May 22nd, 2018
The Top Five GDPR Questions From Meeting Professionals
As President of a global organization, I have the pleasure of working with meeting professionals from all over the world who work for many different companies, associations, and agencies. Because of our global capacity and mindset, the Global Data Protection Regulation (GDPR) has been a huge focus for Global DMC Partners, and it seems like as we get closer to the official launch of the regulation on May 25th, more and more questions have come across my desk from our clients and DMCs that are in both non-EU and EU countries. While meeting professionals that are not based in the EU may not necessarily be thinking about GDPR and its impact right now, there are five main questions that I have summarized from my daily chats with our clients and DMCs.
And, if you don’t know what GDPR is, here is a quick summary: GDPR is set to go into effect in the EU on May 25, 2018, and it represents a momentous change for EU data privacy regulations. It replaces and improves upon existing regulations by giving EU citizens more control over their personal data and how it is collected and used. It also outlines significant fines and penalties for non-compliant companies that collect, store, or process the personal data of their customers.
1. Ok, I know the definition now, but what are the key components of GDPR that I need to know?
- Security – Data security is vital and all technology systems used to collect and store EU citizens’ personal data must be secured according to industry standards. Any security breaches against your organization must be reported within 72 hours.
- Consent – Companies are required to obtain consent to store and use personal data of EU citizens. This means you, as an event organizer, need to obtain registrants’ consent to store and use their data and explain how it will be used after you collect it.
- Privacy – EU attendees will have a “right to be forgotten” and will be allowed to ask you to delete their personal data and stop sharing it with any third parties (e.g. exhibitors, vendors), who also need to stop processing it.
2. If I don’t have any meetings in Europe, is there a true risk if I’m not in compliance with GDPR?
Depending on the nature of your business, GDPR can impact your organization a lot or almost not at all, but in any case you should not ignore it. If you don’t currently manage programs for European companies or have European attendees at your meetings, you might one day soon!
3. What actions do I need to take right now to be compliant with GDPR?
To keep it simple, do two things first: 1) stop sending personal data via email and 2) familiarize yourself with the regulation and recommendations for compliance – read articles, attend webinars, speak to your legal and IT departments, talk to your event registration provider, and discuss GDPR internally with your team!
Next, pinpoint the tools you are using currently to collect and store personal data – like your online registration tool, Excel spreadsheets, email, CRM system, survey tool, e-marketing tools, and other internal storage areas – and start to outline the processes you have in place for collecting and storing data.
Appoint one or multiple employees to an internal GDPR taskforce to review data workflows, create and review a Data Protection Policy for your company, and monitor compliance. It would be a plus if your taskforce has a technical background in security or data management.
When it comes to collecting and storing personal data for events and meetings, consent must be actively given by the attendee for you to have their personal data. That means no more receiving their passive acceptance through pre-ticked boxes and opt-outs. You should also add in language to your registration process to disclose the purpose of collecting and processing their personal data, any third party recipients of their data, how long their data will be stored, and their ability to withdraw consent at any time.
Finally, educate all of your vendors and suppliers who may be handling personal data of event attendees. Make sure they are aware of the regulation and ask them what processes they have put in place.
4. What kind of consent language do you advise we add into our registration?
This will depend on the type of data usage and processing you have in place for the event. Separate language may need to be displayed and separate consent collected for the following scenarios:
- If you plan to share data with additional event vendors, like DMCs or hotels and other venues
- If you plan to share data with any other third parties, like sponsors or exhibitors
- If you plan to share data with any other attendees, like in an attendee list on the event’s mobile app
- If you plan to have a photographer taking pictures, photo consent should be collected
5. What GDPR tools do you recommend for meeting planners?
This is a tough one because there aren’t specific tools or technology in place for GDPR compliance. It is still a relatively gray area, and we’ll learn more once the GDPR is officially in place on May 25. For now, the most important thing you can do is analyze your processes and workflows when it comes to collecting and storing data, look into using online tools that encrypt and securely store your data, and ALWAYS collect consent.
-Author: Catherine Chaulet, President, Global DMC Partners