Do you speak GDPR? It is like a foreign language you need to learn from scratch. What’s more, it’s difficult to get your tongue around. And how do you start with a new language? First of all by learning the vocabulary. So, how does it go? General Data Protection Regulation? GDPR? The General Data Protection Regulation (GDPR) establishes EU-wide rules for the processing of personal data.

One year of GDPR – what’s the story so far? The GDPR was introduced as a big hype. Now that the EU General Data Protection Regulation turns one, we can draw two conclusions. Firstly: There has been no GDPR “armageddon”. Neither, unfortunately, has it brought any major changes in data protection. Despite supervisory authorities and imposed sanctions, we can still see violations of the GDPR on Facebook, Google or at banks on a daily basis.

This was discussed at the 20th Data Protection Congress on 22 and 23 May at the Pullman Berlin Schweizerhof. Over 300 corporate and public data protection experts met under the motto “One Year of GDPR and 20 Years of the Data Protection Congress”. The GDPR, which has been in force for one year, was the main topic of the conference. Time and again, we hear that it has now entered into practice. It is no longer just a theoretical construction that companies should adhere to. It is a legal ruling that can serve as a basis for the enforcement of titles.

Is the GDPR just a toothless tiger? It is true that fines and sanctions were already imposed last year. But we are still waiting for the expected deluge of warnings. The sanctions rather serve as precedents – since, unlike in many EU countries, the German authorities are not dependent on earnings from fines. They rather have an advisory role. So to prevent the GDPR from becoming a toothless tiger, it is important to penalise violations – especially those of large data companies.

The GDPR has entered into practice and created a lot of uncertainty and confusion. Now in force, the law, which has served as the legal basis for data protection since May 2018, is changing the protection of personal data. Opt-ins need to be a deliberate choice. New rules apply to cookies, as well as to the storage and use of data. This concerns all companies!

In event management the security of personal data is of maximum importance. The GDPR poses challenges for planners, for example, when managing invitations. They may only send congress invitations to existing contacts who have already given their consent. This is particularly demanding for sales and marketing. But how can I get my target group’s consent if they have not even been informed that the event is happening? The answer: through information and advertising. Because advertising measures, be it in print or online, are still admissible.

Elke Schneider, Conference Director of the 20th Data Protection Congress, tells us all about the essentials for events in the context of the GDPR: “Corporate data protection officers are very much aware of the issue, more than any other target group. That is why it is particularly important to comply with the legal requirements when organising the data protection congress. This also applies, of course, to the conception and organisation of all other events.” For example, when preparing a panel discussion in compliance with data protection rules, you must not address emails to more than one person. You need to agree with the delegates beforehand whether other delegates should be able to receive their email address.

Stricter rules also apply to the use of digital documents during a congress. Technology, including general terms and conditions, must be sent or downloaded in accordance with data protection rules, be it voting devices or apps that attendees can download to their mobile phones. The Data Protection Congress issues the conference documents in printed form. Allegedly, that makes it “watertight” and is currently the delegates’ format of choice despite the digital possibilities. The next Data Protection Congress will take place in Berlin on May 13/14, 2020.

Tips: The GDPR in event management

W Only send invitations to existing contacts who have given their consent.

W Marketing staff can only write to contacts who have opted in.

W Do not send email addresses to mailing lists unless each recipient agrees to the mailing list in advance.

VV Data protection and event management