General Data Protection Regulation (GDPR)

What is GDPR?

The General Data Protection Regulation (GDPR) will replace the Data Protection Directive (DPD) to harmonise data protection laws across Europe, and was approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018, after which companies must be fully compliant or risk heavy fines.

Who does the GDPR affect?

GDPR will apply to organisations both within the EU and outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.

What are the penalties for non-compliance?

Organisations can be fined to a maximum of €20 million, or 4% of their annual global turnover.

Over the last two years, the Information Commissioner’s Office (ICO) has issued fines to 87 organisations, with an overall average of £80,000 (17% of the maximum penalty).

What is personal data?

Any information that relates to a person, or that can be used directly or indirectly to identify that person. This can be anything from a name, photo, email address, bank details, posts on social network sites or medical information to an IP address.

Who does the GDPR apply to?

Whether you are a data controller (the organisation that collects the data) or a processor (the organisation that processes the data on behalf of a controller), there will be new rights and responsibilities that companies will need to adhere to.

The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

What is the difference between GDPR (regulation) and DPD (directive)?

The new regulation is a binding legislative act and must be applied in its entirety across the EU. A directive is a legislative act that sets out a goal that all EU countries must achieve, but it is up to each individual country to decide how.

Do I need to appoint a Data Protection Officer (DPO)?

You should appoint a DPO if you are a public authority, an organisation that engages in large-scale systematic monitoring, or a large-scale processor of sensitive personal data. If you do not fall under these categories, you do not need to appoint an officer.

What will happen to your existing data?

Organisations will need to ‘refresh’ consent to comply with the new regulations.

Organisations will be required to name any third parties that will be relying on the person’s consent to use the data. Consent requests will need to be prominent and separate from other information, such as general T&Cs. GDPR states that people have the right to withdraw consent at any time and that information on how to do so should be clearly visible when the data is collected.

What will GDPR mean for the industry?

One of the key reasons why GDPR is coming into force is the exponential rate at which data is now being collected. In the events industry, data collection tools help gather and analyse information on attendees, from registration systems and mobile apps to surveys and social media. Events in particular also deal with highly sensitive personal data, from attendee names, contact details and employment information to gender, disabilities and dietary preferences. With data-driven marketing increasingly at the forefront of meetings and events, it is inevitable that marketers and event planners need to prepare before the new regulations come into force.

Any organisation that collects and processes data on European citizens falls under the new regulation. So, if you are hosting events in Europe or your attendees are European citizens (regardless of where your events are taking place), then the new regulation applies to you. Also, if you’re using event management or registration software that helps you capture and process data around your events, then GDPR will apply to your technology providers too (even if they’re based outside the EU).

Data protection is currently front of mind, with much of the discussion centred on the size of potential fines, the impact on marketing databases and the changes to consent. Where should you be looking to ensure that you operate under the ‘Privacy by Design’ directive?

The Information Commissioner's Office has produced a 12-step guide to help you prepare for the GDPR and a self-assessment checklist so you can fully understand and plan your approach.

Information collected from the following websites: