Posted by Lee Noble
The European Union’s General Data Protection Regulation or GDPR as it is much more affectionately (sort of) referred to will come into force from May 2018. The new law is much like the current Data Protection Act but turbo-charged with greater emphasis on compliance and with much sharper teeth.
It is in reference to the storage and management of personal data that businesses collect from a multitude of different sources; festival goers, employees, artists, stewards, contractors - if you’ve got their details written down somewhere then yeah you guessed it; GDPR applies to you. Even if the details aren’t stored electronically.
And where does Brexit impact all of this? Surely with GDPR being an EU thing, Britain can just get rid when we say farewell to our European neighbours? It seems not; with a little piece of legislation called “The Great Repeal Act” we are most likely to retain the legislation; especially since we were one of the leading parties in developing it (the UK... not Project Simply).
So it appears that we are in it for the long haul. But while a little tricky to adapt businesses for GDPR compliance, let us not forget that this legislation is there to help and protect us. It is also a great opportunity for businesses to learn more about their customers needs and wants, too.
It goes without saying that it’s a pretty big deal due to festivals being very much people-orientated. No people, no festival right? It now seems that “No GDPR compliance, no festival” seems pretty apt considering that the level of fines you could incur for breaching the regulations are up to £20million or 4% of annual turnover.
To put this into perspective, TalkTalk received a £400,000 fine in 2016 for security failings that allowed hackers to access customer data; constituting a data breach. While £400,000 sounds like a lot of money, it has been calculated that under GDPR, this figure would have been £59 million.
"GDPR isn't just about financial penalties, but this analysis is a reminder that there will be significant commercial impacts for organisations that fall foul of the regulations.
"Businesses should have already started preparations for GDPR by now. Most organisations will have to fundamentally change the way they organise, manage and protect data. A shift of this size will need buy-in from the board."
Roger Rawlinson, Managing Director of NCC Group’s Assurance Division
The key is in the transparency and flexibility. Making sure that anyone signing up to a mailing list, becoming a member of your website or even the process of buying a ticket has full provision of what exactly they are signing up to. And, the option not be included in anything - as the default option. Gone are the days of sneaky little checkboxes in size 4 font, pre-checked, agreeing for someone to sell their soul to your mailing list.
One majorly important thing about this is that GDPR works retrospectively - it will apply to all of the data you currently hold about all of the people. So your time best spent between now and May 2018 is going to be in gaining that consent from your current list
Basically, you need to be telling people what you’re collecting about them, how you’re going to use that information and in what way you’re going to communicate with them - and you’ll need their permission to do all of those things.
The key thing is not getting caught up in the panic around fines and non-compliance. While they are there to make sure people are in line with legislation to protect personal data, it’s a great opportunity to reconnect with your database and use it as a means to increase the quality of your data.
Giving people the ability to actively engage with your festival’s marketing means that they are more likely to become a paying customer later down the line. Send a communication out to them in a completely transparent way; let them know why you are contacting them in the meantime and then gain their consent for you to continue interacting with them. The knock on effect that this has is that you get to weed out those that are either uninterested in your events or those that aren’t preferable to being contacted by email - why not chuck in a question to ask them how they would prefer to be contacted?
Turning this into a positive, then, GDPR can actually shape up to be an opportunity to find out much more about your potential customer base. Building up a festival-goer persona can be greatly influenced by how a person actually prefers to be contacted rather than just what they want to be contacted about. This will allow you to tailor the promotion of your event to them in a more personalised way than ever before.
Another aspect that you need to take into consideration is how your website is going to allow the transparency required by GDPR legislation. Setting up the subscription centres, how the opt-in checkboxes and statements are going to work and the way that this will affect your website and marketing are going to be massive for all businesses going forward.
Getting ready early for this is absolutely paramount. Even if this means planning for an event or festival much further in advance than you would usually it is better to do this and allow time for GDPR preparation than be non-compliant come May 2018. The Information Commissioner's Office (ICO) have put together a very handy 12-page document to help you get prepared for GDPR.
One of the early steps that the ICO recommend is running an audit on what current data your company is holding, how it is holding it and whether this could be potential for a breach moving forward
“Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You may find compliance difficult if you leave your preparations until the last minute.”
The Information Commissioner’s Office
With so many things to take into consideration, you need to start to think about the main point of contact for attendees and your festival when looking for info, signing up to mailing lists and buying tickets. What will this user journey look like? Do you want to be in contact with them at each stage? If yes - you will need consent and this will need to be mapped not only in the design of your website but also the entire marketing plan put together.