May 25 and the implementation of Europe’s General Data Protection Regulation is right around the corner. If you haven’t started preparing yet and are beginning to panic about 20-million-Euro fines, here are some no-nonsense answers from Rutger Broekhuizen, a cross-border business regulation expert based in the Netherlands. Broekhuizen reassured us that, “it is perfectly possible—without too high a cost—to create awareness and develop the required knowledge and skill set within your own organization.” So, take a deep breath, read his responses, and get ready.
MeetingsNet: Are organizations really at risk of incurring a 20-million-Euro fine if they are not in compliance with GDPR?
Broekhuizen: The General Data Protection Regulation indeed applies to any planner processing a European citizen’s personal data. However, I dare say that the risk of 20-million-Euro fines is somewhat hypothetical.
It is far more likely that the pressure to become compliant will first come from someone who is concerned about how their personal data is being handled. What we currently see is that the greater awareness of the general public regarding privacy issues causes people to think more about the processing of their data, and that they consequently are quicker to be critical or to object if they feel that their rights are violated or that the processing of their data is not conducted in a careful manner. Attendees are free to file a complaint with the Dutch Data Protection Authority or another country’s DPA, which will probably lead to an investigation and a notice of noncompliance before any actual sanction is imposed.
Also, more generally speaking, the pressure to comply with the new rules will come from the side of larger companies demanding compliance from their suppliers.
Clearly, there will be more pressure to protect personal data than before, but it will take some time before penalties and sanctions are routinely imposed.
MeetingsNet: How does GDPR differ from previous legislation?
Broekhuizen: The GDPR offers more tools to the authorities to investigate, monitor, and sanction noncompliance than the previous legislation. Existing rules are largely similar or identical to those of the GDPR, but in the past, there were few sanctions and hence little awareness.
Employees are often not aware that they are handling sensitive data. Just by creating awareness, a great number of problems caused by careless handling of personal data will be prevented.
The language of the privacy statement is important. As with the data processing agreement, the text has to be tailored to the specific situation of the company using it.
MeetingsNet: Can you clarify some of the GDPR terminology?
Broekhuizen: The person whose personal data is concerned is the “data subject.”
The “controller” is the party who decides the “purposes” of the data processing.
The “processor” is the party who processes the data on behalf of the controller.
The organizer of a convention or meeting will generally qualify as, and perform the role of, controller. Service providers such as the registration company must be regarded as processors if they process personal data on behalf of the meeting planner.
MeetingsNet: What should U.S. planners know about GDPR in terms of attendee registration and service provider contracts?
Broekhuizen: What is important to remember is that at some point in the process of organizing a meeting, the participants should be asked to give their consent to the processing of their personal data. Under the GDPR, if a person does not object, this can no longer be construed as silent consent. Meeting participants must opt-in. Service providers offering online registration tools are becoming more aware of this requirement. They are building the consent request into their registration modules, and it becomes a tick-the-box option. Making use of an appropriate web tool can relieve some of the pressure in this area.
It is also important to note that the GDPR obligates controllers and processors of personal data to enter into a separate written data processing agreement, in which an extensive list of topics—specified in the GDPR—has to be dealt with. They can no longer be incorporated in general purchase conditions or standard contract templates.
MeetingsNet: Are there standard forms for data processing agreements?
Broekhuizen: Currently, a lot of templates for data processing agreements are circulating on the web. However, we see a lot of examples where such agreements are not entirely adequate, often because the interests of the client (controller or processor) are not sufficiently protected.
MeetingsNet: Is there an official certificate that businesses can get saying “GDPR compliant”?
Broekhuizen: No. The GDPR provides for this mechanism, but it will take some time for such schemes to be developed. Therefore, where processing participants’ personal data is a core or ancillary part of a service, the need for a specific data processing agreement is inescapable.
MeetingsNet: Should planners invest in outside experts to help them with this new legislation?
Broekhuizen: The GDPR is complex, as EU legislation tends to be. This does not mean that carrying out regular business processes at all times requires specialized, in-depth knowledge of the GDPR. A good training in GDPR basics and some initial advice from a specialist will go a long way.
Also, while companies should, of course, aim for full compliance, there is a general consensus that being fully compliant is, to put it mildly, quite a challenge. My advice: understand that an important aspect of working with the GDPR is to be able to prove that you constantly use your best efforts to comply with the rules. Then, if a non-conformity is found by the authorities, it will be less likely to immediately lead to sanctions. At least, that is how Dutch government authorities usually work. If, however, no serious efforts are made to comply with the legislation, the authorities will be less likely to take a lenient approach.
MeetingsNet: Are European businesses already set up for compliance, so that this is no big deal?
Broekhuizen: The implementation of the GDPR is quite a big deal.
MeetingsNet: What are your tips for preparing for GDPR?
Broekhuizen: The quickest way to get up to speed with the GDPR is to have a specialist explain the essentials and advise you how to get the basics right in your core processes. Don’t depend on your business partners to inform you or protect your interests. Your partners will often not be as knowledgeable about your needs, and their legal interests under the GDPR are not always entirely aligned with your own.
Privacy is a crucial part of your business as a meeting planner. It is perfectly possible—without too high a cost—to create awareness and develop the required knowledge and skill set within your own organization. You will still work together with your business partners to be compliant, but you will be able to do so while protecting your own interests and without having to depend on them to inform you about the applicable rules and processes.