When the European Union passed the General Data Protection Regulation (GDPR) into law, it gave EU residents more control over the personal information that is gathered and how it is used. Now that it is in effect, how organizations deal with data has changed for everyone.
The penalties for failing to follow procedures are stiff. They can cost you 4% of worldwide annual revenue, up to €20 million (about $23 million U.S.).
Check Your Forms
The first thing you will want to do is review all of your forms and privacy notices to make sure they are GDPR compliant. In addition, you will want to review your systems to make sure they can handle user data in line with the law's specific provisions.
Opt-In, not Opt-Out
Make sure anyone who provides data receives a clear explanation of how you will use it and is given the choice to opt in. Opt-out, where you do what you want with the data unless people take the step of opting out, is no longer acceptable. You need express permission from users in order to use their data in any form.
Make sure you have clear consent from participants before providing any data to any third party. This includes using your mailing list or sharing contact information with participants.
If you are purchasing mailing lists, make sure the company providing them to you will provide you with proof of consent and indemnification against claims if they violated GDPR.
There Is No Grandfathering
Don’t think that just because you already had the information in hand prior to GDPR’s effective date of May 25th that you are good to go. You will need to obtain permission to use any previously gathered data. The best advice is to treat all personal information as if you don’t have permission and request it – with a clear explanation of how you will use it – before proceeding.
Key Provisions of GDPR
GDPR doesn’t just regulate how the data is used. It also covers users' right of access. Are you prepared to provide that data upon request? That’s just one of the key provisions you will need to account for in dealing with data:
- Clear opt-in consent
- Use and consent must be in clear and plain language
- In the event of a breach, users must be notified within 72 hours
- Users have the right to obtain a copy of the data collected at no charge
- Right to erasure (also known as the Right to be Forgotten)
- Data portability means allowing users to transmit that data to another company
- “Data minimization” means you can only use the data for its intended and stated purpose.
- Must have a Data Protection Officer responsible for compliance
Even if you are not a company in an EU country or doing business in the EU, the rules still apply to you if you process the personal data of EU residents. If your event allows international guests, this applies.
You may think you are safe from liability if you do business with a third-party vendor that does your data processing or fulfills some function, such as handling mailings or registrations. However, GDPR places “equal liability” on the organizations that own the data (called data controllers) and the outside organizations that help manage the data (data processors). If a third party you work with is not in compliance, you can be held liable.
Make sure any company you work with will verify they are GDPR compliant and provide indemnification if they are found in violation.