The countdown is on to May 25, 2018, when the European Union’s General Data Protection Regulation goes into effect. Now’s the perfect time for global strategic meetings management program leaders to finally get visibility and oversight of all rogue meetings and events spend emanating from and in the EU and U.K.
The most commonly recommended best practice for dealing with the new data protection rules is a data governance gap audit. An audit will expose all areas impacted by the GDPR, which hinges on how personally identifiable information (PII) is managed and gives individuals greater control over their PII. That means business travelers and event attendees who are EU citizens have the right to know how their registration and profile data is being used and can request a redaction of their data.
One of the challenges for SMMP global category leaders is getting visibility into local country spend and local country preferred supplier agreements. The new data protection rules provide an opportunity to finally get access to all this information through a GDPR readiness audit. Violating GDPR will result in huge fines of up to 4 percent of annual global revenue or $24 million (whichever is greater), so it shouldn’t be difficult for SMMP category leaders and procurement executives to get approval to conduct such a readiness audit and, more importantly, once the gaps are identified, to bring the rogue spending and supplier agreements into the corporate SMMP.
If you think about all the personal data currently flowing through business travel, meetings, and events, the data governance gap audit will itself be challenging, time-consuming, and comprehensive. You need to figure out what personal data you hold on for attendees, speakers, and sponsors; where it came from; and whether you have the adequate consent (under GDPR, existing pre-ticked opt-ins no longer count!).
You also need to know which systems the data is stored in, when it was last used, and what it was used for. In addition, you need to know how accurate the information is, what kind of current processes you have in place to keep the data safe, and, most importantly, whether it’s been shared with other suppliers and partners. If it has, then you need to ensure that you have the adequate consent and that those suppliers and partners are also doing everything they can do to comply with GDPR regulations to keep your data safe.
You are also responsible for communicating any incorrect information and even destroying the data if you never had the proper consent in the first place, which is often what happens when you merge registration and attendee lists from other meetings and events. You will not be able to do this anymore unless you know what personal data you hold, where it came from, where it is stored, and who you shared it with.
Lastly, you will need to document how you conducted your audit. You need to document your compliance with GDPR’s accountability principle, which requires organizations to show how they complied with data protection principles by having effective policies and procedures in place. And, in the same way that travel program financial audits are now standard operating practice, get ready for personal data audits also to become the norm.
With the new and more restrictive GPDR, you need to learn everything you can and use that knowledge to craft your audit and discovery guidelines. The 2018 GDPR changes are a blessing for global SMMP leaders, who will finally get much needed local country spend transparency and the opportunity to get this spend under the main corporate SMMP governance umbrella. It’s time to craft your global SMMP strategy for leveraging this compelling event for greater control and oversight of your global SMMP. Don’t miss this opportunity!