The big change in data protection is on the doorstep. Get some last-minute advice here.
After a two-year transition period, the European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25. The four-letter acronym has forced event organizers, hoteliers, convention centers, and all companies that work with data — translation: every business that does any business in 2018 — to reevaluate their privacy policies and processes for storing and using data.
Many recent headlines have focused on the biggest names: Facebook’s potential to face loads of lawsuits, Snap’s adjustment of Snapchat’s location-tracking services, and Google’s efforts to simplify its user agreements. As GDPR continues to appear in major news outlets, plenty of event organizers based in the U.S. have raced to make adjustments. Norman Gritsch, founder and president of Nexus Data Group and international business lawyer, told PCMA that there is an important distinction in determining GDPR requirements. “It doesn’t apply to U.S. companies unless they’re established in the EU,” Gritsch said. “More than 90 percent of U.S. trade show operators don’t have a physical presence in the EU.”
However, as organizers work to boost international attendance at events in the U.S., Gritsch pointed out that marketing efforts will need to go under the microscope. “If you’re sending an email to someone with an email address that looks like it is in the EU, you should treat them as an EU data subject,” Gritsch said. “That means you need to obtain informed, affirmative consent from them. You can make the wording friendly, though. Highlight that you’ll use the data to benefit them and deliver the best experience possible. There is a way to write this messaging in a better way than simply asking someone to click a box that says ‘I agree.’”
As Gritsch has watched event professionals come to grips with GDPR, the most common mistake he’s seen is that some organizations have unnecessarily declared that they are bound by the legislation. “Don’t say that GDPR applies to you,” Gritsch advised. “If you do, you’re required to appoint a statutory agent with legal authority. As soon as you admit that you fall under the GDPR guidelines, you’re now subject to legal process.”
Gritsch has seen some people go too far in their early compliance efforts, but he does believe that everyone should be taking GDPR very seriously. “While I do not personally expect EU enforcement authorities to target most organizers of U.S.-based events, the legal requirements (and risk) nonetheless exist,” he wrote in a recent white paper. “Even companies with a low-risk profile should undertake a good faith effort to comply with these new privacy requirements, many of which are starting to evolve in the U.S. as well. Potential large fines under GDPR would not be covered by most U.S. insurance policies.”