Yes, You Need to Understand the E.U.’s New Data Regulation—Even If You Only Host Events in the U.S.

The broad new rules require compliance from any company or event that collects data from attendees who reside in the European Union.

Glisser, which provides audience engagement and data-capture solutions for events, created a 'consent hub' in its software to comply with the G.D.P.R. regulations that go into effect in May 2018.
Photo: Courtesy of Glisser

If you haven’t already heard about the European Union’s General Data Protection Regulation, commonly referred to as G.D.P.R., chances are you will soon. The E.U. Parliament approved the regulation in 2016 and enforcement begins on May 25, 2018. It governs how organizations gather, store, share, and destroy personally identifiable information on residents of the E.U., such as their names, photos, email addresses, social media posts, and more—regardless of where that data collection takes place. That means if E.U. residents attend your events, anywhere in the world, you need to comply.

“While the G.D.P.R. is a European data-protection initiative, the impact will be felt right across the world for anyone who collects or retains personally identifiable data from any individual in Europe,” says Garry Sidaway, senior vice president of security strategy and alliances at NTT Security, which recently conducted a survey of executives from 11 countries. “Our report clearly indicates that a significant number do not yet have it on their radar or are ignoring it. Unfortunately many organizations see compliance as a costly exercise that delivers little or no value. However, without it, they could find themselves losing business as a result, or paying large regulatory fines.”

In fact, the regulation stipulates a maximum fine of four percent of annual revenue or 20 million Euros (nearly $23 million), whichever is greater.

For planners, the regulation has far-reaching implications about how attendee data is handled during registration, in an event’s mobile app, for lead scanning, in post-event surveys, and more. “If you look at the world we are in today, data about customers and customer behavior is the gold that any company has. So everybody needs to pay attention to this,” says Michael Trovalli, vice president of experiential marketing for business software company Sage. The company’s Sage Summit expanded into a world tour this year, with events in 10 countries, so G.D.P.R. compliance is a critical issue for Trovalli.

One part of the regulation requires data on E.U. residents be stored on servers located in their home countries. “I’m having this conversation with registration companies all the time,” he says. “ ‘Where are your servers? Do you have servers in the U.K.? Do you have servers in Germany, in Spain?’ Because if everything is stored in the U.S. that becomes a data issue I’ve got to deal with.”

The regulation also has strict rules regarding consent. Companies must use simple, unambiguous language to explain up front why information is being collected and exactly how it will be used, and each attendee must “opt-in” to give consent—it cannot be a pre-selected opt-in box or an option only to “opt-out.”

Oliver Fisher is head of growth at Glisser, a company that provides audience engagement and data capture for events. He says they have created a transparent “consent hub” that attendees see as soon as they access the Glisser system, where they must click a button to opt in to each use case for their data. But he says G.D.P.R. will also impact more casual data collection. For example, if planners gather attendee emails for a prize drawing, the event organizer will need to make it clear if that information will be used for future marketing purposes. “This is giving control back to the consumer,” Fisher says.

The regulation also gives anyone who “opts in” the right to see the data that has been collected and to ask that it be destroyed. “You’ve got about 30 days to do that, so making sure your systems are compliant and it’s easy for you to find that data is important,” Fisher says. Companies also cannot keep data for longer than necessary and must get new consent if they plan to use the data in a different way than originally approved.

The regulation also impacts what planners can promise to their sponsors and exhibitors. “The onus is on us as a company, for our sponsors that we are bringing in, to make sure we are doing our due diligence. So I can still provide the leads but that I am doing it in compliance with the laws,” Trovalli says.

He says the regulation is also prompting him to think about new ways to promote networking. “Mobile apps are great for peer-to-peer networking. But if my mobile app will have all these restrictions or people may opt out of it, how do I create the alternate experience that still promotes that peer-to-peer networking but that doesn’t rely on the app?” he says. “What’s the experience I can create during my event to bring like-minded people together that want to network?”

The G.D.P.R. regulation requires compliance both by the company hosting the event and by the technology companies that provide the registration system, mobile app, data storage, etc. Trovalli says he expects to see similar data-protection rules going into effect in other parts of the world in the near future. “Absolutely this will expand. I saw experiences of it in Australia, South Africa, Asia. The U.S. may be one of the later ones to adapt because we tend to be slower on these things, but as people get their data more and more violated, they’ll start to demand it.”
