Getting in Shape for GDPR

One of Feathr CEO Aleks Levental’s favorite hobbies is making molehills out of mountains.

Make no mistake though--he runs a tight, secure, and data-driven ship. But he has a way of not sweating the things that can keep other people up all night. GDPR is one of them. In this article we'll be learning why GDPR is a historically important change in how the EU protects personal data, and also why there’s no need to panic whatsoever.

What is GDPR?

GDPR, or the General Data Protection Regulation, is a set of rules and regulations that establishes certain new protections for the personal data of EU residents and new consequences for keepers of such data that do not comply with the new rules. And for some reason, business media has chosen to frame its discussions of GDPR with a lot of fearful words and high-pressure countdowns.

The reality of GDPR is nowhere near as frightening as it’s been made out to be.

The reality of GDPR is that it’s not all that different than the laws we’ve been following for decades, regulators aren’t coming to fine you into oblivion, and the new rules are good for everyone.

Watch our in-depth GDPR webinar below to get caught up to speed on GDPR for event and association professionals, whether located in the US or the EU. It’s filled with actionable tips. Then read on as we address some specific helpful questions.

GDPR replaces DPD, the Data Protection Directive from 1995. DPD was quite similar to GDPR, so despite a lot of hype around are you ready for GDPR?!, not much is truly changing. Let’s go over the most important changes:

• GDPR enacts stricter consent standards for EU resident data. In a nutshell, this means data tracking is now opt-in rather than opt-out.
• There are now clearer guidelines for organizations outside the EU and their responsibility to the data of EU residents.
• The definition of what is considered “sensitive data” was broadened under GDPR rules. This type of data is less of a concern for marketers because it refers to biometric data, data that reveals ethnicity, sexuality, and other inherently personal information.
• GDPR includes a new set of “rights” for EU residents, including the right to be forgotten (erasure), the right to access, the right to data portability, and more.

The Information Commissioner’s Office of the UK is a great source of detail about these rights, as well as other important steps to take to ensure GDPR compliance.

You can view their guide here.

What isn’t GDPR?

It’s equally important to understand what GDPR is not.

GDPR is not a set of rules that disallows any specific kinds of marketing or communication. That’s especially important in the light of the overly dramatic tactics of media coverage of GDPR. All your current marketing and communications remain legal under GDPR, as long as you or your data partners gather consent ahead of time.

GDPR is not a hammer with which EU regulation enforcers intend to wallop small organizations, especially in the US. GDPR is partially a reaction to the data-handling practices of the “big fish” like Google, Facebook, and Apple. In fact, the most important change your organization will likely have to make is to document your good-faith intent to comply with GDPR. Let’s look a little closer at that.

What Should I do?

There is no shortage of GDPR guides available, and this article does not claim to be a one-and-done guide to GDPR compliance. What we intend to do here, however, is provide context and actionable suggestions for the industries we at Feathr serve. The list below is not comprehensive--you’ll have to talk to your lawyers for that--but it will lead you in the right direction.

1. Use GDPR principles as a guide for all your data handling. There’s no need to treat EU and US (and other countries’) residents differently, as it will become an unsustainable headache. GDPR is an excellent guideline to determine best practices and future-proof data services.
2. Perform an audit of all your data partners. That’s any processor, vendor, platform, or tech partner you use that holds or has access to your user data. These partners, like we do at Feathr, should be taking on the majority of the GDPR compliance burden. The first and most important step to take with your data partners is to document your intent to comply with GDPR. Draft a contract or an addendum to an existing contract that explicitly communicates a commitment to comply with GDPR. Note: we are not lawyers and this is not legal advice. Please review any steps listed in this article with your organization’s counsel.
3. Have an access plan. Document a plan for or with each data partner for how you (or they) will respond to new subject access requests enacted by GDPR. The new data rights (listed in the ICO link above) require organizations to respond to certain requests, and you need a plan in place for each.
4. Know where to direct data subjects. Each data partner should have a process and web-based location where data subjects can go to submit requests. Usually a web page or a portal, you and your data partners must be able to provide request opportunities for every user. Speak to your data partners individually about how and where they handle such requests.
5. Gather explicit consent. To remove uncertainty, add checkboxes to any forms with which your users interact that permits explicit agreement with data regulations, or “opt-ins.” An example of this would be a checkbox at the bottom of an event registration form that reads “I understand and agree that a meeting planner will have my contact details for the purpose of planning meetings (such hotels accommodations, transportation, activities, etc.)   Please note that if this box is not checked, then we are unable to secure your logistics for attendance at the meeting.” 
6. Update your privacy policies. Be clear about what data you’re collecting, why you ask for it, and what you do with it. Notify your users of updated privacy policies through email, website popups, or whatever means is most efficient for your business.
7. Assign a Data Protection Officer. In almost all cases this will be a role that is required to be identified in your organization. Thankfully, the person in this role doesn’t need to be an international data privacy lawyer or a network security expert. It just needs to be someone who can manage the documentation and process around data requests and follow up on some finer points.
8. Consider self-certifying under EU-US Privacy Shield. This is important if your organization directly stores and transacts data, has a custom-built data platform, or an on-site deployed AMS, email system, or database. For more information, check out the Privacy Shield website here: https://www.privacyshield.gov/PrivacyShield/ApplyNow. It will substantially simplify the legal basis and ability you have to transfer EU data out of the EU.

