A world leader in meetings and events, BCD M&E designs and executes meetings, events and incentives through proactive solutions, innovation and the power of imagination. Learn more at www.bcdme.com and follow @bcdme.

You’ve heard of the European Union’s General Data Protection Regulation (GDPR), which went into effect May 25, 2018. While the GDPR is a European privacy law, it has global reach and impact. This broad reach, increased privacy standards and the potential for large fines and penalties for companies that do not comply, mean that the GDPR has become a key topic of focus for the business travel and meetings and events community.

Data protection laws are a set of laws that govern the way that businesses collect, use and share personal data about individuals. While these laws are nothing new and almost every country has privacy regulations in place, the GDPR is a major overhaul of the current EU data protection law. In fact, it’s the biggest change in EU data protection law in over 20 years. The GDPR is a regulation — which means it must be followed in its entirety throughout the EU. In other words, no further enabling legislation by individual EU countries is needed for the GDPR to become law.

The GDPR is an attempt to strengthen, harmonize and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how organizations may obtain, use, store and eliminate personal data of individuals. It will have a significant impact on businesses around the world.

Who Does the GDPR Affect?

The scope of the GDPR is very broad. It will affect 1), organizations established in the EU and 2), all organizations involved in processing personal data of individuals in the EU — regardless of where the organization is established, and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world. The GDPR also applies across all industries and sectors.

What Are the Main Changes?

The overarching changes can be summarized as follows:

• Directive vs. Regulation. The GDPR will become law without the need for implementing legislation in each EU member state. This means a greater degree of harmonization of data protection law requirements across the EU.
• Broader Definition of Personal Data. The GDPR defines “personal data” more widely than at present, and includes online identifiers such as IP addresses (unique identifying numbers that allow computers to communicate over the internet).
• Extra-Territorial Effect. The GDPR applies to entities that: 1), have an establishment in the EU; 2), offer goods and services to individuals in the EU; or 3), monitor the behavior of individuals in the EU. Accordingly, entities without an EU presence may be subject to the GDPR’s requirements.
• Substantially Increased Fines. Failure to comply with the GDPR’s requirements can lead to fines of up to 20 million EUR or up to 4 percent of total annual global group revenue in a financial year.
• Stricter Consent Requirements. The GDPR sets a high standard for consent for processing (collecting, using and storing) personal data. The GDPR is clearer that consent must be unambiguous and involve a clear affirmative action. Silence, pre-ticked boxes or inactivity cannot be used to imply consent. Individuals also must be able to easily revoke consent.
• Breach Notification Obligations. The GDPR requires a controller to report a data breach to the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals. There is also an obligation to notify affected data subjects without undue delay in certain circumstances. The GDPR also requires a processor to notify the controller of any data breach without undue delay.
• Expansion of Data Subjects’ (Individuals’) Rights. The GDPR bolsters existing data subject rights and introduces new ones such as the right to be forgotten and the right to data portability (transfer of data to another third party).
• Privacy by Design and Data Protection Impact Assessments. Data protection must be considered from the outset when new technologies are designed, rather than as an afterthought. Controllers must conduct data privacy impact assessments before processing personal data where the processing is likely to result in a “high risk” for the rights and freedoms of individuals due to the use of new technologies or the nature, scope, context and purposes of the processing.
• Appointment of a Data Protection Officer (DPO). The GDPR requires the appointment of a DPO by all private bodies (whether controllers or processors) whose “core activities” consist of either of the following two processing activities: 1), regular and systematic monitoring of data subjects on a large scale; or 2), processing on a large scale of special categories of data and data relating to criminal convictions or offenses. I&FMM