GDPR: Everything you need to know
Everyone, from Blondie to the Kinks and from Beastie Boys to Pearl Jam, has sung about the importance of privacy. From 25 May 2018, the way the live music industry handles the personal information of its European fans, artists and employees is set for a shake-up as the General Data Protection Regulation (GDPR) is introduced across Europe.
So, what is the GDPR?
The last European data protection law was introduced back in 1995. Since then, much has changed in terms of both the personal information we generate and share, and what we all perceive our rights over that data to be.
The new law provides enhanced rights to individuals to control how their data is handled, and puts greater regulatory scrutiny on companies who mistreat the data entrusted to them.
Who will it affect?
The law will apply to all companies processing the data of European citizens (be they fans, customers, artists, employees or partners), irrespective of whether the company processing the data is inside Europe or located elsewhere in the world.
What might this cost me if I get it wrong?
Fines can be up to 4% of group annual turnover (or €20 million, whichever is higher).
Other impacts of non-compliance include the power for regulators to suspend a company’s processing activities subject to investigation and the ability for consumers to band together and bring class actions.
However, many companies are viewing the (i) potential brand damage, (ii) loss of customer trust, and (iii) diminishing investor return where personal information is mistreated, as potentially far more significant than the monetary penalties.
Is there any upside to this for me?
Many organisations have found that being upfront and transparent with customers about the data that is held on them and how it is used builds trust and often results in them sharing increasing amounts of information. This creates the opportunity to connect with fans and customers in an increasingly personalised way. Managed well, this could both lower the cost of acquiring and servicing them and increase satisfaction.
Ok, maybe I should be doing something about this – where should I start?
First things first: get familiar with the law and nominate someone in your organisation to lead your company through the new requirements. You might need to appoint a data protection officer. Knowing both the relevant privacy laws and how to apply them to business processes is a considerable challenge. Having an appropriately skilled and qualified person in place is a must, and can repay any costs many times over by focussing any additional work only where it is absolutely necessary, whilst making sure full advantage is taken of the opportunity to engage more deeply with customers and fans.
Knowing what you need to do to comply with GDPR starts with having a proper grip on (i) what personal data you have, (ii) why you have it, (iii) what you use it for, (iv) where it is used and stored, and (v) what rights (consent) you have to hold and use it.
For example, you’ll be relying on consent to market to fans: where is that consent coming from? Do you collect it directly from the fan, or does another company collect it for you? Under GDPR, pre-ticked marketing opt-ins will be a thing of the past. The entity for whom consent is being given will also need to be named (e.g. generic “event partner” opt-ins will no longer be permissible). If you rely on others to collect marketing consent on your behalf, you should ensure they meet the new requirements.
Citizens will also have powerful new rights, including the ability to:
• Access and make corrections to any of the data you hold on them
• Request a copy of all of the data you hold on them, in a form that they can easily pass to others
• Request that you delete all of their data
• Opt out of some or all processing or profiling (e.g. marketing segmentation).
You must be ready to respond quickly should they choose to exercise these rights.
Hannah and Giles are chairing a GDPR session on 7 March 2018 at ILMC 30.