Has the events industry grasped data protection after two years of GDPR?
Data protection regulations got serious back in 2018 when the European Union enforced the stringent General Data Protection Regulation (GDPR) law, meaning the way companies collect, process and protect the personal information of EU citizens changed forever.
“Over 2.5 quintillion bytes of storable information is developed every 24 hours — and the pace, and value of this, will only increase with the rise of automation and digitalised technologies,” said Barry Cook, privacy and group data protection officer at VFS Global.
“Although we may not appreciate it, personal information has become a prime commodity in our global economy. It provides a snapshot of our day-to-day lives and can be used by organisations for targeted advertising and for determining the future behaviours of consumers.
“So, ensuring it is sufficiently protected, and shielded from potential misuse, is key.”
However, a company found in breach of GDPR law can face considerable financial consequences, as Marriott’s Starwood division found out last year when it was fined £99m after it was discovered that hackers had stolen the records of 339 million guests.
Marriott’s fine was announced shortly after the Information Commissioner’s Office (ICO) said that it plans to fine British Airways £183m over a separate data breach that saw hackers steal the personal data of half a million of the airline’s customers.
The two tiers of fines (€10 million or 2 per cent of the annual global turnover of the previous year, or €20 million or 4 per cent of the annual turnover of the previous year) would be enough to put many SMEs out of business.
George Sirius, CEO of Eventsforce, pointed out that while some event planners are still struggling with GDPR compliance, many are beginning to highlight their data protection credentials in the hope of winning business.
“The regulation has also brought about a number of positive changes to our industry, especially with regards to event marketing, data management and data security.
“Events are also starting to promote their data protection credentials a lot more than before in an effort to show attendees that they can be trusted with their most valuable asset – their personal information.”
While GDPR compliance may still seem daunting to many event planners who handle swathes of personal information, there are a few fundamentals that form the basis of the regulation, which can make compliance simpler, as M&IT’s senior circulations executive, Nick Nunhofer, explained.
“GDPR has tightened up data protection as opposed to changing it entirely. Many businesses, such as ours, rely on the two core principles around GDPR to operate; these are ‘consent’ and ‘legitimate interest’.
“An example of where we use consent is by visiting one of our web sites and signing up for more information. We have created consent based on six main categories where an individual can opt to choose exactly what subjects they want to receive further information on.
“An example of where we use legitimate interest is in our voting procedure for the annual M&IT Awards. Every person who gives us their information as part of the voting process qualifies for further contact under the Legitimate Interest clause. Of course, any customer can update their options at any time by asking to be opted out entirely.”
He added: “People have become more aware of their rights so it’s really important you watch your paper and email trails. If someone says take me off your email list and you still email them, they can refer back to that email and make a complaint. It is important to remember that not all systems are automatic and therefore to allow up to 72 hours for the fullness of data requests to be actioned.”
Still finding it difficult to wrap your head around GDPR – or have you seen the regulation positively affect your business? We’d love to hear from you. Get in touch at firstname.lastname@example.org.