Simon Clayton, chief ideas officer at RefTech, on being open, transparent, and accurate about what you are doing with the data you handle.
The EU’s new data protection regime – the General Data Protection Regulation (GDPR) – will come into force in May 2018 and make EU data protection rules a lot stricter.
While the future of data protection law after the UK fully leaves the EU remains unknown, the fact remains that the exit is still many years away. In the meantime, the UK’s Information Commissioner has confirmed that the UK will go ahead with implementing GDPR into our own national regulations regardless of the Brexit vote. Any post-EU data protection regime the UK may come up with on its own, which again is many years in future, would have to be fully adequate and equivalent to GDPR in order for the UK to continue trading with Europe. In other words, regardless of Brexit, GDPR is here to stay. GDPR is technically on the books now but is not being enforced until the 25th of May 2018. This gives you plenty of time to adapt your business processes into full compliance so use this time wisely!
Good data protection practice in exhibition organisation starts at the source: the registration process. In our privacy-conscious times, exhibition visitors have changing expectations about the use of their registration information. Although visitors do, by and large, expect organisers to resell their data for marketing purposes, they also expect that information to be shared safely, fairly, and responsibly. Visitors also assume that information not required for marketing will be kept confidential, and that sensitive personal information, such as support required for health issues, will remain safe.
Fortunately, good practice is easier than you might think. Approaching your exhibition data from the perspective of responsible stewardship, rather than boxticking, will save you from potentially embarrassing backtracking later on. Part of responsible stewardship is staying abreast of your rapidly changing data protection obligations under evolving EU regulations.
Personal data in a changing landscape
Under current EU and UK data protection regulations, personal data is defined as data which identifies an individual. The use of that data by an organisation for business purposes is called ’processing’. As exhibition organisers, you must obviously process personal data to do your job – registering visitors, producing badges, accommodating dietary requests, and so forth. This concept is known as ’fair processing’.
Part of fair processing, however, means being open, transparent, and accurate about what you are doing with the data you handle.
Many of the somewhat careless practises about openness, transparency, and accuracy which may be allowed to slip through at the moment will no longer wash after May 2018. One of the core principles being addressed in GDPR goes beyond ’privacy by design’ to require ’privacy by default’. Anyone dealing with data, be it in a registration form, a software application, or an exhibition stand, will need to get into the habit of capturing the minimum amount of data possible, while also shifting control over the use and retention of that data from the organisation collecting it to the person the data is about.
Another GDPR principle you need to get into the habit of honouring is that you must supply a legal justification for any personal data you collect in the registration process. ’We need it because we need it’ is no longer sufficient. This justification must be explained to visitors and clarified at the time of registration. For example, an event insurer may require you to ensure that all attendees are over the age of 18, and you may have to collect attendees’ dates of birth to comply with this requirement. Be sure to explain this, with the legal justification, in your registration terms and conditions.
For exhibition industry professionals, the watchwords for the new data protection regime are clarity and consent. You must ensure clarity in the information you collect as well as the information you provide, and you must secure consent at all stages of your event. The new regime will require a change in mind-set as well as everyday practices, but it will ensure a more responsible playing field for both organisations and individuals in the long run.