In 1994, Vice President Al Gore famously called the internet an "information superhighway." Since then, smartphones and social media have created new, ubiquitous lanes on that ever-growing road, the surface of which is paved in people's personal data. In response, regulators around the world have argued for the creation of new "traffic laws" to govern digital highways as if they were real ones. The latest among them: the European Union (EU), whose new General Data Protection Regulation (GDPR) took effect on May 25 and will impact all organizations that collect data on EU citizens and residents -- including those that plan meetings and events that Europeans attend. To find out how the new law will impact meeting professionals, Successful Meetings spoke with George Sirius, CEO of meetings technology company Eventsforce, who shared six essential takeaways that will help meeting professionals understand what GDPR is and what obligations it creates.
1. Although it's a European regulation, GDPR affects everyone, everywhere.
According to Sirius, GDPR is "the most important change in data privacy regulations in 20 years." One reason it's so significant is because of its enormous reach: Although the EU created it in order to give EU citizens more control over their personal data, the regulation has global implications.
"It is a European regulation but it applies to any organization which collects and processes data on European citizens and residents -- so even the American living in the U.K.," Sirius says. "If you're hosting events in Europe or your attendees are coming from Europe, regardless of where your events are taking place, then the new regulation will apply to you -- and so will the fines for non-compliance."
2. Meeting professionals in many cases are responsible for GDPR compliance.
At first glance, GDPR appears to be a regulation written for IT and legal professionals. That's true. Because meeting professionals rely on IT systems to collect and handle attendee data, however, they are also important stakeholders.
"We conducted a research study recently looking at the event industry's current state of readiness for GDPR and we found that more than 60 percent of event planners hold responsibility for compliance," Sirius says. "And this is no surprise. Events deal with an enormous amount of personal data collected through registration systems, apps, surveys, social media, lead capture tools, etc. It is the event planner -- and not the IT or legal guys -- who decides what data is collected from events, how consent is managed, and how that data is shared with third parties like venues and hotels."
Their key role in data collection means meeting professionals who don't comply with GDPR represent a liability for their organization. "Another reason why the legislation matters for event professionals is because of the number of things they traditionally do that can now put their organizations under serious financial risk with GDPR," Sirius continues. "Things like using pre-ticked consent boxes on registration forms and apps and not having the proper processes in place to manage attendee consent. Or sharing delegate lists through unsecure spreadsheets with venues, speakers, and other attendees. Or not paying attention to the information freelancers and temp staff have access to. Or leaving unattended registration lists lying around. It is therefore incredibly important that event professionals understand what they should or shouldn't do so they can then figure out what changes they need to make around collecting and managing the personal information of people coming to their events."
3. Non-compliance will cost you.
GDPR isn't a recommendation; it's a rule. If you fail to comply, there could be financial consequences.
"The consequences for non-compliance can depend on many things: how long the infringement lasts, the number of individuals who have been affected, and the level of impact," Sirius says. "It's also important to remember that penalties for non-compliance will be applicable to both data controllers (i.e., the organization hosting the event) and the data processors (i.e., event tech companies, event management agencies, and other third parties which process data on their behalf). For each instance of non-compliance, companies can be fined up to €20 million or 4 percent of their global turnover of the preceding financial year -- whichever is higher. That's alongside any personal damage that may be claimed by individuals whose data has been compromised, as well as the serious damage it could cause to their reputation in the eyes of attendees, customers, partners, and employees."
Facebook is a cautionary tale, according to Sirius. "Look at the recent Facebook data breach scandal; it is a good reminder for all of us why GDPR is happening," he continues. "If it had happened after May 25, the maximum GDPR fine would have come into play because of the number of users affected and what appears to have been inadequate monitoring of third-party practices. The incident has also shaken up people's trust in the way Facebook manages their profile information."
4. GDPR sets a new bar for meeting suppliers and vendors.
In order to comply with GDPR, meeting professionals may have to do more and better vetting of their supplier partners.
"GDPR regulations require compliance by both data controllers and data processors. In the case of meetings and events, the company hosting the event (i.e., data controller) must show how they're complying with the new regulations. And part of that responsibility is making sure that third parties that process data on their behalf (e.g., event tech companies, hotels, event management agencies, etc.) are also fulfilling their legal responsibilities," Sirius says. "Why? Because if in the course of an investigation the authorities find that these parties have not been compliant, then the host organization may also be liable, even if they themselves were compliant."
In the case of event tech providers, Sirius says event planners must find out where their event data is hosted and how that data is transferred, and confirm that both are compliant with the new regulations. "They need to find out how the data is being used by the organization, who has access to it, and where they're based," Sirius explains. "For example, if their customer support team is based outside the EU, even if data is hosted within the EU, then they'll still need to ensure that they're complying with GDPR standards."
With registration systems like Eventsforce, event planners must find out how their provider allows them to obtain and store consent, as well as how it can help them delete any personal data. "And they need to ask them how they themselves as an organization are complying with GDPR," Sirius says. "Having an EU-based tech provider will ensure they're also subject to the new regulations, which will limit the risk of non-compliance. But that's not enough. What is their understanding of GDPR and how are they planning to help you, their clients, meet their obligations? How important is data security for them and do they follow best practices? What about their own suppliers and contractors who also have access to their data? Having the answers to these questions will protect event organizers from any unpleasant surprises in the future."
5. GDPR isn't just about consent; it's also about security.
According to Eventsforce, 90 percent of meeting professionals already are underway with GDPR preparations, and more than 40 percent have already done things like data audits, updating consent boxes on registration forms and websites, and creating new processes for storing consent, meeting individual access requests, and deleting personal data.
But GDPR isn't just about getting consent to collect and share data; it's also about securing and protecting that data. "A data breach is essentially what can get you into a lot of trouble if you're not complying with GDPR," Sirius explains. "In fact, our survey results showed that data security will be a bigger priority for 81 percent of event planners because of GDPR. And yet, surprisingly only 30 percent said they'd taken steps to update their data security practices or prepare for a data breach, both of which are key to compliance requirements. Event planners need to show they're doing their best to protect the personal information of individuals to minimize the chances of it getting into the wrong hands. Failing to report a data breach within 72 hours can result in crippling fines under GDPR -- so ensuring that everyone in the events team has a good understanding of what constitutes a data breach and how to follow best practices is key to compliance. It's also important to think about what processes need to be put in place once a breach has been identified, including how to report it within a three-day timeframe."
6. Meeting planners don't have to do it alone; compliance is a team sport.
According to Eventsforce's survey, meeting professionals' biggest concern around GDPR compliance is their ability to meet all requirements by the May 25 deadline.
"Many were also unsure if the steps they were taking were sufficient for compliance, while others felt they had limited understanding of what needs to be done," Sirius reports. "If you feel you don't know where to start, we would recommend you get some legal advice or visit the ICO website, which has some fantastic easy-to-digest information on what you need to do. Or you may have a Data Protection Officer (DPO) within your own organization; work closely alongside what they're doing around GDPR so you don't have to replicate work. It would also really help the process if you have one person in the events team who takes ownership of GDPR and is the focal point for all things events and compliance. That way you can keep a tighter control on making sure all the necessary steps are being taken to prepare for compliance and that the events team aren't doing anything that puts your organization at risk."