The European Union's new General Data Protection Regulation (GDPR) goes into effect next Friday, May 25. By now, most planners are likely at least familiar with this policy, which aims to better protect the personal data of EU citizens and residents. Replacing the EU Data Protection Directive, first instituted way back in 1995, the updated regulations cover a huge range of data, including attendee names, photos, social media posts, computer IP addresses, and more -- and apply to any organization collecting data on EU citizens or residents (regardless of where the organization is based or where its meetings are held).
That means there is a good chance that most planners will be affected by GDPR in some way. To delve into the specific requirements and what planners need to do to ensure they are compliant, Successful Meetings spoke with Kevin Iwamoto, senior consultant at travel consultancy GoldSpring Consulting, who has been urging organizations in the travel and events industry to prepare for the impact the regulation will have on their business. Here he outlines the most pressing issues raised by GDPR and how planners should be preparing.
What effect do you think this is going to have on the management, not just of meetings, but of incentive programs that have international audiences?
It really comes down to changing the way they collect and use information. And a lot of it starts with "the list that never dies." It goes back 20 years -- you invite people from that original list and it just keeps getting repurposed and sent to partners and to other attendees -- a proliferation of personal data information that, as an industry, we're really not great at safeguarding. It's often not encrypted or password-protected. We give access to anybody who wants to see it. All of that has got to get cleaned up for GDPR. Otherwise, you could face significant fines.
However you are putting together these lists, they now have to be made current, and everybody who's on that list has got to give you consent to be on it. Now they define the people collecting this information and organizing these meetings and event trips as controllers. Your suppliers -- technology partners, meeting management companies, DMCs, CVBs -- are defined as processors. Those processors are the ones using your data in order to help you orchestrate the incentive trip, meeting, or event.
And how are not just the companies themselves, but their suppliers, getting in compliance with this?
It's really more of a process revamp and a logistics evaluation. You really need to do a personal information audit to see who currently has access to this data, why they have access to it, how they are using it, and maybe even revamping the whole process flow or standard operating procedure, to eliminate or reduce the amount of touchpoints for this data, so that you can kind of remove any kind of potential liability or fines. A lot of it has to do with taking a look at how we currently do it and how we can redo it to mitigate, eliminate, or minimize any opportunities for fines to be assessed by the European Union.
And how is the European Union monitoring this, specifically with the meeting and incentive industry -- or do you have to get that specific?
What this whole initiative is doing is giving power back to the attendee. If you think about it, attendees traditionally don't have any power or say about how their data is used. We ask them for information, they comply, and if they don't comply, they're not included. Whatever happens in the planning process or the meeting or event process, they're just told what they have to do, where they have to go, asked what sessions they want to attend, what they want to eat. GDPR says, "wait a minute, if you don't really understand the data you're giving up, how it's being used, who's using it, why they are using it, and you haven't given consent for it, the whole thing stops right there." It really changes the fundamental structure of how we organize and operate meetings and events today.
The organizers -- or the controllers as I'm going to call them -- have to document that consent. When the consent is given digitally, it's easy, because it's captured online. But when the consent is verbal or when the consent is given in a non-technology environment, it's up to the controller to document the date of consent and the methodology and put that into their consent database. So now they have to keep these consent databases and anybody and everybody who's on a list has got to give you consent to be on that list. And if not, you have to take them off.
I've attended many association conventions through the years, and the better-run ones will include a clause when you register that says, "You agree to be photographed at this event."
Right. Associations tend to do it better, because they may have a global membership and must have their ducks in a row. GDPR covers EU citizens and residents, which could include an American expat living and working in Europe. So you can't just go by the attendee's passport, you have to go by place of residence or place of citizenship as to who this applies to. This is why it doesn't matter whether your event is held in the U.S.: as long as you have one EU resident or EU citizen, you have to comply with GDPR and all of the expectations around it.
Instead of having a separate process for non-EU residents or citizens, a lot of American companies have decided to adopt the more rigid GDPR standards, because then you have one process instead of two based on residency or citizenship. That requires you to document your consent forms. GDPR also says that you have to name who is touching the data, how they're using the data, how long they may need access to this data. And it can't be buried in this very complex, lengthy legalese that people tend not to read. It's got to be very easy to understand.
The penalties are pretty stiff. It's EUR 20 million -- about $23 million -- or 4 percent of gross annual turnover or your company revenue, whichever is higher. There could be iterations of fines depending on the severity of the situation.
How will GDPR impact attendees and their experience of an event?
It's not just attendees, it's anybody -- not just meetings and events and travel that's affected, but any kind of company program, company incentives, marketing programs. The marketers are going to have a really, really tough time with GDPR. The rights that are given to attendees, or EU citizens or residents, are pretty substantial and you're going to have to think about their rights when you build these programs. And even simple things like RFID: if you don't let them know about that RFID, what that technology is, what it's going to capture, what they're going to do with it, and whether they agree to it being used, you can't use it on them. The private citizens now have the right to file a complaint with the EU and from there comes the fine. So, there are some key tenets that are new that GDPR brings in terms of data subject rights to the individual. So, one thing that's brought up is breach notification. You remember how Equifax took months, and so did Yahoo, to notify their subscribers that "Oh, forgot to mention by the way we got hacked and all your information got hacked about two months ago." Under GDPR, you've got to notify within 72 hours. And the processors, they are required by GDPR to notify the customers and the controllers without any undue delay. So there's no freedom of leaving it up to you when you notify.
There's something called "right to access," and that's an expanded right for data subjects. So the person asking for the information: "How much data of mine do you have, how is it processed, why is it being processed, who's using it, for what purpose?" If somebody asks the controller for this information, they have to give it free of charge, in an electronic format, and it has to be totally transparent. So, at any time I could ask you, for example, how much data you've collected on me, how you are using it, and where you have used it. And you need to send that to me for free. Clearly that's going to change some internal processes and access for transparency, but it's part of GDPR, right.
The key thing is called "the right to be forgotten," under Article 17. That means that you as a data subject have the right to ask the controller to erase your personal data, cease further dissemination of the data, and advise your third parties to halt processing of the data. So you can see the downward chain of command. Controllers need to figure out how to simplify this process in case somebody says, "I want to be deleted." That's going to cause some serious change of process and it is going to cost some money.
What are some other issues to keep in mind?
There is data portability, which means the data subject has the right to receive personal data that concerns them. And it has to be in a machine-readable format, and the right to transmit that information to another controller. You don't have the right, when you collect my data, to exclusively use my data. I can revoke that right and I can move it to somebody else.
The last thing is privacy by design and data protection officers. Depending on what line of work or industry you're in, the GDPR requires that you hire a data protection officer, or DPO. Those are going to usually be government organizations. The DPO is going to be responsible for regulating and monitoring data subjects on a large scale, or special categories of data. And they're going to be totally liable for any kind of infraction or fines or breaches, and so on.
These are some new things added to data protection for the individuals that currently don't exist in the U.S., and weren't even widely present in the EU; they were only sporadically present in different parts of the EU. The good part of this whole GDPR is this: it's going to give a baseline of rules and regulations across the 30 European Union countries plus the UK. Currently, each country has its own standard. Under GDPR, all European Union nations have the same standards. You can make it stricter; you cannot make it less than the current baseline.