The following questions/statements have been offered by others in our industry in the past 60 days. The answers have been vetted by our London attorney, especially because some of the questions are shockers!
Is GDPR just another guideline? Do we have to undertake this?
This is absolutely the law, and non-compliance carries the potential for significant financial penalties: fines of up to 20 million Euros, rising for bigger companies to a maximum of 4% of worldwide turnover.
This seems unfair and unreasonable to my business.
Assuming you’ve been handling guest personal data with appropriate respect already, the changes required do not fundamentally change our businesses. Think about an experiential agency or a team fan database with millions of names that must be wiped clean because the data was not collected legally, according to the new law. Those businesses and others are seeing the hard edge of this law while hospitality event activation is not.
We’re too small to be forced to make such changes to our business.
All companies, big or small, and with events hosting one guest or 1000, have to comply; there is no small-company or small-event exemption. Note that there is an exemption from certain record-keeping for agencies with fewer than 250 employees; however, this exemption is nullified if you collect certain standard event information, such as medical accessibility or dietary restrictions.
There is not enough time to do this.
The law was signed in April 2016, so although many companies may be making a last-minute rush, that isn’t because we haven’t been given an appropriate amount of time.
I’m in the UK and we’re leaving the EU, so does this apply?
The UK version of GDPR will be fundamentally identical and will likely be in place before the end of May, long before Brexit. Additionally, GDPR is enforced within the UK by the UK’s Information Commissioner’s Office (ICO), which has the power to conduct criminal investigations and issue fines, so this absolutely applies within the UK.
This can’t possibly be rigorously enforced from 26 May.
The UK’s Information Commissioner Elizabeth Denham has said her office will be more lenient on businesses and organisations if they have shown “awareness” of GDPR. This means if decision-makers are taking steps to meet their obligations, their organisations are less likely to be fined.
My client is not asking about this, so I’m not going to worry about it.
Many companies are scrambling to comply in their primary business first, and therefore non-core data collection, including through sponsorship/event agencies, may not be a priority. So, check your contract: most agency contracts put the legal responsibility and the financial exposure of data privacy and protection fully on the agency. Knowing this, your client might be expecting you to take the lead rather than waiting to be asked.
We are gathering data just from within my client’s company, so GDPR is not applicable.
Individual rights under GDPR supersede company rights over employees, so all elements of GDPR still apply to internal events and employee data collection.
My event is not in Europe; does GDPR apply?
If you are inviting European residents, and therefore collecting data from and on behalf of them, GDPR applies. The law is written to protect EU residents anywhere and everywhere, so there is no exemption for an event outside of the EU.
We delete all guest data after an event, so no further requirement for us.
GDPR requires much more than deleting data: guests’ personal data, which includes even names and the RSVP ‘yes’, must be collected, handled and processed according to standards set under the new law.
We do not store any guest data, so GDPR does not apply to us.
In this case, further discussion revealed that the agency was inviting guests to events via phone and email, so it was collecting personal data manually and then submitting the data to the event’s guest and credentialing system. Guest personal data was being held for a short time, insecurely on paper and in Excel, after being collected through an equally non-compliant process; in addition, its email archives were set to retain passport and other data insecurely for many years. Confirming what personal data is actually handled is the first step to avoiding problems down the road.
We’re fine inviting guests by manual emails and holding their data on Excel sheets.
This is still the most common way to invite and track guests attending a smaller event, but you must dig deeper to see if and how compliance can be achieved; in all but the simplest cases, that will be unlikely. GDPR is designed to be technologically neutral, so it doesn’t matter whether the data is held on or processed using a lever arch file, an Excel spreadsheet, your CRM, or an in-house database: there is more to the law that must be complied with, starting with the most visible element, the prescribed disclosure statement to guests.
GDPR impacts hosting guests at events because all individual data collection must now follow a specific protocol for disclosure, data protection, record-keeping and being prepared to fulfil EU consumer rights regarding their data. Learn the four steps to comply with the new law in our blog post: Keep Calm and Carry On – The Hospitality Event Manager’s Brief for GDPR Success