by Paul Cook, Mariela McIlwraith and Michael Owen
The General Data Protection Regulation (GDPR) is an EU law that regulates the collection, use, storage, disclosure and other processing of “personal data” (the term U.S. readers usually know as personally identifiable information, or PII). It was adopted by the European Parliament in April 2016 and applies from May 25, 2018. It requires businesses to protect the personal data and privacy of individuals in the EU, whatever their citizenship, and it covers processing within the EU as well as transfers of personal data out of the EU.
Who is affected by the GDPR?
The GDPR applies not only to organizations based in the EU, but also to organizations outside the EU that offer goods or services to, or monitor the behavior of, data subjects in the EU. Given the global nature of the meeting and event industry, it is likely that most suppliers are affected, and that any event with EU attendees, regardless of where the event is held, will also be affected. Everyone, whether planner, supplier, faculty or student, will be affected by the regulation in some way, shape or form. Even if you are a small part of a big organization, you are still accountable for your own handling of personal data; do not assume that it is the responsibility of another department, such as HR or IT. Ultimately, GDPR makes everyone accountable.
What are the consequences of non-compliance?
Failure to comply with the GDPR can have significant financial implications. In addition to reputation damage, organizations also face substantial potential fines for not meeting the requirements. According to the GDPR website, “Organizations can be fined up to 4 percent of annual global turnover for breaching GDPR, or €20 million. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. It is important to note that these rules apply to both controllers and processors—meaning ‘clouds’ will not be exempt from GDPR enforcement.” In addition, if your organization is told to stop processing data, it could put you out of business, which is far more severe than any fine.
What constitutes personal data, and what information do event professionals typically hold that needs protection?
The information collected in typical registration forms or hotel reservations, including names, contact information, credit card details, travel itineraries, passport numbers and medical conditions or allergies, would be considered personal data. If you collect IP addresses or set “cookies” for visitors to your website, this data also needs to be protected. A growing area for our industry that requires careful consideration is protecting the data used for facial recognition. Note that health information (such as medical conditions and allergies) and biometric data used to identify a person (such as facial-recognition templates) are “special categories” of personal data under the GDPR, which may be processed only under narrower conditions, such as the data subject’s explicit consent. The GDPR website defines personal data as “any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.”
How does GDPR affect marketing practices?
Much like the Canadian Anti-Spam Legislation that is already in effect, the GDPR sets requirements for obtaining permission to send electronic commercial messages. Consent under the GDPR must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: a pre-ticked box or silence does not count, and withdrawing consent must be as easy as giving it. Not only does the regulation require consent, it also requires that organizations disclose how the information will be used. The GDPR also places the burden of proof on the organization: you must be able to demonstrate that consent was obtained, which in practice means keeping records of how and when each person gave permission and for what purpose.
Where do I go for more information?
For more information, visit the Events Industry Council GDPR resource page, the GDPR Awareness Coalition or the U.K. Information Commissioner’s Office.
This article has been adapted, with permission, from the Events Industry Council Blog post “The General Data Protection Regulation (GDPR) is coming soon. Are you prepared?” Oct. 27, 2017, by Paul Cook, managing consultant, Planet Planit Ltd., GDPR Foundation and Practitioner Certified; Michael Owen, managing partner, EventGenuity Ltd., Events Industry Council APEX Initiative; and Mariela McIlwraith, CMP, CMM, MBA, director, Industry Advancement, Events Industry Council.
For More Information...
The impact of the General Data Protection Regulation (GDPR) goes well beyond events. Any association that markets to, or holds personal data about, individuals in the EU is affected by the law. IAEE has begun auditing its technology vendors, ensuring that the appropriate language is in place within the organization’s business rules, and implementing new processes where necessary to be GDPR compliant.
Through the collaborative work of the PII subcommittee within the IAEE Technologies Committee, IAEE is releasing a white paper on PII data security in just a few days. Please visit the IAEE web site at http://www.iaee.com and look under resources.