Phelps R. Hope, CMP — is senior vice president of meetings and expositions for Kellen, an association management company with offices and representation in the U.S., Europe, China, the Middle East, India and Southeast Asia. He can be reached at email@example.com or 678-303-2962.
One glance at your news feed on your smartphone and, chances are, news of a data breach is in the recent slew of headlines from social media networks to credit bureaus to banks, and everywhere in between. Data privacy and protection laws are at the core of soon-to-be-enforced regulations out of the European Union (EU). Whether you are meeting in the EU or have EU citizens on your attendance roster at a U.S.-based meeting, the same precautions must be taken. If your company has a plan in place, then you’re ahead of the curve. For those companies that do not, however, it’s time to create one now. The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018 and will affect meetings and conventions that handle the personal information of EU citizens on a global scale by protecting the data handling and processing of citizens of the EU whether they are physically in the EU or attending a meeting or convention abroad. This means that any organization’s meeting or convention that has EU citizens attending falls under the jurisdiction of the EU’s GDPR penalties and fines, if this regulation is violated.
There is a lot to be understood in the fine print of GDPR. This regulation not only focuses on how organizations control the personal data of EU citizens, but how they gain consent for that citizen’s information as well. As a meeting planner, it’s important to follow the guidelines by the book to avoid any fines or penalties from violations. An initial step is to ensure that the process provides an “elective” for attendees and prospective attendees to opt into and out of your communications or registration software. Samples (such as those found on www.gdpr4meetings.com, hosted by Debi Scholar) might be:
√ I understand and agree that a meeting planner will have my contact details for the purpose of planning meetings (such hotels accommodations, transportation, activities, etc.) Please note that if this box is not checked, then we are unable to secure your logistics for attendance at the meeting.
√ I understand and agree that a meeting planner will ask about dietary preferences and any special requirements that may be needed to plan a meeting.
√ I understand and agree that a meeting planner will have my contact details for the purpose of registering me to attend a virtual or hybrid meeting (live or on-demand).
√ I understand and agree that I may be contacted for a pre-meeting and/or post-meeting survey.
A non-response is no longer accepted as implied agreement, so there has to be a trail of proof that the participant elected to join the process and has the option to exit when they wish. The participant can also ask for access to their data that you have stored, and if the participant has any questions regarding their data storage or future use of their data then answers must be given within 30 days at no charge. Also, carefully analyzing and updating your current documents and contracts is a key next step to ensuring compliance to this regulation.
Under the regulations of GDPR the definition of what it means to obtain consent from meeting and convention attendees has changed. GDPR defines consent as any freely given, specific, informed, and unambiguous indication of the data subject’s wishes. “While associations typically link to legitimate interests for contact and data exchange, “ said Brussels-based Alfons Westgeest, Managing Partner, Kellen and International Affairs Advisor for EUROBAT and AMCA International, “a clear program illustrating how consent is obtained should be in place, along with a good software management plan.” In addition to making sure that your company is in compliance with the regulation established in GDPR, conventions and meetings professionals must also give attendees the option to withdraw consent as easily as they can give consent to process their information.
Penalties for infringement are incredibly punitive, and can run up to two percent of annual global revenue (or between €10 million to €20 million, whichever is higher), for the most basic mistake. The point of the stiff penalties is to create a global requirement for all companies that digitally interact with citizens of the EU to protect the use and storage of the electronic data of those citizens. If we’ve learned anything from Facebook’s recent data crisis, this is not a scenario you want to be involved in.
The first step you should take is to seek legal counsel to ensure your company is in compliance when it comes to GDPR standards. This is the easiest way to remain transparent in the process of planning for GDPR’s implementation. Once you’ve obtained legal counsel, identify the partnerships you have internationally so that you know which to develop a plan for first. Your organization can be held responsible for the adherence of these new guidelines by any contracted third party providers that market, interact or store any data of citizens from the European Union. When it comes to creating your plan for GDPR compliance, EU partnerships take priority because they are more likely to come in contact with EU citizens that are covered by GDPR’s regulations. “It is European as a regulation directly applicable as of 25 May, meaning a harmonizing of laws across Europe rather than compliance per country,” said Westgeest. It would also benefit your company to only work with GDPR compliant service providers and to designate a data and software protection director to act as a watchdog for breaches in compliance. The final step you can take to ensure compliance is to educate your company and your clients on your compliance plan as a whole.
May 25 is quickly approaching. If your company has already established a process for operating in compliance with GDPR, the hard part is over. If you have not, it’s important to start planning now. For more information on the General Data Protection Regulation, visit www.eugdpr.org or www.gdpreu.org. AC&F