Kevin Iwamoto is no longer a lone voice in the wilderness, speaking out about the impact the increasingly imminent General Data Protection Regulation will have on meeting planners. And that makes Iwamoto, a senior consultant with GoldSpring Consulting, very, very happy.
He’s been talking about GDPR since it was passed last year by the European Parliament, the Council of the European Union, and the European Commission. It replaces the EU Data Protection Directive put in place in 1995, back before the Internet and cloud technology completely transformed how meeting planners collect, store, and process attendee data. Designed to better protect the personal data of EU citizens and residents, it covers everything from attendee names, photos, and email addresses to social networking posts, medical information, and computer IP addresses, and it applies to organizations headquartered anywhere in the world, holding meetings anywhere in the world, that are collecting any personal data on any EU citizen or resident attendees.
But until recently, his evangelizing was met mostly with yawns and glazed-over eyes, he says. Yes, it is kind of boring and technical to think about, and it does sound like it should belong to the legal or IT department, not to planners. I have to admit, though it was my idea to make it this issue’s cover story, I was kind of dreading digging into it too.
But, as the more than 600 people who signed up to hear Iwamoto talk about it on a recent MeetingsNet webinar now are starting to realize, it is all of our responsibility to understand what GDPR is and how to bring our meeting data processes—and those of our vendors—into compliance.
Why? Think about all the personal data you collect on registration forms, mobile apps, and surveys—and think about all the data that your vendors and suppliers are processing on your behalf. That’s a lot of data to wrangle, and if it isn’t done right, you could be facing a fine of up to 4 percent of your organization’s annual turnover from the preceding year, or up to $24 million, whichever is higher. This regulation has some big teeth, and it will come back to bite those who don’t start pulling their processes into compliance.
As Iwamoto says, “You can’t just hope for the best—hope is not a strategy. You could be putting your company at risk for a large fine, and when the company gets the bill, they’re going to be looking for a scapegoat. You do not want to be that scapegoat.”
Here is our guide to everything you need to know about GDPR. Please read this and other resources and, more importantly, get your ducks in a row. May will be here before you know it.