Your Questions Answered

Our GDPR webinar brought up a lot of great questions. Aleks addresses them in detail in the video above (we recommend you watch!), but they were so good that we wanted to summarize them here for easy reference.

Q: The data visible in Feathr has no personally identifiable data. How can we fulfill subject access requests if we don't know what data belongs to whom?

A: For Feathr users, it will be as simple as pointing data requests to the privacy portal at privacy.feathr.co. We will take care of the rest.

Q: Where do I add the opt-in checkboxes to gather consent?

A: In general, there should be a message on your homepage that notifies users if your site uses cookies and allows them to opt in or out of cookie tracking. In addition, you should add opt-in checkboxes to any form, such as registration forms, that solicit information from site visitors.

Q: How do I configure my website/WordPress/HubSpot/etc. for GDPR compliance? 

A: For Feathr customers, no work is actively required on your part. As long as you have our Super Pixel added to your pages, the GDPR update will work automatically. We can't provide technical support on GDPR compliance for platforms that we don't control, but the Information Commissioner’s Office guide is an excellent starting place.

Q: If I have consent for every user on my email list, will my site need to prompt those users to opt in when they return to my site on later dates?

A: No. Feathr will know that those users have already consented to tracking and will "remember" not to ask them again each time they return to interact with your website.

Q: Do event organizers have an obligation to notify attendees that their badges may be scanned from a long distance, when they might not even know the badge is being scanned?

A: All marketing/lead retrieval/badge scanning activities are still allowed under GDPR, but best practices dictate that organizers must be honest and open about what they're doing. In this scenario, the attendees should have opted in to receive a badge in the first place. At that opt-in stage, it would be a good idea to include language that notifies attendees that "at the event, your badge may be scanned from a distance or from a booth you are not actively visiting." If an attendee opts out of this, they should not receive a QR code/RFID tag on their badge.

Q: Will sponsored retargeting still be allowed under GDPR?

A: Yes. Much like the GDPR configuration of Feathr's Super Pixel, there will be a separate opt-in available to users for sponsored retargeting campaigns.

Q: Is it GDPR-compliant to group multiple actions (badge scanning, post-event surveys, event emails, etc.) into one consent form?

A: Yes, that would comply with GDPR as long as you make it clear exactly what actions users are opting into. For example, "do you agree to be tracked for event-related follow-up" obscures the actions to which users are consenting. "Do you agree to be tracked for badge scanning, post-event surveys, and event emails" is more specific and therefore compliant. If you group consent for various activities, consider your groupings carefully. Users may want to opt out of only one of your three activities, but if they are all grouped together, they will opt out of all three.

What is Feathr Doing for GDPR Compliance?

Feathr’s approach to GDPR compliance is to make as much of it our responsibility as possible, even if that means working expressly on your behalf. Our first step is to automate consent with no configuration required on our customers’ end.

This means the Feathr Super Pixel will include code that asks for explicit consent from EU residents when personal data is transacted. For our Influencer Marketing product, we will ensure there is an automated legal record of permission between our customers and exhibitors’/sponsors’ marketing materials.

Every customer, new and old, will receive an addendum to their contract that enumerates our GDPR compliance. If you’re a Feathr customer, you can check us off your list of data partners. As mentioned above, we will also have a publicly available data management interface for EU data subjects. It will be a one-stop data dashboard for subjects to execute the rights of data subjects. This will exist at privacy.feathr.co.

In short, it’s our job to worry about GDPR. Not our customers’. We are happy to answer any questions you may have, just get in touch at info@feathr.co. We will allay your concerns about GDPR, make you an expert on data privacy, and convince you that Lebron James is the greatest basketball player of all time.

If you're not a Feathr customer yet, we'd love to hear from you. To learn more about Feathr and to get personalized recommendations for your data, we encourage you to speak with one of our specialists. Check us out at the link below.

Talk to a specialist →