Do you have to abide by the General Data Protection Regulation (GDPR) if your event isn’t based in the European Union? The short answer is, “maybe.” Under Article 3(2), GDPR reaches organizations with no EU establishment if they offer goods or services to, or monitor the behavior of, people who are in the EU, so a U.S. event marketer emailing EU prospects is in scope on paper. In practice, the EU has roughly 500 million residents and regulators with finite resources, making the likelihood small that your event campaign will be investigated and/or prosecuted for a minor perceived infraction. That said, if you have an office or event based in Europe and/or a large database of European prospects receiving regular direct outreach, that likelihood increases significantly. Below are a few considerations as you’re planning your GDPR compliance strategy.
WHEN AND WHY?
The two-year GDPR transition period expires and the regulation applies from May 25, 2018. The law bolsters protections on personal data by regulating its “processing,” a term that covers collecting, storing, transferring and using data. Stricter rules apply to what GDPR calls “special categories” of personal data (often described as “sensitive” data): racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, and data concerning health, sex life or sexual orientation. NOTE: even photographs, IP addresses or website cookies that could be used to identify a visitor, directly or in combination with other data, count as “personal data.”
HOW IS THIS DIFFERENT FROM CASL?
GDPR’s consent rules share similarities with CASL, Canada’s anti-spam legislation. Like CASL, GDPR expects marketers to gain opt-in consent before sending commercial email to a contact (unlike CAN-SPAM’s opt-out regime). However, GDPR doesn’t have CASL’s distinction between “implied” and “express” consent. Instead, GDPR requires unambiguous consent, resembling CASL’s express consent in requiring “a statement or clear affirmative action.” Strictly speaking, consent is one of several lawful bases under GDPR, and marketing email is also governed by the EU’s ePrivacy rules, but for cold outreach to prospects, consent is the basis you can rely on. GDPR has no grandfather clause: consent collected before May 25, 2018 counts only if it already met the GDPR standard, so a marketer without unambiguous consent from an EU prospect won’t have sufficient permission to email them.
HOW DOES A MARKETER GET UNAMBIGUOUS CONSENT?
First, you have to ask prospects to take an affirmative action opting in, e.g. tick a box or submit their email address on a form that clearly states what they are signing up for. Pre-ticked boxes, silence and inactivity do not qualify (GDPR Recital 32). In your communication with them, you must provide the name of your organization, an email address and a phone number or postal address, as well as a disclosure of how the data will be used. Finally, you must track and maintain evidence of consent and make it as easy to withdraw consent as it was to give it (Article 7(3)). NOTE: Renting and purchasing lists will become more difficult, as list vendors will be required to provide proof of unambiguous consent to third-party marketing.
HOW SHOULD I TRACK CONSENT?
GDPR requires the marketer, as data controller, to be able to demonstrate that each EU contact gave unambiguous consent (Article 7(1)). One method of providing the required proof is creating and storing a date-stamped screenshot of the completed consent form. A screenshot alone, however, does not tie a particular contact to the exact wording they agreed to once the form changes. A better option is to track and keep versions of each form page, so that as the code changes, the version number increments (Ex: “subscribe.html v0001”). For every consent, store who consented, the date and time of submission, the name and version of the submitted form, the purposes the contact agreed to, and the action they took (e.g. which box they ticked). Record withdrawals the same way, so you can show at any later date whether a given contact was consented for a given purpose.
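The following is an added example, not code from the original article or from mdg, of how a consent ledger built on the versioned-form approach above might look. It is written in Python. The form names, versions, wording, subject identifiers and purposes are all constructed for illustration. Each consent record stores the form version and a SHA-256 fingerprint of the exact wording shown, so that the record can be verified against the archived form text later; withdrawals are appended as new records rather than edits, and the ledger answers “does this contact currently consent to this purpose?” by replaying its records.

```python
"""Consent ledger: ties each consent to the exact form version a contact saw,
records withdrawals, and can demonstrate current consent for a purpose.
Added illustration; all names and sample data are constructed."""
import hashlib
from datetime import datetime, timezone

# Constructed archive of form versions. Keys follow the "name vNNNN" convention
# from the article; values are the exact consent wording shown to the contact.
# In production this archive lives in version control or write-once storage.
FORM_VERSIONS = {
    "subscribe.html v0001": "I agree to receive event marketing email from Example Events.",
    "subscribe.html v0002": ("I agree to receive event marketing email and partner "
                             "offers from Example Events."),
}


def form_fingerprint(form_text: str) -> str:
    """SHA-256 of the wording; lets a record be checked against the archive."""
    return hashlib.sha256(form_text.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only log of consent and withdrawal events, replayed in order."""

    def __init__(self):
        self._records = []

    def record_consent(self, subject_id, form_version, purposes,
                       box_ticked, timestamp=None):
        # No affirmative action, no consent: an unticked (or pre-ticked but
        # untouched) box must not produce a record.
        if not box_ticked:
            raise ValueError("no affirmative action: consent not recorded")
        text = FORM_VERSIONS[form_version]  # KeyError if the version is unknown
        rec = {
            "subject_id": subject_id,
            "event": "consent",
            "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "form_version": form_version,
            "form_sha256": form_fingerprint(text),
            "purposes": sorted(set(purposes)),
            "action": "ticked consent box",
        }
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purposes=None, timestamp=None):
        # purposes=None withdraws everything for this contact.
        rec = {
            "subject_id": subject_id,
            "event": "withdraw",
            "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "purposes": None if purposes is None else sorted(set(purposes)),
        }
        self._records.append(rec)
        return rec

    def has_consent(self, subject_id, purpose) -> bool:
        """Replay events in order; the latest event touching the purpose wins."""
        state = False
        for rec in self._records:
            if rec["subject_id"] != subject_id:
                continue
            if rec["event"] == "consent" and purpose in rec["purposes"]:
                state = True
            elif rec["event"] == "withdraw" and (
                    rec["purposes"] is None or purpose in rec["purposes"]):
                state = False
        return state

    def evidence(self, subject_id, purpose):
        """Return the consent record that currently authorises the purpose,
        with the wording the contact saw, or None if not consented."""
        if not self.has_consent(subject_id, purpose):
            return None
        for rec in reversed(self._records):
            if (rec["subject_id"] == subject_id and rec["event"] == "consent"
                    and purpose in rec["purposes"]):
                return dict(rec, form_text=FORM_VERSIONS[rec["form_version"]])
        return None

    def verify(self):
        """Indices of consent records whose fingerprint no longer matches the
        archived form text (i.e. the record or the archive was altered)."""
        bad = []
        for i, rec in enumerate(self._records):
            if rec["event"] != "consent":
                continue
            archived = FORM_VERSIONS.get(rec["form_version"])
            if archived is None or form_fingerprint(archived) != rec["form_sha256"]:
                bad.append(i)
        return bad


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_consent("prospect-42", "subscribe.html v0001",
                          ["marketing_email"], box_ticked=True)
    print(ledger.has_consent("prospect-42", "marketing_email"))  # True
    ledger.withdraw("prospect-42")
    print(ledger.has_consent("prospect-42", "marketing_email"))  # False
```

Before each send, the mailing job calls `has_consent` for the purpose of that campaign, and `evidence` produces the record (who, when, which form version, exact wording, purposes, action) that a regulator or the contact would ask for. `verify` is what you run on the archive periodically: if a form's stored wording is edited in place rather than versioned, every record pointing at it stops matching, which is exactly the failure the version-numbering convention is meant to prevent.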
WHAT DO I DO NOW?
Unless you want to ignore it and hope no one notices, or simply stop marketing to European contacts, we recommend one of two approaches. A) Develop separate processes for contacts by country. This allows compliance with GDPR and other laws, but may become unwieldy as more countries implement anti-spam and/or personal data protection laws. B) Bring all database marketing processes up to GDPR standards. By complying with the strictest law in place, you prevent issues with GDPR as well as most other legislation.
This high-level view of GDPR and its anticipated effects on U.S. event marketers does not cover every requirement or potential impact on event organizers. If your organization’s EU footprint is large enough for concern, mdg recommends further due diligence, which may include support from a legal firm specializing in EU business law.