GDPR: The 'Millennium Bug' for event delegate sales?
Next month's introduction of GDPR is causing major headaches for companies all over the world, especially sales and marketing leaders, who are concerned that the way they conduct business is about to get exponentially more difficult.
The General Data Protection Regulations will come into play on 25th May 2018 and will majorly affect how almost every European organization does business. It doesn’t matter if your company is based outside of the EU: If you trade with the EU or with any EU citizens then you must have your data governance plan in place, or potentially face huge financial penalties and lose the ability to continue doing business.
The problem is a particular issue for event organisers who typically rely on direct marketing (and telemarketing) campaigns to target certain demographics to their events. Unless a company has already established a tight network of engaged subscribers, how are they to continue to promote their events to their required audience? The real question is how to maintain a sustainable flow of customers while remaining compliant. Do potential guests have to have already shown an interest before you can get in contact with them? What counts as legitimate interest? Are you allowed to contact someone you've found on LinkedIn through the company switchboard? What if you are based outside of the EU?
Here are a few things that you should keep in mind:
What do I, an event organiser, need to do before May 2018?
If you trade with the EU, or with citizens of the EU, either directly or indirectly, you will need to have your full data strategy in place before the GDPR start date. This must be demonstrable to your clients and you may need to update client contracts to address details surrounding the collection and transfer of customer data. You will also need to allocate the position of Chief Data Officer within your communications team, with responsibilities that cover remaining compliant at all times. It is not necessary to hire someone specifically for the role; instead, incorporate the duties into the role of whoever currently looks after corporate data (following sufficient training). You should also consider providing dedicated training sessions for your entire workforce, so as to diminish the chances of falling foul of legislation and to encourage a security-conscious culture, which can only be of benefit to the wider business.
Can I continue to send emails to individuals that have attended previous events?
Direct consent from the prospect is now required before sending promotional emails. You will need to get this opt-in consent for all customers, regardless of whether you have been in previous contact. If consent has been given, you are allowed to email them only information relating to what they have specifically agreed to. If a customer has given consent to a different division (or brand) of your company, do not assume that you can email them regarding something else entirely. The fact that consent has been given must be deliverable upon request (so keep this backed up) and the customer has the right to ask for all of their details to be removed from your data at any time.
What will happen if I do nothing?
We've been warned that penalties for non-compliance will be swift and severe, with automatic fines of €20 million or 4% of turnover – whichever is higher. The EU is serious about this, and will be making an example out of companies who they find to be flouting regulations in the first few months – so be careful not to be one of those. You could also risk losing the right to do business in the EU altogether, as the damage to the reputations of companies who break rules could be irreversible.
What is ‘personal data’?
Personal data includes both B2B and B2C customer information. It includes, but is not limited to, the individual’s home address, home telephone number, private email account, mobile number (both work and personal), direct office number/extension, and work email address. You will need explicit permission to contact individuals using any of the above channels, unless for accounting, tax or other regulatory purposes.
What if I cannot get consent?
If you cannot acquire consent from a particular individual, you may be able to use ‘legitimate interest’ as a reason to contact them. Prior to contacting them you must perform a Legitimate Interest Assessment for each customer on an individual basis. If you can demonstrate that this has been carried out and explain the particular reasons as to why you thought the individual would be interested, you may have grounds to contact them. This is ambiguous, however, and not recommended as there is no definite right or wrong and a lot of room for error to occur.
The ambiguity and subjective nature of defining 'legitimate interest' is perhaps the most important detail of the regulation for companies incorporating B2B sales and marketing departments, and especially for event organisers themselves. As B2B corporate events are designed to be interesting for a particular industry demographic, it could be fair to say that someone who fits into that demographic could be legitimately interested.
GDPR: The key points
Gone are the days when you can send out huge email campaigns to 'relevant' leads sourced through various data mining methods, as you are no longer allowed to store this data. The regulations will force companies to do more business over the phone, asking to speak with people directly through company switchboards, which will make the process more costly and time consuming. It will also open the door for companies that specialise in promoting events via multiple channels, who already have the knowledge and experience in working this way.
Essentially, if you are a company that depends on email campaigns to promote your product/s, you are going to have to find another way that works for you.
One potential option to ensure that you can continue to grow your event audience whilst remaining compliant is to partner with an outsourcing company that specialises in event sales. These companies will have ensured that all employees have undertaken thorough GDPR training and have the required security protocols and behavioral procedures in place to remain within the rules while keeping the business going. This option gives you the ability to ask for a demonstrable GDPR service agreement as part of the contract to give you peace of mind while taking an easier option.