you have to keep it current, so you only reach people that are truly interested.

How does a failure to comply come to light? How do you think they can enforce GDPR compliance in countries like the U.S. and Canada? (14:42)

KI: It would be through fines and assessments. The E.U. is not shy about going after any company, and they have been successful in collecting fines from companies in violation of existing laws (anti-trust/competition, etc). GDPR is no different; they’re very thorough and consistent in prosecuting those that violate their regulations.

RS: Are there geographical limitations to how far they could go?

KI: No, we live in a global economy. They can do company boycotts… there are so many things they can do in retaliation for lack of compliance. Going by past behaviour and success ratios of their fines and assessments, they have been very successful.

How is social media communication and marketing affected by GDPR? (16:42)

KI: You see what’s happened in the Cambridge Analytica case, which documented the unauthorized access and utilization of information. Companies like that have to change fundamentally how they collect and use information. Marketing firms will not be able to use personal information without consent. Companies that practice the revenue generation model of reselling lists will have to change their whole practice to remain legal.

RS: What about marketing initiatives through direct messaging on social media platforms?

KI: That’s still being evaluated. GDPR focuses on corporations’ use of information for practices other than what’s intended. Is that legal or not? I wouldn’t be surprised if that issue comes up sooner or later.

What are the qualifications of the person who can help implement a policy and ensure GDPR compliance? (22:47)

KI: Search for people internally who are aware of the new laws. If no one is, someone still has to take ownership of this. You can also hire a consultancy like mine. We can do a quick gap analysis, for example, and help get you GDPR ready.

I would also conduct a data and process audit and identify all gaps of suppliers and partners that currently collect customer data. Look at how and why they use it, and if or when they delete it.

I would then work on a service level agreement, the scope of work agreement, rider, or addendum about GDPR that outlines roles, responsibilities and liability if assessed by the authorities.

GDPR recommends that organizations have an internal GDPR Officer. Most companies have a Chief Information Officer or Data Protection Officer. Ideally, they would be able to make decisions at an executive level, so it shouldn’t be a lower-level IT person. Look to whoever is overseeing your information. Get everyone involved and create a working task force to ensure GDPR compliance, even in the sales and marketing departments. There’s already a GDPR Council in most companies, but the meetings and events side of the business tend to get forgotten. You need to put yourself on that council and get informed. Insist on being included because your area touches personal data information every day. You can compromise the company if you’re not a part of the conversation.

RS: Are associations like PCMA helping their members in providing guidelines for this?

KI: I’ve heard of a lot of informal activities that associations are doing. They should be leading a think-tank, or putting together a checklist for their members. There are resources that help with GDPR readiness; people should Google it. I’ve done a couple of webinars, and I have a couple more coming up. There’s a lot of info out there. If your association isn’t being proactive, go out and do the research yourself.

RS: Right, I know Dahlia El Gazzar has whitepapers, webinars and other resources collected on her website for those looking to learn more.

KI: Yes, Dahlia has been a good friend and a true ally, helpful in spreading the word and getting people serious about GDPR. There’s lots of extremely valuable info on her website, so I highly encourage people to take a look.

Any last tips or recommendations? (31:40)

KI: I would say do not procrastinate anymore. There’s an ancient Chinese philosopher Lao-Tzu who said that the journey of a thousand miles starts with a single step. I would say in closing if you haven’t taken your first step, you’re really running out of runway. Don’t just step into it, run into it, and try to get GDPR compliance in motion as soon as you can.
Listen to the full 30-minute interview with Kevin Iwamoto, Senior Consultant at GoldSpring Consulting