New data regulations are fast approaching: the European General Data Protection Regulation (GDPR) applies from 25 May 2018. You may have noticed that we have already started to plan for this by asking you to confirm your email address following our recent CRM upgrade. You may also have seen lots of information about GDPR, but according to a recent survey by the law firm Irwin Mitchell, only 34% of people in the events industry are aware of the new regulations.
Key points of the new rules include making companies more accountable for data - which means businesses must be ready to state what personal data they hold, where it came from and who it is shared with - as well as a greater focus on consent. Below is a summary of the key changes you need to be aware of:
- Extended Jurisdiction
The regulation applies to any organisation collecting or processing the personal data of individuals in the EU, regardless of where the organisation's offices are located. Whether you hold employee data, customer data or supplier data - if the data relates to an identifiable individual, you will be caught by the change in data laws.
- Consent
Where you rely on consent to store and use someone's data, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action (pre-ticked boxes or silence do not count) and as easy to withdraw as it was to give, and you must explain how the data will be used. Consent is not the only lawful basis - performing a contract or a legitimate interest can also apply - but you must be able to show which basis you rely on for each use of the data.
- Mandatory breach notification
Organisations must notify the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to "result in a risk to the rights and freedoms of individuals". A notification made after 72 hours must give the reasons for the delay, and where the breach is likely to result in a high risk to individuals, they must be told directly without undue delay. In practice this means having a way to detect breaches, an incident response plan and a breach log in place before May 2018, not after.
- Right to Access
Companies must be able to confirm to an individual who asks whether they are processing their personal data and, if so, provide a copy of that data (electronically where the request was made electronically), together with the purposes of the processing, who it is shared with, how long it will be kept and where it came from. Requests must normally be answered within one month and free of charge.
- Right to be Forgotten
Individuals will be able to require the controller not only to delete their personal data but to stop sharing it: where the data has been passed on or published to third parties, the controller must take reasonable steps to inform them so that they also stop processing it. The right is not absolute - data can be retained where another legal obligation requires it - so you need to know what you hold, where it is and why.
- Data Portability
Individuals will have the right to receive the personal data they have provided to a controller, and to have it transmitted to another controller, where the processing is automated and based on consent or a contract. As a result, upon request, organisations must be able to provide an individual's personal data in a "structured, commonly used and machine-readable format" (for example CSV or JSON), not as a printout or a scanned form.
- Privacy by Design
A real game-changer, this (formally "data protection by design and by default") means that privacy and security controls must be built into products and processes from day one rather than added afterwards: collect only the data a purpose needs, keep it only as long as needed, restrict who can access it, and carry out a data protection impact assessment before starting any high-risk processing.
- Data Protection Officers (DPO)
Certain organisations are now required to appoint a DPO - either a contractor, a new hire or an existing member of staff. DPOs are required for public authorities and for companies "whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences". Even where a DPO is not mandatory, someone in the business should own data protection.
The new data laws, which become enforceable on 25 May 2018, cannot be ignored, and the penalties for non-compliance or data breaches are far more severe than before: the maximum fine rises from £500,000 under the Data Protection Act 1998 to €20 million or 4% of worldwide annual turnover, whichever is higher. If you are unsure of the impact of GDPR on your business, RefTech are running a series of free GDPR masterclasses aimed specifically at event organisers and professionals. You can find out about these masterclasses by visiting their website.
Also, if you haven't yet confirmed your email address with us, please check back through your inbox and click on the link so that we can keep contacting you compliantly moving forward.
Don't get bitten by new data laws!