Event businesses risk all

Leading law practice Irwin Mitchell has recently conducted a survey of 2,129 senior decision makers within business, and the results are pretty astonishing.

With just under a year to go until implementation, only three in every ten have started to prepare for GDPR and 35% are unaware of the new rules, including fines for data breaches.

You would like to hope that one sector at least, marketing and advertising, would be completely up to speed; but no, only 34% admitted in the survey that they were aware of the GDPR and 17% admitted that the maximum punishment would force them out of business. Given that event companies are often included in this sector, it would not be too much of a stretch to apply the findings to them as well.

We do need to rein back on the worst-case scenario a little, because it is the job of law firms to paint the picture as black as possible, but there is no doubt that any organisation that is not taking the legislation seriously could find itself in dire straits. The fines are likely to be at their largest for those that cannot demonstrate the measures and processes they have taken to keep data secure and the mechanisms for spotting a data breach.

Firstly, what constitutes a breach? Essentially this is an incident where there is an impact on an individual’s privacy. At one end there is a wholesale hack of customer data, at the other a confidential letter put into an envelope addressed to someone else, with the downloading of unencrypted data onto an unprotected laptop somewhere in between. Not forgetting, of course, the member of staff who leaves you to go elsewhere, taking your sales/marketing database with them. Where this begins to impact the business is that in certain instances you need to report the breach to the ICO within 72 hours.

So, if you can’t identify that you have a breach, possibly because you don’t know where all of your data is, how are you going to report it at all, let alone within three days? If you, like 63% of the marketing and advertising companies in the survey, aren’t confident that you can notify the relevant stakeholders within the timeframe, then you are automatically putting yourself in the frame for a fine.

Plus, just being able to identify and, potentially, report the breach isn’t the end of the matter. There is a specified format for the type of information you will need to provide, including the number of records affected and your mitigation procedures. If your data isn’t secure and compliant, your contracts with your Data Processors aren’t cast iron and your procedures aren’t professional, not only could you be facing a financial penalty, but you could find your business tied up in knots for a considerable period. If you are running a really lean operation, this could prove catastrophic.


Keep Calm & carry on emailing

As a data-focussed company, getting to grips with GDPR is an imperative for Circdata. Since beginning the lengthy process of conducting their own Data Impact Assessment under the terms of the Regulations, it has become increasingly clear what the implications for their clients are.

Another thing that has become increasingly clear is the number of misconceptions, and how, with such an enormous and broad piece of legislation, things can quickly get lost in translation.

It would be correct to say that the regulatory authorities and industry bodies are clearly focussed on the major players (or miscreants). A data breach by an internet provider, a financial institution or healthcare provider, or data misuse by a leading charity create unattractive headlines that only serve to bolster public mistrust of the direct marketing industry. Consequently these are the key industries which are currently being subjected to the most exacting of scrutiny.

Anyone involved in the B2B marketplace would be forgiven for self-interpreting the messages they are receiving as ‘business as usual’. But this is very far from the case because that advice is undoubtedly based on practices which aren’t currently being followed.

The events and publishing industry operates on a quid pro quo basis, i.e. you give me your data and I’ll give you something in return, e.g. a free subscription to a magazine or entry to my exhibition. It’s a mutually beneficial arrangement. For the purposes of the DPA, and now the GDPR, this would be considered to be a relationship operated under Legitimate Interests, i.e. there is a relevant and appropriate relationship between the individual and the organisation.

Within the status of this relationship, an individual must reasonably expect that they will be sent further offers after they have signed up for a company’s product/service, even in the case of a paid-for subscription. The individual must be told this, and given the option to ‘opt out’ at any point if they no longer wish their data to be processed in this way.

It isn’t all good news however. If you have been processing your data under Consent (i.e. you’ve been using lots of little tick boxes) then you are not permitted to claim processing under Legitimate Interests post implementation, so you still need to get your data in order before 25th May 2018 to continue using it. And, if you continue blasting your databases with masses of inane email messages then your opt-out/unsubscribe rates are going to rise – so it is time to reassess this strategy as well.

Meanwhile, remember that for most organisations, marketing permissions aren’t the thing you should be most worried about where GDPR is concerned. Your data security is. As one speaker at last week’s EventHuddle put it:

Remember that the minute you download an unsecured spreadsheet of Personal Data* onto an unsecured laptop you are in Breach

If you are still permitting data to migrate through your organisation via Excel, with no checks and balances on who can see it, then this statement should send shivers down your spine.

*Personal Data – any information that identifies an individual person.

Cutting through the cacophony of GDPR

So you just received yet another email from someone telling you ‘everything you need to know about the effects of GDPR’. You click on it, hoping that this time it will actually give you some guidance about what you can and should be doing. But oh no – it’s yet another person/company who has done a cut and paste job and that hard to decipher legalese is all still there on every single one of the 30 pages or more.

Sigh…

Having spent considerable amounts of time recently working through the 99 articles and 173 Recitals that make up the Letter of the Law, I can tell you it is a tricky old bit of legislation to get your head around. But it isn’t impossible.

Firstly, if this is the first you have heard of the GDPR then you are a little slow on the uptake. We’ve known it has been coming since 25th January 2012, with formal adoption starting early last year – so we’ve had a year of the two-year transition period already. You’ll hear some people say that full details around the legislation are not clear – but that’s not true. The majority of it is set, and it is just the greyer areas where more guidance is required that are being ironed out. So you can’t really use that as an excuse not to get a grip on it now either.

So what do you need to do? Don’t panic. Event companies are unlikely to hold Sensitive Data as defined in the Regulation. Nor are you likely to have lots of Data Subjects wanting to utilise the Data Portability option, or Subject Access Requests for that matter.

My suggestion for your first step towards GDPR compliance is to appoint someone to take ownership of the task. They are going to have to take a few things out of that notorious Too Hard box, so they need to be someone who is dogged in the face of obstruction and obfuscation. They need to have the ear and support of a member of the senior management team. And they need the discovery skills of Sherlock Holmes.

As soon as possible they need to make a list. And if your event company is anything like some of the ones I have worked with over the years, it is likely to become a very long one. Because this list is going to have to cover Every. Single. Database. Yes, every spreadsheet, .csv file, FileMaker or Salesforce file on every laptop, computer and server that contains personally identifiable data. They need to know:

  • Where it is stored
  • What data it contains (i.e. fields)
  • How many records
  • When it was created
  • When it was last used
  • What it is used for
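The list above is the data inventory that everything else in a GDPR programme hangs off, and most of it can be collected mechanically for the spreadsheet and .csv exports scattered across laptops and shares. The script below is an added example, not Circdata's code or a tool the post describes: it walks a folder, records for every CSV where it is stored, which fields it holds, how many records it contains, when it was created and last modified, and flags the fields that look like personal data. The header hints and value patterns it uses to spot personal data, and the two sample spreadsheets it creates in a temporary folder, are constructed for the example; "what it is used for" is deliberately left as a question for the file's owner, because purpose cannot be discovered from the file itself.

```python
"""Build a GDPR-style data inventory of CSV files under a directory (added example).

For each CSV found it records where it is stored, what fields it contains,
how many records, when it was created and last modified, and which fields
look like personal data. The PII heuristics and sample files are constructed.
"""
import csv
import re
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from pathlib import Path

# Assumption: column names and value shapes that usually indicate personal data.
PII_HEADER_HINTS = ("name", "email", "phone", "mobile", "address", "postcode", "dob", "birth")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d[\d\s-]{8,}\d$")


@dataclass
class InventoryEntry:
    location: str               # where it is stored
    fields: list                # what data it contains (field names)
    records: int                # how many records (header row excluded)
    created: str                # when it was created (ISO 8601, UTC)
    last_modified: str          # proxy for when it was last used
    personal_data_fields: list  # fields that appear to identify a person
    purpose: str = "UNKNOWN - ask the file owner"  # what it is used for


def looks_personal(header: str, values: list) -> bool:
    """Flag a column as personal data by its name or by the shape of its values."""
    if any(hint in header.lower() for hint in PII_HEADER_HINTS):
        return True
    sample = [v.strip() for v in values if v and v.strip()]
    if not sample:
        return False
    hits = sum(1 for v in sample if EMAIL_RE.match(v) or PHONE_RE.match(v))
    return hits / len(sample) >= 0.5   # majority of values are emails/phones


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")


def inventory_csv(path: Path) -> InventoryEntry:
    """Inventory a single CSV file: fields, record count, timestamps, PII fields."""
    with path.open(newline="", encoding="utf-8") as fh:
        reader = csv.reader(fh)
        header = next(reader, [])
        rows = list(reader)
    columns = {h: [r[i] for r in rows if i < len(r)] for i, h in enumerate(header)}
    st = path.stat()
    # st_birthtime exists on macOS/BSD; Linux only exposes ctime, used as a proxy.
    created = getattr(st, "st_birthtime", st.st_ctime)
    return InventoryEntry(
        location=str(path),
        fields=header,
        records=len(rows),
        created=_iso(created),
        last_modified=_iso(st.st_mtime),
        personal_data_fields=[h for h in header if looks_personal(h, columns[h])],
    )


def build_inventory(root: Path) -> list:
    """Walk root recursively and inventory every .csv file found."""
    return [inventory_csv(p) for p in sorted(root.rglob("*.csv"))]


def demo() -> list:
    """Constructed sample: two exports from an imaginary event company."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "sales").mkdir()
    (tmp / "sales" / "exhibitor_leads.csv").write_text(
        "Company,Contact Name,Email,Mobile\n"
        "Acme Stands Ltd,Jane Example,jane@example.com,07700 900123\n"
        "Widget Co,Sam Sample,sam@example.org,+44 7700 900456\n"
        "Demo Displays,Alex Placeholder,alex@example.net,07700 900789\n",
        encoding="utf-8",
    )
    (tmp / "stand_sizes.csv").write_text(
        "Hall,Stand,Width_m,Depth_m\nA,A12,3,2\nB,B07,6,4\n", encoding="utf-8"
    )
    return build_inventory(tmp)


if __name__ == "__main__":
    for entry in demo():
        print(asdict(entry))
```

Running it prints one record per file; the exhibitor leads file is flagged on three fields while the stand sizes file is flagged on none, which is exactly the triage the list above is asking for. Point `build_inventory` at a real share or laptop home folder and the output becomes the first draft of the register, with the purpose column still to be filled in by hand.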

It’s not a pretty job. But this is your starting point. Until you know how much data you have, who has access to it, where it is kept and how much use it is, you will have absolutely no idea what solution you need and how much time it is going to take to become GDPR compliant.

So, don’t worry about the details of the legislation right now. That isn’t going to change any time soon. Just start with this one task and it will create your roadmap to compliance.
Hellen @missioncontrol