What can we learn from the GDPR fines so far?
For the events industry, the major potential weak point when it comes to GDPR has always been guest data. If lists of attendees are ever leaked or hacked into, fines would be fast to follow.
Now, as it stands, no event business has yet received a fine for GDPR non-compliance (indeed only a handful of companies in any industry have been hit so far), yet there are some important things we can learn from those organizations which have been affected.
Here are some of the most pertinent GDPR cases for the events industry so far:
January 2019: France fines Google EUR 50m for privacy breach
In January France’s data authorities made headlines for bringing the first GDPR claim against one of the big tech giants, announcing a EUR 50m fine against Google for failing to provide information to users about how their data was being used.
The search giant was targeted because essential information about the purposes of data processing, data storage and the kinds of information used in ad personalization were spread out across multiple documents, making it hard for customers to find.
Takeaway for events: This case makes it clear that regulators will take it seriously if a company seems not to be complying with the spirit of the GDPR, and the scale and publicity of this case will likely paint it as a clear precedent-setter.
Given the focus of the case on privacy preferences and data usage, always explicitly ask event attendees for their consent for communications or data collection. And, perhaps more challenging for event data, find solutions for making guest data usage transparent and easy to access when the situation calls for it.
November 2018: German social network fined EUR 20,000 following hacking attack
German regulators handed out their first GDPR fine in November last year, following a hacking attack on Knuddels.de, a social networking site. In September the company announced that over 800,000 email addresses and passwords had been stolen; the passwords had been kept in plain text in its systems rather than hashed, as is standard industry practice.
Takeaway for events: Given the size of the breach, the EUR 20,000 fine was surprisingly limited. However, the German data authorities noted that the firm had responded in full compliance with the GDPR, immediately notifying users with clear communications, contacting their DPA and upgrading their security processes fast.
For events the takeaway is clear – if you do get a breach, notifying affected contacts and the authorities immediately is essential, and can be one of your most effective tools for mitigating the damage.
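The Knuddels.de case turned on one design decision: passwords stored as typed instead of hashed. The following is an added example (not code from the post or from the site it describes) showing what the difference means for a leaked attendee-login table: a plaintext store gives every credential away verbatim, while a salted PBKDF2-HMAC-SHA256 store lets you verify logins without the password ever being recoverable from the record. Function names, the iteration count and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumption: 200,000 PBKDF2 iterations; raise this as hardware allows.
PBKDF2_ITERATIONS = 200_000


def insecure_plaintext_store(users: dict, email: str, password: str) -> None:
    """The failure mode described above: the password is kept as given,
    so anyone who copies the table holds every credential."""
    users[email] = {"password": password}


def secure_hashed_store(users: dict, email: str, password: str) -> None:
    """Store a random per-user salt and a slow PBKDF2-HMAC-SHA256 digest
    instead of the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    users[email] = {
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def verify_password(users: dict, email: str, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare it to the stored one."""
    record = users.get(email)
    if record is None or "hash" not in record:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # Constant-time comparison so a wrong guess does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaked_table_reveals_password(users: dict, email: str, password: str) -> bool:
    """Simulate what a copied table gives away: is the password present verbatim?"""
    return password in users[email].values()


if __name__ == "__main__":
    # Constructed sample credential; not a real account.
    email, password = "guest@example.org", "hunter2"
    plain, hashed = {}, {}
    insecure_plaintext_store(plain, email, password)
    secure_hashed_store(hashed, email, password)
    print("plaintext table leaks password:", leaked_table_reveals_password(plain, email, password))
    print("hashed table leaks password:   ", leaked_table_reveals_password(hashed, email, password))
    print("login with right password:     ", verify_password(hashed, email, password))
    print("login with wrong password:     ", verify_password(hashed, email, "hunter3"))
```

The hashed record still has to be protected (a slow hash only buys time against guessing once the table is out), but a breach of it is a very different incident from the one described above, and that difference is what a regulator weighing a fine will look at.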
July 2018: Portuguese hospital fined EUR 400,000 for poor account management practices
In July 2018, a Portuguese hospital became one of the first large organizations to receive a GDPR fine after it was discovered that they had failed to manage access to accounts correctly.
Hundreds of doctors had been given permanent access to patient files via access accounts on the hospital’s system, yet only around a third of these doctors were actually employed at the hospital. What’s more, any doctor had access to any patient’s information, regardless of their specialty.
Takeaway for events: This was clearly an avoidable error – the hospital should not have allowed this level of unrestricted access to sensitive information. For event teams, guest databases should be kept secure and access should be layered so that only the data pertinent to a given role’s work is accessible.
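Both failings in the hospital case, accounts that outlived the person's employment and every account seeing every record, map directly onto a guest database. The following added example (not code from the post or from any hospital or event system) shows a role-scoped view of guest records in which each role is given only the fields its work needs, inactive accounts are refused outright, and a small audit pass lists the accounts that should have been revoked. Guest records, roles and field sets are constructed for illustration and stand in for whatever a real event team would define.

```python
from dataclasses import dataclass

# Constructed guest records; names and values are invented.
GUESTS = {
    "G-001": {
        "name": "Ada Example",
        "email": "ada@example.org",
        "ticket": "VIP",
        "dietary": "vegan",
        "access_needs": "step-free access",
    },
    "G-002": {
        "name": "Ben Sample",
        "email": "ben@example.org",
        "ticket": "Standard",
        "dietary": "none",
        "access_needs": "none",
    },
}

# Assumption: a typical event-team split. Each role sees only the fields
# pertinent to its work; nobody has a blanket "all fields" role.
ROLE_FIELDS = {
    "registration_desk": {"name", "ticket"},
    "catering": {"name", "dietary"},
    "accessibility": {"name", "access_needs"},
    "marketing": {"name", "email"},
}


@dataclass
class StaffAccount:
    user: str
    role: str
    active: bool  # False once the person no longer works for the event


class AccessDenied(Exception):
    """Raised when an account may not read the requested data."""


def view_guest(account: StaffAccount, guest_id: str) -> dict:
    """Return only the fields of one guest record that the account's role may see."""
    if not account.active:
        raise AccessDenied(f"{account.user}: account is no longer active")
    allowed = ROLE_FIELDS.get(account.role)
    if allowed is None:
        raise AccessDenied(f"{account.user}: role {account.role!r} has no access")
    record = GUESTS.get(guest_id)
    if record is None:
        raise KeyError(guest_id)
    return {field: value for field, value in record.items() if field in allowed}


def audit_accounts(accounts) -> list:
    """List accounts that still exist but belong to people who no longer work
    the event: the hospital's 'two thirds of doctors' problem, caught early."""
    return [a.user for a in accounts if not a.active]


if __name__ == "__main__":
    desk = StaffAccount("dana", "registration_desk", active=True)
    cater = StaffAccount("chris", "catering", active=True)
    former = StaffAccount("fran", "catering", active=False)
    print("desk sees:    ", view_guest(desk, "G-001"))
    print("catering sees:", view_guest(cater, "G-001"))
    try:
        view_guest(former, "G-001")
    except AccessDenied as exc:
        print("denied:       ", exc)
    print("to revoke:    ", audit_accounts([desk, cater, former]))
```

Run the audit routinely, not only after a breach: an account that is still live for someone who left is exactly what the Portuguese regulator treated as an avoidable error.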