7 Steps to Becoming GDPR Compliant for the Events Industry
The journey to becoming GDPR compliant may seem like a daunting task, but with a systematic and informed approach it represents a great business opportunity.
The more training and preparation you put in for your driving test, the more confident you feel on the day. The same can be said of making the necessary GDPR compliance steps – the more work you put in ahead of the GDPR deadline day on 25th May 2018, the more confident you will feel in handling the required changes.
At Acrotrend we work with event businesses and professionals to help them on their way to becoming GDPR compliant. We recommend a 7-step approach:
Step 1 – Form a Focus Group
Don’t ignore GDPR: it won’t go away, and leaving your preparation to the last minute means you will pay more in the end. Start talking. Invite your stakeholders to a GDPR meeting and identify a focus group that will work towards making your event company compliant.
We recommend not approaching GDPR with a purely technical mindset, but instead looking at how it will help you build loyalty and trust with your event customers. The make-up of the focus group may vary depending on the structure of the company, but we would suggest looking at the following roles:
· Marketing Directors, CMOs, Heads of Marketing
· Chief Digital Officers, Digital Directors, Digital Strategy Officers
· Heads of Business Systems (responsible for customer-facing applications)
· Customer Services Directors
· Sales Directors, Chief Commercial Officers
· Chief Data Officers
· Chief Analytics Officers
· Chief Security Officers, Cyber Security Officers
Step 2 – Build Awareness of GDPR Compliance
Implementing the GDPR compliance steps brings many fundamental changes to how event companies collect, store and utilise customer data. The extent of the impact on these companies will vary depending on their business model.
It is helpful to compile a list of questions from the various departments, and engaging a certified GDPR consultant with a background in data protection and/or digital strategy is worth considering.
A question-gathering exercise is particularly useful if it is done by the person who will attend the training programmes. It may also be useful to engage with consultancies, or with your incumbent suppliers, that have a GDPR background and offer consultancy in this area. This will speed up your learning.
Step 3 – Conduct a Gap Analysis
Assess your event business’s current state of data privacy and how maturely it handles personal data. The first thing to identify is the customer data you collect and store, and the various avenues and channels it arrives through.
For some event companies this could be a strenuous exercise, which is why we recommend starting as soon as possible.
Another important aspect of the gap analysis is to draw out the data flow across processes: how the data flows within the event company and where it is stored, also accounting for partners to whom you outsource processes and, in turn, some of the data.
Finally, prepare a gap analysis document that compares your current data flow and processes against the GDPR requirements. Keep in mind that the gap analysis must highlight GDPR requirements that are not covered by your processes today: things you are not doing at all that are must-haves to comply with GDPR, for example keeping a history of the consent received.
Step 4 – Build a Business Case and a Roadmap
The gap analysis done in the previous step can then be turned into a business case. We highly recommend that event companies look not only at the compliance side of GDPR but also at the potential business benefits to be achieved from this investment. It will be evident from the customer journey process flow which areas of customer engagement, customer experience and loyalty can be improved further to gain a better ROI for your events business.
The business case must consider several aspects: hiring or training staff and third parties on your processes and the changes to them; the changes you will need to make to the solutions that handle customer data, which may require changes to existing technology or the purchase of new technology; and finally the external help you may need in order to bring in the appropriate expertise to implement GDPR compliance.
A fit-for-purpose roadmap must be built around both the security controls you need to deploy for GDPR and the approved/agreed business benefits.
This roadmap will need proper buy-in from all relevant event teams involved. They must understand the interdependencies within the roadmap and must govern it through a steering group capable of making informed decisions to see the roadmap through.
Step 5 – Execute and Implement
A confident and well-driven roadmap execution will help build trust in the processes and, in turn, with customers. Parallel strands of the execution may have one or more projects within the following areas:
· Organisational design and change
· Customer journeys and processes
· Data structures and control
· GDPR privacy controls in place
· Privacy policies in place
· Third party ways of working and contracts
Step 6 – Test, Test, Test
Your GDPR investment needs to be robust and working to ensure your event business always remains compliant. Come up with as many scenarios as possible to test the design and solution you have now put in place, and ensure the solution covers all aspects of change, including people, and not just data, privacy and technology.
Prepare a plan to handle a failure or incident as well. Do not test only for success; test for failure too. The ability of an organisation to understand a failure and communicate it to the appropriate authorities and customers is important.
Keep in mind that control of your event data resides with the customer after May 2018. How will you cater to their requests concerning their data and transactions? Also record how long it takes you to respond to a data portability request.
Step 7 – Embed Privacy in the Culture
Culture is arguably the biggest challenge within most businesses, and event businesses are no different. Privacy needs to be considered as more than a mere compliance issue and must become second nature to event businesses, which takes effort and time at various levels.
In the past, security and privacy initiatives have struggled to get proper buy-in from the business functions and IT; however, privacy has now become a central business topic.
For GDPR, privacy and security professionals must collaborate with sales, marketing, customer services, digital and customer experience teams to come up with creative ideas to engage with their target audience. At the same time, data and technology teams within IT and the business functions play a pivotal role in maintaining the GDPR compliance steps and principles at all times.
Businesses that build confidence through complete control over customer data and its movement will define their own risk profile in the future.
Our next blog discusses GDPR in Action: Collecting Data at Events. Acrotrend is working with organisations on their GDPR strategies. If you would like further information on the GDPR and the changes your business needs to make to become fully compliant, contact us today by booking a call below.