The questions were coming in faster than Kevin Iwamoto could answer them at the end of a recent MeetingsNet webinar on the new General Data Protection Regulation that will begin to be enforced in May 2018. GDPR’s aim is to better protect the personal data of citizens and residents of the United Kingdom and the European Union.
Between the looming deadline and the potential fines of up to $24 million or 4 percent of the meeting organizer’s global annual revenue of the preceding financial year (whichever is higher), meeting planners in the audience were keen to understand what GDPR is—and what they needed to do to comply with it.
Here are some key questions from the Q&A, with answers from Iwamoto, a senior consultant with GoldSpring Consulting and ardent advocate for planner and meeting supplier education on GDPR.
What is considered “personal data” under GDPR? Does it include publicly available information such as office addresses and work phone numbers?
According to the language on the GDPR website, it’s “Any information related to a natural person or ‘data subject,’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” Basically, GDPR considers any information that can be used to identify a specific person as personal data that must be protected, if that person is an EU or U.K. resident or citizen.
Who has to comply with the regulation?
Any organization that collects the personal data of any EU or U.K. resident or citizen must comply with GDPR, regardless of the organization’s location, where the meeting is held, or whether attendees are employees or paid speakers. This means both data controllers—in this case, the meeting organizer that is in charge of why and how the data is collected and processed—and data processors, the third-party suppliers that process the data on your behalf. As long as there is an EU or U.K. citizen or resident coming to your event, you must comply with GDPR. Keep in mind it also applies when you have a U.S. citizen who is a current resident of the EU or U.K., so you can’t just go by passport nationality. And if you are wondering if it applies to those conducting digital marketing campaigns that target EU/U.K. citizens or residents, the answer is yes, big time!
Are there any sample GDPR consent forms we could use?
No. You cannot just use a standard disclaimer as a blanket consent for all of your events, and the opt-in has to be active—no pre-checked opt-in boxes allowed. For each event, you need to outline what data is being collected, how it’s being collected, who will have access to it, and what specific purpose you and any others you share it with will be using it for. Whether your opt-in form is included in your registration online or on site, it has to comply with GDPR standards. According to the GDPR website, “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”
You also need to ask attendees for consent to include them on your attendee list, including on your event app, and don’t forget to list the suppliers who are collecting and using the data on your behalf, and every manner in which they are using it—all of that must be disclosed.
And yes, this means you can’t share mailing lists or labels with exhibitors or sponsors unless it is explicitly disclosed up front in your opt-in form (and attendees can opt out of sharing that information with any of the third parties named in the form). The consent form will also have to include how individuals can request that their data be deleted, and any consequences that may come from opting out, such as not being included on your hotel rooming list.
How do we handle getting “retrospective consent” from those who are already on our lists because they are past attendees or prospects? Do we need to request that they opt in, and if they don’t respond, remove them from our list?
Yes. Be sure the consent form you send them includes all the details about the data you are collecting, who you will share it with, etc. Your pre-GDPR consent and opt-in forms won’t provide all the information—including how to opt out—that the new regulatory standards require.
One of the best practices for getting GDPR-ready is to conduct a data and processes audit so you can resolve any gaps you identify. How should I get started?
I recommend having a conversation with your legal team to find out what the company already is doing for GDPR so you can figure out what you need to do to comply in your area of responsibility for meetings and events. I also recommend discussing your current program processes and standards about personal data collection, retention, and deletion with your meetings management and event management suppliers, your technology suppliers, destination management companies, and any other partner supplier you rely on to execute your events. Having those conversations and planning support will give you a specific compliance roadmap.
Who in my organization should be our dedicated GDPR point person?
That will depend on your organization, but you should have someone who is committed to leading and learning about everything GDPR to safeguard your organization as well as your team.
What is “privacy by design”?
Privacy by design as a concept has existed for years, but it is only just now becoming part of a legal requirement with GDPR. Privacy by design calls for the inclusion of data protection from the onset of the system design, rather than an addition after the system is built.
GDPR official website
The Event Planners Guide to GDPR Compliance
The GDPR Interactive Whiteboard
The Association of Event Organizers GDPR FAQS
The ICO 12-step guide to prepare for the GDPR
Etouches GDPR Ultimate Compliance Guide
Event Industry Council GDPR White Paper
Glisser Blog (click on “GDPR”)