• Bg Chatsworth House Library

Workshop: GDPR

Workshop: GDPR

Hosts: Hannah Mason, Ticketmaster (UK) & Giles Watkins, IAPP (US)

With a room full of inquisitive delegates, Mason and Watkins outlined the changing landscape for companies that use fan data, thanks to the inbound, European-wide General Data Protection Regulation (GDPR), which comes into force in May – just 100 days after the workshop itself.

The experts outlined such key aspects as how data is stored, transferred to third-parties, how mailing lists are built, and the stringent fines that will be imposed for the misuse of data.

Watkins highlighted the importance of data and the fact that corporations such as Google, Facebook, Amazon and Apple owe their fortunes to the use of consumer personal data. He identified four types of privacy harm to explain the background of why GDPR rules are being introduced, adding that the last time Europe tackled data regulations, Facebook founder Mark Zukerburg was just 11 years old.

Mason outlined the sharing of data between the likes of promoters, ticketing companies, and venues, highlighting just how many instances of data can be gathered when a fan attends a show. The penalties for the misuse of data under the GDPR rules will be 4% of annual global turnover or €20million, whichever figure is higher.

Mason said that GDPR is not just a European law – if you are targeting European fans, or processing European data, you fall within the reach of the new law when it comes into force on 25 May 2018. She also urged everyone in the room to ensure the privacy policies on their websites are updated and fit for purpose when the new law is introduced.

“So it might mean that you are only allowed to send Beyoncé marketing to people who previously expressed interest in Beyoncé..."

Watkins and Mason also revealed that the new law will allow the local regulators to initiate dawn raids, audits and similar initiatives to crack down on suspect organisations.

Prompted by audience questions, the data experts also talked about upcoming ePrivacy laws that might prohibit companies from targeting marketing material to fans, unless it is for data collected for specific acts. “So it might mean that you are only allowed to send Beyoncé marketing to people who previously expressed interest in Beyoncé – you might not be able to send Teletubby marketing to someone whose data you’d got as an Iron Maiden fan…” explained Mason.

She also warned that the GDPR laws open the doors to class action suits in Europe, while Watkins observed that some organisations are already actively working on cases ahead of the new legislation going live.

Watkins concluded that gaining consumer trust is crucial for future data commerce. And he noted that the GDPR rules are driving investment in training and technology, in addition to organisations creating new accountability frameworks.