As we gear up for our clients’ spring events and strategies for upcoming projects, GDPR is top of mind. And, as you may have gathered from the recent wave of industry webinars and events covering GDPR rules and compliance, we’re not alone. The industry is braced for impact, so what can we expect?
General Data Protection Regulation (GDPR)—European Union (EU) legislation that aims to protect its residents’ personal data—was adopted by the EU in 2016 and goes into effect May 25.
GDPR rules govern data protection and storage for any organization that handles the data of EU residents, and they could have broad implications for the association and event marketing industries. Hefty fines can result from non-compliance.
Under the new regulations, GDPR (this is not a complete list):
- establishes broader EU authority over organizations outside the EU in how they access and use residents’ data;
- expands EU residents’ rights to control the use of their data and the manner in which it’s transacted;
- broadens the definition of “sensitive data”; and
- imposes stricter consent standards for companies accessing and using EU resident data.
In an Associations Now article, Carol Tullo, an association consultant in the United Kingdom, sums up the reason for these changes: “In this world of information and trade without boundaries, many organizations will be capturing data. That data is personal information, and the standard that GDPR is setting is to ensure that the individual and their data footprint is being treated with respect.”
So, what’s next?
At Fixation, we have been educating ourselves in preparation for GDPR’s enforcement next month so we can best serve and inform our clients. During two recent events hosted by vendors Bear Analytics and Feathr, subject matter experts shared some helpful thoughts and tips:
- Select someone from your company to be in charge of GDPR compliance and protocols.
- Review what data you currently have, and create a data map that pinpoints where and how the data flows.
- Analyze your company’s current processes and make any necessary adjustments to fit GDPR’s standards.
- Map out an access response plan with different options for residents’ access and usage of their data.
- Proactively reach out and gain explicit consent.
- Update privacy policies and publish them on your website.
- Consider self-certification under EU-US Privacy Shield.
The bottom line—be informed
Sources agree associations and marketers should do what they can to put themselves and their companies in the best position to meet GDPR’s requirements, like:
- Attend seminars and talk to your colleagues and peers about it.
- Seek professional or legal advice, if necessary.
- Understand what your vendors and partners are doing to be compliant.
There’s a lot of information out there right now, and some of it is very complicated. Here are a few articles we think do a good job demystifying some of the more nuanced aspects of the rules and provide clear recommendations:
- “4 Data Issues to Act on Now, as GDPR Looms,” Associations Now
- GDPR Q&A
- Yes, The GDPR Will Affect Your U.S.-Based Business
This is not legal advice. Before you make any changes to your processes, protocols or policies, please consult a GDPR expert.