As the May 25 enforcement deadline for the European Union’s General Data Protection Regulation creeps closer, the implications for how companies acquire, use, and retain personally identifiable information for citizens and legal residents of the EU are coming into focus in all segments of the meetings industry. For organizations that share attendee data with their destination management companies, there are new responsibilities and risks. We spoke with Marty MacKay, DMCP, president of Hosts Global, about her efforts to drive GDPR compliance and her guidance on the kinds of conversations clients and DMCs need to have in the GDPR age.
MeetingsNet: What’s at stake for those in our industry surrounding GDPR enforcement?
Marty MacKay: So many aspects of our people-focused business require collecting and sharing personal data. Just think of all the guest information included in airport manifests, tour registrations, restaurant reservations, recreation safety waivers, etc. All of this and more will be impacted by GDPR’s requirements to obtain specific consent from individuals regarding how their data will be collected, managed, and stored or deleted. Half-measures at data control won’t cut it. Fines for GDPR compliance failures can be as high as 4 percent of global annual corporate revenue or 20 million euros—whichever is greater. Who wants to risk that?
MeetingsNet: What’s most important for planners to understand regarding GDPR compliance when partnering with a DMC?
MacKay: The most important aspect of GDPR compliance is consent. This means up-front consent from event attendees that their personally identifiable information (PII) will be shared with event suppliers, including the DMC and its subcontractors. Based on this, the client/DMC relationship now encompasses the roles of Data Controller (client) and Data Processor (DMC). These new responsibilities require new conversations to ensure we’re on top of our respective data chains.
When planners work with a DMC, I recommend they ask a few key GDPR questions:
• Do you have standard operating procedures for GDPR-compliant data processing?
• Is your organization trained to identify and close data control gaps?
In return, their DMC should ask the following questions:
• Have you requested consent from your attendees to send us their personal information?
• How will you be sending the data? Is your method secure?
• Are you sending us more data than you have asked consent to send?
• Does that consent include providing the information to our subcontractors?
MeetingsNet: Do you foresee any industry challenges?
MacKay: We all store so much data that we never think about. Confronting legacy data systems, cleaning them up, and managing in new ways is a monumental undertaking. It’s impossible to know the citizenship of each event attendee or identify just EU citizens to ensure GDPR compliance. So absolutely, we should expect challenges. Our company is taking a holistic approach to protecting each individual’s data moving forward, not just Europeans. The temporary hassles of navigating these layers of data processing are far outweighed by the long-term benefits of better data protocols and quality assurance for our clients.
MeetingsNet: Any required actions that planners should be thinking about for programs that run immediately following the GDPR deadline?
MacKay: Many of our clients require registration websites for their events. If you are currently running a “live” registration for an event that occurs after May 25th, double-check to make sure you’ve asked for the proper consent from registrants.
Marty MacKay, DMCP, is president of Hosts Global, a worldwide alliance of DMCs, and president of the Association of Destination Management Executives International.