An introduction to GDPR and what it means for you


By Simon Clayton, chief ideas officer and GDPR practitioner, RefTech. Follow us for a full series of expert GDPR blogs.

Unless you have been living under a rock, you’ll be aware of GDPR and have been subjected to several blogs and countless emails warning of the horrors it will bring when it becomes enforceable next May. Before you groan and say ‘not another blog about GDPR’ let me explain. This isn’t a blog trying to sell you anything, and reading this series of articles will not magically take the pain away. Instead, I hope that they will change your perception of GDPR and give you clarity of the task ahead.


GDPR is complicated and in some ways, confusing. It is legislation made up of 99 articles and 173 recitals and much of the wording is currently subjective and vague. This means a lot of commentators are getting key facts wrong because so much of the wording is contradictory and open to interpretation.

I have already invested months of my time in learning and understanding GDPR and the separate articles it contains. I’ve attended two training courses and after taking exams, I’m now a GDPR Certified Practitioner. I’ve given a series of GDPR masterclasses across the country and I’m going to be speaking about the subject at Confex next year.

Despite my best efforts, nobody knows everything about how the articles will be interpreted and how the regulations will translate into the real world. I have almost daily queries which I am referring to the ICO, and at this stage even they don’t know all the answers, which is at least partly because they haven’t released their full guidance on how to interpret the regulations yet – we expect that early next year.

I believe that GDPR is much more suited to the online world, but it does apply to the real world too – even if some of its clauses aren’t brilliant when applied to real-world scenarios. For example, Article 13 states that whenever personal data is collected directly from the data subject, you must tell the data subject everything about how you’re going to use their data, including (but not limited to):

  • who the data controller is
  • the purposes of processing and the legal basis for processing
  • recipients or categories of recipients of the personal data
  • the period for which the personal data will be stored

This must be done at the time the data is obtained, which is pretty straightforward when a visitor is filling out an event registration form and there’s a link to the privacy policy on the page. It becomes much less clear when data is collected in person, for example when someone gives me a business card. If I meet someone at an event and give them my business card, then according to GDPR a data collection procedure has taken place and that person must immediately give me a copy of their privacy policy, or at the very least, tell me where I can find it. Will we see people handing out such documentation at networking events? Will people have to include the URL to their privacy policy on their business cards? I really can’t see this happening in the real world, but already that’s a clear violation of GDPR.

Don’t get me wrong – I believe that GDPR is generally a good thing but this is a journey where we are currently in the dark and feeling our way to some extent. The ICO releasing more detailed guidance next year will help, but it’s likely to leave a lot of other questions unanswered until we start seeing the results of investigations with the decisions of the ICO.

Becoming GDPR compliant isn’t about ticking boxes or investing in a new piece of software that will do everything for you, and despite the scary headlines, it isn’t just about avoiding huge fines. The ICO isn’t generally interested in dishing out huge fines as punishment. In her blog, Elizabeth Denham, the information commissioner, highlighted its track record and pointed out that the ICO investigated 17,300 cases last year (2016/17) and just 16 of them resulted in fines, because the ICO would rather encourage responsible stewardship of data than punish organisations with fines.

GDPR is our once-in-a-lifetime opportunity to do the right thing: for organisations to review how they collect, store and use personal data, because they have a responsibility to the people whose data they use. GDPR is forcing us to treat people’s personal data transparently, fairly and with respect, and to be aware of how great a responsibility that is.

Start your journey by downloading our free white paper ‘Get ready for GDPR: Your events management strategy’. The paper gives you clear explanations and a framework of questions to ask to enable you to create your own GDPR strategy.

The paper is free to download and it’s not a crafty data collection exercise so you don’t even have to leave your email address. It is just our way of helping our industry take the steps it needs to become more responsible.

Once you have downloaded the white paper, tune in to my blog each week on the CN website. I’m researching and refining how GDPR should be interpreted by our industry, and I’ll be discussing best practice and sharing my learnings with you.

ConferenceNews Guest Author

Conference News hosts great guests on its pages. Our Blog section is the collection of the best opinions in the UK and international events industry.
