After years of preparation and debate, the European Union’s General Data Protection Regulation (GDPR) was formally approved by the EU Parliament almost two years ago on April 14, 2016. Some are calling it the most important change in data privacy regulation in two decades, and it transcends borders and is rapidly becoming a global “pay attention” issue.
Among other things, GDPR, which will come into effect across the EU on May 25, 2018, requires that organizations report unauthorized access to personal data within 72 hours of detection. Also concerning is Article 17, which states that data subjects have the right to have their personal data removed (or, “the right to be forgotten,” as it’s become commonly referred to) from the systems of controllers and processors under a number of circumstances. This legislation is so significant because it affects nearly any company or organization that does business in the EU, as it is specific to the EU citizens and agnostic of industry.
Andrew Thomas, Director of U.K.-based Ticketing Professionals Ltd., is among those sounding the alarms. He calls GDPR “the biggest shake-up of consumer data and privacy law in over 20 years.”
“It covers personally identifiable data of all natural beings who are EU citizens or live within the EU,” he said. “Think about your ticket buyers, donors, subscribers, members, the list goes on. Their names, phone numbers, email addresses, physical addresses, dates of birth. All that data will be covered by GDPR. If you hold ‘sensitive’ information — information on children, medical conditions of patrons, etc. — this has even stronger rules. If you sell tickets and hold patron, fan or customer data, you are going to need to make sure you record what information you are holding, what you are doing with it, why you are doing it, tell your customers about it and give them the right to object to it.”
Thomas also stressed the importance of clear communication and transparency with data. For those in ticketing or marketing, Thomas said to ensure you’re always being open, clear and honest when you are capturing data. This has always been a priority for any business capturing data online, but with GDPR, it’s finally becoming a formalized process with steep penalties and fines for noncompliance. “Let’s be clear: Most of us have and will always respect our customers’ right to privacy,” he said. “But we are now under the same scrutiny as every other business, from banking to used car sales, dentists to online shoe retailers.”
Thomas noted that there remain many misconceptions among his professional ticketing colleagues throughout Europe. The most common? “Mainly that GDPR is about consent or ‘check boxes’ on the website,” he said. “It’s not just marketing or websites.”
So, what are ticketing professionals supposed to do in this highly regulated environment? The most important strategy to employ is to document everything. “If you make a mistake or foul up something, the fact that you have documented your work shows you and your organization take data and privacy seriously,” he said. “That is what it is all about.”
Obviously, this has an enormous impact all over Europe, but it also applies to any companies that hold EU citizen data. Reaction in the U.S. ticketing industry has ranged from “How will this affect my business?” to “Will it affect my business at all?” INTIX Chair Kay Burnham has heard the questions, and she still has some of her own.
“We have yet to completely understand how it is going to affect the global ticketing industry,” she said. “Certainly, ticketing software providers need to look at what and how information is stored in their respective systems if they haven’t already. The notification requirement of 72 hours is going to mean that companies need to be fast at identifying, understanding and getting a notification out if a breach occurs.”
Burnham is wary of how GDPR might affect security and engagement. “We are going to have to figure out how we balance the right to be forgotten with the security issues around knowing who is coming to your venue,” she said. “The primary challenge for ticketing professionals is dealing with the right to be forgotten. When you have crafted your strategies on providing high-level service to your customers around knowing who they are and targeting messages, not knowing who is coming or has come to your venue means rethinking your service and engagement tactics.”
In addition to chairing INTIX, Burnham is Vice President of Guest Services for the Segerstrom Center for the Arts in Costa Mesa, Calif. So, how will being based in the Golden State affect her business specifically?
Burnham acknowledges that Segerstrom has very few EU patrons in its database. “But even one means we need to be aware of the regulations and apply them to our operations,” she said. GDPR technically applies to EU patrons transacting within the EU, but when the company they are transacting with is not in the EU, it can be difficult to determine when the standards apply. Many companies in the U.S. and Canada aren’t entirely sure how they could be fined once it goes into effect in May. “We are taking the simplest approach, which is to apply it to any record that has an address in the EU,” Burnham said. “While we are still in the process of determining exactly what that means for us, I would advocate that any company selling tickets to the global market take the same approach. Given the penalties for noncompliance, it is better to over-apply the rules than miss someone.”
She cautioned that having a mind-set of “This really doesn’t affect me because my company is not physically in the EU” is the biggest misconception. Canada’s CASL (anti-spam) law has been in effect since 2014, Burnham noted, and there are still some U.S.-based companies that do not understand they are violating its terms. “I can only imagine that it is going to be the same with GDPR,” she said.
In her position as INTIX Chair, Burnham has some bottom-line advice for ticketing professionals still trying to prepare for compliance with GDPR. “The simplest thing to do is to educate yourself on the GDPR,” she said. “Don’t just rely on your IT department or ticketing software provider to give you the information. Take the lead in your company by presenting them with your own research. A simple Google search for ‘GDPR requirements’ turns up a lot of articles and websites that really help you understand what the requirements are and how they are applied in non-EU countries.”