Got an extra $25 million lying around in the petty cash drawer you can afford to lose?

In May, a new data protection law will change the way you do everything, from collecting email addresses to marketing your next meeting, if you process the data of European Union (EU) citizens. Have an EU citizen attending your meeting? Listen up or you may have to pay up.

The General Data Protection Regulation (GDPR) is meant to harmonize data protection rules across European Union (EU) member states. The regulation takes effect May 25 and applies to data processing carried out by individuals and organizations operating within the EU. It also applies to institutions outside the EU that offer goods and services to EU citizens.

Imagine this: You are the CEO of a U.S.-based company holding a meeting in Salt Lake City. In preparation for the event, you provide a free downloadable PDF sharing the sights and information about the meeting destination in exchange for the website visitor’s email address. 

If the website visitor who just downloaded your PDF happens to be an EU citizen, you are now responsible for using and/or storing their data responsibly and in compliance with GDPR.

“In the future, if you want to keep those data details so that you can send them future information ... you’re going to have to get that permission explicitly for anybody who is in Europe,” said Carol Tullo, an expert on data protection and cybersecurity.

Tullo is an associate consultant of The Trust Bridge and until July 2017 served as director of Information Policy and Services at the United Kingdom’s National Archives.

“You’re going to have to say, ‘We will be capturing details of your information, and we’re using that for the purposes of this event. If you would like us to keep your data on file so that we can alert you about future events, please tick this box,’” Tullo said. “Ultimately it is each organization’s obligation to have good governance and good compliance because it’s your reputation that’s at risk.”

But it’s the painful potential monetary consequences of not meeting the law’s requirements that really have people worried. The GDPR is a data privacy regulation with teeth sharpened not just for groups in the EU, but for any entity on the planet processing personally identifiable information about EU citizens.

Failure to Comply With GDPR Could Cost You a Fortune

If you fail to meet GDPR regulations, the Information Commissioner’s Office (ICO) or EU privacy regulators can fine violators up to 4 percent of annual global sales or €20 million (USD $24.76 million)—whichever is higher. 

David DeLorenzo is a technology consultant with DelCor Technology Solutions who believes GDPR could be disruptive in every industry.

“My biggest concern is that many organizations are looking at this as just a data and technology issue when in fact it is a business issue that will have a significant impact on many areas in business,” he said. “It is a game-changer in the way that organizations will be able to do marketing.

“It could impact revenue streams for many ancillary businesses, like list sales, and has the potential to render some of the innovative technologies that we use to serve content based on automated processing unusable because of data privacy,” DeLorenzo added. “So yeah, I have some concerns.”

If you have mailing lists, collect IP addresses automatically in your third-party marketing tools or even store random Excel spreadsheets containing individuals’ personal data with your notes for later use, you must adhere to the wishes of any EU citizen about their data. You must guarantee that they have control over how their data is used.

And just because your third-party technology provider is capturing the data you use, it doesn’t mean they will necessarily be prepared to help you with GDPR-related requests.  

Visual artist Nicolet Groen admits she is concerned about the tools she uses to market to her prospects.

“The thing I worry about most is whether the SaaS [software as a service] products I am using are GDPR compliant,” she said. “I did an assessment, and there are still many loose ends.”

Somewhat concerning is the lack of conversation about GDPR for small businesses and those operating outside of technology circles. For example, the regulation is an unknown challenge for many volunteer-led or -organized events relying on third-party technology providers to handle anything tech-related. But GDPR requires both the processing and handling of data to be compliant, and the responsibility falls on those organizers—whether they know it or not. 

“Many people just don’t believe GDPR is something that pertains to them, and that worries me, as organizations typically don’t know if someone is a citizen of the EU just by the little bit of data they may have about them in a database,” DeLorenzo said.

An Alarming Statistic on GDPR Compliance, Plus Some Complications

Research by the analyst firm Gartner revealed over 50 percent of companies affected by GDPR regulations will not be in full compliance with its requirements by the May 25 deadline.

Conversations about GDPR can take a predictable path, moving from scaremongering to hedging one’s bets that GDPR enforcement would be unlikely to impact smaller organizations without egregious offenses. But GDPR will have a remarkable impact on businesses, regardless of size. 

According to a PwC pulse survey, companies have exhibited a variety of ways to try to comply with GDPR. Among those surveyed, 77 percent were using the Privacy Shield Program administered by the International Trade Administration (ITA) within the U.S. Chamber of Commerce. 

While not a complete answer, participation in the Privacy Shield Program is a commitment from U.S. companies that they will adhere to the Privacy Shield Framework, which has many of the same rules as the GDPR. Membership in the program certainly can’t hurt, but it also won’t guarantee that you avoid a fine for non-compliance on any point.

(Note: Financial organizations are not allowed to join the Privacy Shield Program.)

Many of the questions around GDPR revolve around permission and responsibility for data. But other possibly more complicated problems are surfacing as more people attempt to meet the requirements. 

For Peter O’Neil, CEO of ASIS International, GDPR compliance is a severe concern, but not for the reasons you might expect. O’Neil says it isn’t his headquarters he is most uneasy about, but the ASIS chapters that are operating semi-independently throughout the world.

“You’re going to hear a lot of people tell you they wonder about whether membership in an organization equals permission and what this means for the data they sell, but I’m wondering how I’m going to know what our European chapters are doing with their databases,” O’Neil said. “Our chapters are somewhat decentralized, and we’ve never really had total control over what they do or say. So how culpable are we going to be as ASIS International if and when a chapter’s found responsible for violating the regulation?”

Even if you delegate an agency or third-party provider to process the data for you, your organization is still held responsible for its safekeeping and compliance. 

“Maybe it’s a conference venue that you’re passing the data to so they can produce name badges, brochures or whatever,” Tullo said. “You’re also going to have to make sure that in collecting the data about ‘Carol Tullo,’ even if you’re asking someone else to process it, that they are compliant.

“You’ve got the same controls and the same reassurance that they are going to keep it secure, that they’ve got good systems, that they’re not going to pass it on to anybody else, and that they are handling that data responsibly,” she continued.

Guidance and support on GDPR-related issues could be an excellent opportunity for savvy vendors to help lead the way and make things easier for their clients and potential clients. But the path won’t be an easy one.

“I think most of the technology vendors are looking at the key requirements like consent and the right to be forgotten, which are in their wheelhouse, for providing a toolkit,” DeLorenzo said. “But these are still substantial undertakings from a data perspective when you think about having to anonymize or remove data from a transactional database.”

If the GDPR penalties start piling up, we’ll soon know if any of these efforts were money well spent.

The article's author, KiKi L'Italien, is the founder and CEO of Amplified Growth, a D.C.-based digital marketing consultancy. She also is a blogger for Meetings Today and will speak at our 2018 Meetings Today Live! events.