by Derek Goodnature
On May 25, 2018, the sweeping new rules known as GDPR went into effect. The regulation significantly changes how companies must manage personal data about individuals in the European Union, and companies are scrambling to make sense of it. The urgency is heightened by two factors: the law is ambiguous in several areas, and the penalty for violating it can, in theory, run into the billions of dollars.
What does this have to do with company sports tickets and client entertainment? Simple: if there’s even a chance your company is inviting EU residents to sporting events, you could easily be violating GDPR unless you have taken specific steps to be compliant. That’s true even if the live event in question takes place outside of the EU. In fact, GDPR will affect a large number of US-based companies that will be slow to realize it.
Confused? Let’s review some of the basics.
Who is affected?
GDPR covers all organizations established in the EU, as well as organizations outside the EU that offer goods or services to people located in the EU or monitor their behavior there. In practice, that means anyone processing personal data about people in the EU should assume the rules apply.
On the surface, that might seem fairly unambiguous. But consider the following scenarios:
- You’re a US-based software company that primarily markets its products to IT professionals at American companies. One of your email marketing messages is received by the VP of Technology of a US multinational corporation while she is away on business in the EU. Guess what? Any data you collect on her as a result of her receiving and interacting with your email message is subject to GDPR.
- Your company sells industrial equipment across the globe. While your primary markets are in Asia, you also have versions of your website ending in European country codes (like .de, .nl, and .fr) which are displayed in the native language of these countries. You are subject to GDPR for any data collected when someone in these countries accesses your website.
- Your company is based in the US and regularly distributes surveys to corporate decision makers around the world. One of your surveys is completed by the head of marketing for a French company while he is attending an international conference in Las Vegas. The survey data you collect from him is not subject to GDPR because he was not in the EU when he provided it to you.
- You run a US-based CRM website where companies can sign up and upload their customer data. Your company cleans, formats, and displays customer data so corporate leaders can make better decisions about where to focus their efforts. If any of the data uploaded by your customers includes personal data originating in the EU, you guessed it: you are subject to GDPR, even though you did not collect the personal data yourself. (In GDPR terms you are a processor acting on behalf of your customers, the controllers, and processors have obligations of their own.)
The scope of who is affected by GDPR is so vast that Yaki Faitelson, a member of the Forbes Technology Council, recently published an article titled: “Yes, The GDPR Will Affect Your U.S.-Based Business.”
In short, if you’re not sure whether GDPR affects your company, it probably does.
What must companies do to stay compliant?
GDPR governs how companies treat the personal information they collect about EU residents— how much they collect, why they want it, what they intend to do with it, how they protect it, and how quickly they must alert authorities when these data are breached.
And that’s just the start.
The 99 articles that make up GDPR contain extremely specific requirements covering:
- the records companies must keep about the personal data they process, and why they process it
- a documented lawful basis for collecting personal data (what US companies usually call personally identifiable information, or PII) in the first place, and collecting no more of it than the stated purpose needs
- pseudonymizing or anonymizing personal data where it is practical to do so, so that a breach exposes less
- strict timeframes for notifying the supervisory authority after a breach of personal data (within 72 hours of becoming aware of it, where feasible) and, in high-risk cases, notifying the affected individuals as well
- appointing a data protection officer (DPO) in companies whose core activities involve large-scale or sensitive processing of personal data
- obtaining affirmative, opt-in consent before processing personal data where consent is the lawful basis relied on (pre-ticked boxes and silence do not count)
- providing individuals with a copy of their personal data within one month of receiving a request
- erasing an individual’s personal data on request under certain circumstances (the “right to be forgotten”)
The list goes on. It is small wonder that a cottage industry of GDPR consultants has sprung up to help companies navigate the maze of requirements that must now be followed.
And if you decide to throw caution to the wind and just figure it out later?
You might not want to do that…
Penalties for non-compliance
In the wake of major data breaches at companies like Yahoo, Facebook, and Uber, European officials have attached serious fines to non-compliance with the new law. Companies found in violation can be fined up to 4% of global annual revenue or 20 million euros, whichever is higher.
You read that right. Clearly, the EU is targeting large multinationals who have been accused of having a devil-may-care attitude toward protecting user data. Some analysts suspect the EU will make an example out of a large corporation to scare others into taking the new rules seriously.
Don’t let that be your company.
How does this affect my company sports tickets?
If your company collects personal data about guests and invitees who are located in the EU, you are subject to GDPR. Think about that: if any of the hundreds or thousands of people you take to ball games, concerts, or even dinner happen to be in the EU when you collect their information, you suddenly have to worry about whether or not you’re in compliance, and how much it will cost you if you’re not.
Unless you use TicketManager. We adhere to stringent security and privacy standards, including GDPR. In fact, we are one of the only ticket management solutions to have completed a SOC audit, an independent attestation of our security controls by an outside auditor.
- We use auditors from multiple independent firms to test our security on a regular basis.
- All of our data is encrypted in transit using TLS (commonly still referred to as SSL)
- Our data facilities are protected with biometric access and 24/7 surveillance
- And more
Companies often struggle to manage tickets and guest lists with Excel and email. Those who build their own internal ticketing system almost always find themselves overwhelmed by the difficulty, and the cost, of building and maintaining it over time.
GDPR renders all of these homegrown solutions obsolete. If you’re not using a ticket management solution that’s compliant with the new rules, you’re putting your company at risk of millions of dollars in fines.
See why the world’s best companies use TicketManager to make company tickets easy & prove the ROI.