Feb 22, 2019 by Len Williams

GDPR’s First Year: How Has It Affected Events?

After all the buildup for the launch of the EU’s GDPR (General Data Protection Regulation) last year, trends are finally starting to emerge. Here’s our first look at GDPR developments nearly one year out and what it means for event professionals.

Since May 25th 2018, Data Protection Authorities (DPAs) in most countries have been fairly conservative about handing out fines for non-compliance. Even in cases where there was a clear breach, penalties were relatively small (the vast majority staying under EUR 1 million), compared to the potential weight GDPR could throw around.

But if anyone had been lulled into complacency, the bubble finally burst in mid-January 2019, when the French data regulator turned its attention to Google, handing the tech giant a EUR 50m ($57m) fine for alleged GDPR violations.

Although enforcement has not yet directly made splashes in the events world, we can already start to learn from fines and interpretations happening in the greater data privacy sphere.

What are the big GDPR themes for events?

In case you haven’t yet had to deal directly with the rules that GDPR introduces, or are still getting a grip on how its changes to data privacy law affect events, here’s a quick recap of some of the big items:
Collecting consent: If you checked your email during May 2018, you probably received a flood of tools, newsletters, and brands scrambling to inform you that their privacy policies had been updated.

This was tied to the onset of GDPR, and one of its central tenets: if you are an entity that collects personal data, you need explicit and informed consent from each person whose data you collect.

In the events world, especially for invitation-only events, this can open up big questions on when and how you can collect guest data.

Handling guest databases: As zkipster CEO David Becker argued, the event industry has always struggled with handling data. In a profession of tight deadlines and solutions-oriented workarounds, data security and data health can be among the first to suffer.

But with guests at the core of event management, the practices for creating, filling, and maintaining guest lists and databases are now a higher-stakes aspect of the work than ever.

Sharing guest data: In a highly collaborative team setting, guest and event information can pass from vendors, to digital tools, to sponsors, to consultants, and more.

Now, in a post-GDPR world, that free flow of data comes under tight scrutiny. In a nutshell, just because the event host collected consent doesn’t mean that every tool and event sponsor gets automatic access to the same guest data.

What can we learn from the GDPR fines so far?

For the events industry, the major potential weak point when it comes to GDPR has always been guest data. If lists of attendees are ever leaked or breached, fines would be fast to follow.

Now, as it stands, no event business has yet received a fine for GDPR non-compliance (indeed only a handful of companies in any industry have been hit so far), yet there are some important things we can learn from those organizations which have been affected.

Here are some of the most pertinent GDPR cases for the events industry so far:

January 2019: France fines Google EUR 50m for privacy violations

In January France’s data authorities made headlines for bringing the first GDPR claim against one of the big tech giants, announcing a EUR 50m fine against Google for failing to provide information to users about how their data was being used.

The search giant was penalized because essential information about the purposes of data processing, data storage, and the kinds of information used in ad personalization was spread across multiple documents, making it hard for users to find.

Takeaway for events: This case makes it clear that regulators will take it seriously if a company seems not to be complying with the spirit of the GDPR, and the scale and publicity of this case will likely paint it as a clear precedent-setter.

Given the focus of the case on privacy preferences and data usage, always explicitly ask event attendees for their consent for communications or data collection. And, perhaps more challenging for event data, find solutions for making guest data usage transparent and easy to access when the situation calls for it.

November 2018: German social network fined EUR 20,000 following hacking attack

German regulators handed out their first GDPR fine in November last year, following a hacking attack on Knuddels.de, a social networking site. In September the company announced that over 800,000 email addresses and passwords had been stolen; the passwords had been kept in plain text on its systems rather than hashed, as is standard practice.

Takeaway for events: Given the size of the breach, the EUR 20,000 fine was surprisingly limited. However, the German data authorities noted that the firm had responded in full compliance with the GDPR, immediately notifying users with clear communications, contacting their DPA and upgrading their security processes fast.

For events the takeaway is clear – if you do get a breach, notifying affected contacts and the authorities immediately is essential, and can be one of your most effective tools for mitigating the damage.

July 2018: Portuguese hospital fined EUR 400,000 for poor account management practices

In July 2018, a Portuguese hospital became one of the first large organizations to receive a GDPR fine after it was discovered that they had failed to manage access to accounts correctly.

Hundreds of doctors had been given permanent access to patient files via access accounts on the hospital’s system, yet only around a third of these doctors were actually employed at the hospital. What’s more, any doctor had access to any patient’s information, regardless of their specialty.

Takeaway for events: This was clearly an avoidable error – the hospital should not have allowed this level of unrestricted access to sensitive information. For event teams, guest databases should be kept secure and access should be layered so that only the data pertinent to a given role’s work is accessible.
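As an added example (not code from zkipster or the article’s author), the Python below shows what the hospital takeaway looks like in practice for a guest database: each role sees only the fields its job needs, every account carries an expiry so that nobody keeps permanent access, and a review function lists accounts that should already have been revoked. The guest records, roles, field policy, accounts and review date are all constructed for illustration.

```python
"""Layered, role-scoped access to a guest database.

Added example, not code from zkipster or the article's author. The guest
records, roles, field policy, accounts and review date are all constructed
for illustration."""
from dataclasses import dataclass
from datetime import date

# Constructed guest records; the fields differ in sensitivity.
GUESTS = {
    "g-001": {"name": "A. Example", "email": "a@example.test",
              "dietary": "vegan", "vip_notes": "seat next to sponsor", "table": 4},
    "g-002": {"name": "B. Example", "email": "b@example.test",
              "dietary": "", "vip_notes": "", "table": 9},
}

# Assumed roles: each sees only the fields its job needs. There is no
# catch-all role, so an unrecognised role gets nothing rather than everything.
ROLE_FIELDS = {
    "check_in": {"name", "table"},
    "catering": {"name", "dietary"},
    "host": {"name", "email", "dietary", "vip_notes", "table"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    active_until: date  # every account expires; none is permanent


class AccessDenied(Exception):
    pass


def read_guest(account: Account, guest_id: str, today: date) -> dict:
    """Return only the fields the account's role may see.

    Expired accounts and unknown roles are refused outright; the hospital
    case shows why a silent fallback to full access is the wrong default.
    """
    if account.active_until < today:
        raise AccessDenied(f"{account.user}: access expired {account.active_until}")
    allowed = ROLE_FIELDS.get(account.role)
    if allowed is None:
        raise AccessDenied(f"{account.user}: unknown role {account.role!r}")
    record = GUESTS[guest_id]  # KeyError for an unknown guest is acceptable here
    return {field: value for field, value in record.items() if field in allowed}


def stale_accounts(accounts, today: date) -> list:
    """Accounts whose access window has passed; run this as a periodic review
    so that people who have left do not keep working credentials."""
    return sorted(a.user for a in accounts if a.active_until < today)


# Constructed accounts and review date for the demonstration.
TODAY = date(2019, 2, 22)
ACCOUNTS = [
    Account("cater-1", "catering", date(2019, 12, 31)),
    Account("door-1", "check_in", date(2019, 3, 1)),
    Account("ex-staff", "host", date(2018, 11, 30)),  # left the team; never revoked
]


def access_report(accounts=ACCOUNTS, today=TODAY):
    """For each account, the fields it can see for guest g-001, or the denial."""
    report = {}
    for acct in accounts:
        try:
            report[acct.user] = sorted(read_guest(acct, "g-001", today))
        except AccessDenied as err:
            report[acct.user] = f"denied: {err}"
    return report


if __name__ == "__main__":
    for user, outcome in access_report().items():
        print(user, outcome)
    print("stale:", stale_accounts(ACCOUNTS, TODAY))
```

The design choice worth noting is that denial is the default in both directions: a role that is not in the policy gets no fields, and an account past its date is refused before any data is read. That is the opposite of the hospital’s setup, where access was permanent and unscoped. The stale-account list is the periodic check that would have caught the two-thirds of accounts belonging to doctors no longer employed there.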

Increasing data privacy is a good reminder: every guest in the crowd is a person, not just a number on a spreadsheet.

What event professionals should look out for in 2019 and beyond

While in its first year GDPR has only started to stretch its muscles, it would be unwise to assume the legislation is more bark than bite. As the French case against Google shows, building case evidence can take months, so expect many more fines as cases mature and come to court.

Let’s take a look at three key issues to keep an eye on in the coming months:

Growing awareness: As cases like the Google fine make headlines, public awareness of GDPR and the state of data privacy will grow. And, across the global tech sector, the growing conversation around data privacy, regulation, and predatory data usage will only intensify these considerations.

Stay abreast of big-name cases that come to light, and the opinion pieces that follow, to gauge where GDPR enforcement is headed.

Keeping on top of tools: Not all event tools support GDPR compliance equally, and more will likely run into data privacy hiccups in the coming months, particularly tech companies with a less international footprint, which may be slower to react to shifting compliance laws around the world.

Local laws catching up: GDPR, as an EU law with a mandate broad enough to have global implications wherever EU citizens are, is a paradigm shift in data privacy law.

But it’s not the only one – local laws, on a state-level in the US and elsewhere, are starting to follow suit, and will expand the reach of similar types of regulation. Take the case of California, which passed its own version of GDPR in June 2018. Keeping track of relevant local laws and regulations is a key counterpart to tracking national and global developments.

All in all, the first year has shown significant signs of what is to come, but the real meat of GDPR enforcement and interpretation still looks to be ahead of us.

Len Williams is a UK-based freelance writer who covers tech, engineering, energy and other technical topics.