The General Data Protection Regulation (GDPR), which takes effect May 25, 2018, will have an immediate impact on how you collect data from EU attendees: financial information (credit card data), health information (such as food allergies), passport and visa details, and even ordinary contact information all count as "personal data" under the regulation, and health data falls into a "special category" that is subject to stricter rules. We broke it down.
The GDPR recognizes six lawful bases for collecting and processing personal data: 1. the vital interests of the individual; 2. a task carried out in the public interest; 3. necessity for a contract with the individual; 4. compliance with a legal obligation; 5. the individual's consent; 6. the legitimate interests of the data controller. No basis ranks above the others, but a planner must identify which one applies to each purpose before processing starts, because switching to a different basis later is difficult to justify.
The key for registration processes is consent. Where consent is the basis, attendees in the EU (the rules apply to anyone located in the EU, not only EU citizens) must actively opt in through a clear affirmative action: pre-ticked boxes, silence, or inactivity do not count, and withdrawing consent must be as easy as giving it. Health information such as food allergies is special-category data and requires explicit consent. Whichever basis applies, planners must explain what the data will be used for, who it will be shared with, and for how long it will be kept.
The law cuts even deeper than that when it comes to the "who." Registration information is routinely shared with suppliers, and each category of recipient must be disclosed. A supplier that processes the data only on the planner's behalf, such as a registration platform, needs a written processing contract rather than attendee consent. Sharing that goes beyond running the event, such as passing contact details to a sponsor for its own marketing, needs a separate, unticked opt-in on the form for each such purpose; a single bundled checkbox, or an opt-out buried in the terms, does not meet the standard, and registration cannot be made conditional on consenting to sharing the event does not require.
With hacking now a routine happening, GDPR takes a strong stand on data breaches: organizations have just 72 hours after they become aware of a breach to notify the supervisory authority, unless the breach is unlikely to put individuals at risk. Where the breach is likely to result in a high risk to the people affected, those individuals must also be told without undue delay.
If EU attendees ask for access to their data, it must be supplied within one month (extendable by two further months for complex or numerous requests, provided the attendee is told why). If they ask that it be deleted, it must be erased, the attendee must be told that it has been done, and anyone the data was shared with must be informed so they can erase it too; the only exceptions are where the planner is legally required to keep the data, for example for tax records. Planners therefore need to be able to locate every copy of an attendee's data, and to export it on request in a structured, commonly used, machine-readable format.
GDPR, together with the EU's existing ePrivacy rules, also requires consent to send electronic marketing messages. Not only must the consent be specific, informed, and given by a clear affirmative action, but organizations must disclose how the contact information will be used and offer an easy way to opt out in every message. The implications for the e-mail marketing industry are far-reaching.
There are many additional resources for meeting planners, among them: