By Ronnie Wendt
The EU General Data Protection Regulation (GDPR) is being hailed as the most important change in data privacy regulation in 20 years. This regulation will fundamentally reshape the way data is handled in every sector, from healthcare to banking, and yes, even meetings and events.
Though this regulation directly impacts Europe, savvy U.S. meeting and events planners are paying attention to the mandate and making changes now to ensure their compliance.
“Because GDPR is a European piece of legislation, many organizations in the U.S. wrongly believe it doesn’t apply to them. But the truth is GDPR applies to any event collecting personal information on European attendees—regardless of where organizers are and where the event is taking place—and meeting planners need to be prepared,” states George Sirius, CEO of Eventsforce, a global provider of online event management solutions.
Further, he warns, experts predict these regulations will eventually expand outside of the EU, as the subject of data privacy and security becomes more front of mind. “The UK government has already confirmed it will adhere to GDPR after it completes its exit from the EU, and there are similar regulations in Canada and Australia,” he says. “In June, California became the first U.S. state to pass its own data privacy law, the California Privacy Act. When it goes into effect in 2020, the act will provide the state’s 40 million residents with rights like those granted to European citizens through GDPR.”
PROTECT YOUR DATA
GDPR focuses on the rights of individuals over organizations. It was needed because existing legislation no longer met the privacy needs of individuals living in a digitally connected world. Sirius explains, “They were put in place long before the Internet, social media and cloud computing changed the way organizations use data—and GDPR aims to address that.”
He adds, “GDPR is also happening because of the exponential rate that data is being collected by organizations—and the events industry is no exception here.”
Meeting planners use many different collection tools—from registration systems and mobile apps to surveys, social media and lead capture tools—to gather and analyze information on attendees. Planners also collect personal information such as attendee names, contact details, employment data, gender, disabilities and dietary preferences.
“This is one of the key things GDPR wants to address: that organizations dealing with personal data are doing so in a transparent and secure way—and always in the individual’s best interests,” Sirius says.
That isn’t always how planners handle data today. Sirius says planners often put their organizations at risk by using pre-ticked consent boxes on registration forms and apps, by lacking proper processes to manage attendee consent, by sharing delegate lists with venues, speakers and other attendees through unsecured spreadsheets, by not paying attention to what information freelancers and temp staff can access, and even by leaving registration lists lying around unattended.
GDPR requires meeting planners to be more careful about, and with, the personal information they collect for events; how they manage consent; and how they share that data with third parties such as event technology providers, venues, hotels, etc. He adds, “They also need to become a lot savvier in keeping the data safe, so it doesn’t end up in the wrong hands.”
If organizations fail to comply with GDPR requirements, they can face crippling fines, especially if they have a data breach. “For each instance of non-compliance, companies can be fined up to €2.7 million or 4 percent of their global turnover of the preceding financial year (whichever is higher)—that’s alongside any personal damage that may be claimed by individuals whose data has been compromised, as well as the serious damage it could cause to their reputation in the eyes of attendees, customers, partners and employees,” he says.
He adds it is important to remember that penalties for non-compliance apply to data controllers (the organization hosting the event) and data processors (event tech companies, event management agencies and other third parties processing data on their behalf). “Meeting planners now have the added responsibility of ensuring these organizations are also managing their data in a GDPR compliant way,” he says.
THE CHARGE TOWARD COMPLIANCE
Sirius offers some steps to launch planners on the road to GDPR compliance:
- Figure out what personal data you or your clients hold on European attendees, speakers, sponsors, etc.; where it came from; and whether you have adequate consent (pre-ticked boxes and soft opt-ins will no longer count).
- Know which systems the data is stored in and where the data is hosted, when it was last used and what it was used for.
- Be aware of how accurate the information is.
- Know what processes are in place to keep the data safe.
- Determine whether the data has been shared with other suppliers and partners. “If it has, they need to ensure these parties also have consent and are doing everything they can to comply with GDPR regulations and keep the data safe,” he says.
“It sounds like a big job, and it is,” adds Sirius. “But there is no other way around it. Yes, getting prepared for the new regulation is a complex and challenging process. But those who can show they’re dealing with personal information in a transparent and secure way, and have respect for the privacy of individuals, will succeed in building new levels of trust. This will be key in deciding which organizations people choose to deal with in the future.”
NEED HELP WITH GDPR COMPLIANCE?
Eventsforce has published an eBook titled “The Event Planners Guide to Data Security in a Post-GDPR World.” This book offers checklists for meeting planners and their teams, which can be used to assess areas of vulnerability and make changes to minimize the risk of data breaches.