In a survey carried out by international auditors PwC in January this year, compliance with new EU data protection regulations was cited as a ‘top priority’ by 92% of organisations in the US.
The US is evidently not part of the EU, but the concern arises from the fact that there will be a requirement for all entities which process data within the EU to be compliant with the new GDPR (General Data Protection Regulation). That inevitably includes the UK, regardless of what you might think in respect of Brexit, and anyone who wishes to engage seriously with data protection regimes should be reminded that the clock is already ticking as we fast approach the enforcement date on May 25 next year.
No business will be left untouched, especially those engaged in hospitality, tourism and event management, because the GDPR requires businesses to treat customer data with a new level of respect. If you process the data of anyone in the EU whilst in the EU, you will have to develop new processes to ensure you can evidence your accountability, not only for protecting that data, but also for ensuring the right to privacy of the individual.
For many this will feel like red tape for red tape’s sake – an unnecessary legislative burden, but that may be because no one has taken the time to explain ‘why’ the GDPR has been brought into effect and what its ultimate goals are. In a series of three blogs we will take you through the drivers from the EU perspective and explain why the events and tourism sectors can and should embrace the change. So who are we to take you on this journey? In short, we are advocates for the digital societal change that the GDPR is trying to bring about, and we have built and delivered what we believe is the first GDPR-ready event and tourism platform to digitally enhance engagement in venues and events. We have done what all of you are about to have to do and we are happy to share some of our experience with you.
What is the GDPR?
The media has been awash with coverage on this new legislation, but you may have missed it, so as a quick summary, the GDPR replaces the Data Protection Act in the UK (and equivalent legislation in every EU country). It does two key things – first, it significantly enhances and clarifies the rights of the individual over the use of ‘their’ personal data, and yes, ‘their’ is key to understand; under the GDPR you as an individual are granted new rights akin to ownership of your personal data. Secondly, the GDPR makes businesses far more accountable for how they obtain and use ‘your’ data. The net effect of these changes is a need to be far more transparent with your customers as to what data you obtain and how you use it, more often needing their explicit consent for access to specific data for a specific purpose, enabling them to know and understand how you process their data and to object if they so wish, even telling you to delete it or give it back in a form they can take to a competitor! It is after all ‘their’ data!
Many scare-mongers throw up the new fines of up to €20m (the DPA only allowed max fines of £500k) or 4% of your global turnover, whichever is bigger – but the ICO recently debunked this, highlighting that only 16 fines were applied under the DPA against 17,300 investigations. However, the GDPR does give the individual the same rights to pursue a claim as the ICO has (in general, and the DPA did not allow this), so respect for your customer data does become a new priority.
Why do we need this new legislation?
In short, businesses have not respected the rights of the individual sufficiently well. There is a pervasive thought process amongst the big US Internet companies in particular that our data, once obtained, is theirs to monetize as they wish. This culture has led most business users of their services to fall (often unwittingly) into the same culture. Nowhere is that more true than in the multi-billion $ targeted internet advertising business, in which hundreds of companies compete for ever greater insight into who we are, where we are and how we think, just so they can serve up ads at the right time and place for their paymasters.
This sort of data is being re-sold in the Big Data economy (and hackers) in ways that would truly concern us if we knew – and that most of us would not have consented to if asked (credit, health, sexual preference profiling and many other things). It’s a race to the bottom as far as our right to privacy is concerned. The knock-on effect across all sectors seeking to make a digital $ is that the average consumer is becoming more concerned. They ask themselves, “can I trust these digital services?” and if the answer is not an unequivocal yes then perhaps they don’t engage, or if they do they obfuscate by sharing inaccurate data (or so they think!). This means that the cost-efficiency potential of digital integration and the opportunity for data innovation are fundamentally undermined.
Worse, as was discussed in Davos 2015, we are facing the kind of trust deficit for the Internet that collapsed the banking system in 2008. The EU sees the potential to redefine the digital engagement model between businesses and consumers by strengthening legislation and re-empowering the individual with more rights to protect their privacy, liberty and freedoms. They don’t do this out of the goodness of their hearts, but because the Internet as it is, is ‘owned’ by the USA (a geo-national competitor for your digital services) – the annual turnover of the top 4 grossing US digital companies (when added together) is greater than the Gross Domestic Product (GDP) of 80% of the world’s countries!
The future economy of the EU is dependent on creating a new commercial battlefield, one where new rules are laid out and new (EU) competitors can set up and thrive, and perhaps export their ‘trustworthy’ (see this video) services back to the USA and the rest of the world. In short, the EU feels this legislative change is required to help drive a growth-oriented imperative in the digital market, whilst simultaneously enhancing digital society for the individual – after all, who does not want to trust the businesses they exchange their digital personal data with? Especially if that is to become a daily, if not moment-by-moment, activity?
The more data a customer shares at check-in, the more you can enhance your services to meet their needs – the more services we can offer people at events to discover who is here and what’s happening, the more successful our events can become. Trustworthy engagement is at the heart of this mutually beneficial exchange of information – preparing for the GDPR will help you get your company ready, and perhaps even more globally competitive.
In our next blog we’ll talk about what trust and privacy really mean in a digital era and how to inculcate them as principles into your products, services and company culture.
Geoff Revill, Co-Founder and Managing Director of Krowdthink Ltd, innovator and disruptor for event and venue engagement & connectivity. Passionate advocate for re-balancing digital empowerment between individual and business.