There is still much confusion in the meetings industry following the May 25, 2018, implementation of the Global Data Protection Regulation (GDPR). 

Bruce Smith, managing director of London-based Tenax Analytics, helped explain some of the intricacies of the EU and UK regulation and risks for planners and suppliers during his MPI WEC 2018 presentation: “How to Thrive in the New Era of Data Privacy: A Forensic Insight to the GDPR.”

Smith posed that the approach to the security of data is one of the most significant issues facing governments, corporate entities and individuals. He also believes that according to current indicators, most organizations will suffer a data breach—whether it’s an external hack or inside job—if steps are not taken to educate employees about the dangers of not providing adequate protection.

During the presentation, Smith emphasized that GDPR impacts every company that stores or captures personal data of European participants attending events or meetings regardless of where the meeting is held or where a company is based. Noncompliance could lead to fines of up to $20 million-plus, or 4 percent of global annual turnover for the preceding financial year.

[Related Content: Not GDPR Compliant? Here's What You Need to Do NOW!]

According to Smith, U.S. planners will be affected by the way they handle people from the EU. Being an EU citizen is what determines it. The country they are based in will determined by the governing body.

“It’s not your company’s data, it’s your client’s data,” he said.

He noted that GDPR is a principle-based set of regulations rather than a rule-based set, which means there will be a lot of interpretations moving forward, including possible open interpretations of Article 82 of the Regulation, which states:

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

GDPR Ready? Our Industry (and Others) Aren’t There Yet

So, what’s new since GDPR launched on May 25?

  • Many companies are still scrambling to become GDPR ready (Only about 50 percent of companies in countries affected are ready for GDPR, as noted in the presentation).
  • Complaints have already been filed against companies claiming they are seeking forced consent in terms of service from their users: Google (France), Instagram (Belgium), WhatsApp (Germany) and Facebook (Austria), among others.
  • Several clients are sending new contracts requiring incentive planning houses and other hospitality companies contractually agree they are GDPR ready.

Smith stressed that compliance to GDPR is a best practice and is achievable for all of those who work with European customer/client data, but planners need to begin now with the following 12 steps:

  1. Awareness: Make sure that decision makers and key people in the organization are aware.
  2. Information: Document what personal data you hold, where it came from and who you share it with.
  3. Communication Privacy Information: Review your current privacy notices and put a plan in place for making any necessary changes.
  4. Individuals’ Rights: Check your procedures to ensure they cover all the rights individuals have.
  5. Subject Access Requests: You should update your procedures and plan how you will handle requests.
  6. Legal basis for Processing Personal Data: You should look at the various types of data processing you carry out. Identify your legal basis for carrying it out and document it.
  7. Consent: You should review how you are seeking, obtaining and recording consent.
  8. Children (if required): Start thinking about putting systems in place to verify individuals’ ages and to gather parental or guardian consent.
  9. Data Breaches: Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  10. Data Protection by Design and Data Protection Impact Assessments: Familiarize yourself now with the guidance the ICO (UK Information Commissioner’s Office) has produced on Privacy Impact Assessments.
  11. Data Protection Officers: Designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within the organization.
  12. International: If your organization operates internationally, determine which data protection supervisory authority you come under.

He also suggested the following regarding obtaining client consent:

  • Remove the idea that this is being done because of new regulations and instead use it as a way to build trust with clients and prospects—it’s also a good way of updating your mail base.
  • Have a conversation with your clients about how you use their data.
  • Craft your message carefully before you send emails out asking for continuation of consent from existing contracts (getting legal consultation is best).

Consent must be freely given, specific to the purpose and informed.

Another tool for individuals is using the website Disconnect, which works with browsers including Firefox and Chrome, to tell users who is tracking you.

“GDPR is going to be around,” Smith said. “They are already talking about the next level.”

[Related Content: GDPR Is Ready to Bite the Meetings Industry]