David Chalmers, Senior Marketing Director, Europe, Cvent, talked with PCMA about GDPR:
We keep hearing and reading a lot about GDPR, but what does it mean for the MICE world?
DC: The EU General Data Protection Regulation focuses on the rights of individuals over their personal information and how companies use it. It will have a huge impact on the industry, affecting event professionals, agencies, technology providers, and associations across the globe and not just in Europe. It applies to the collection and processing of data of European citizens, which means compliance is required by any organization hosting events attended by EU citizens anywhere in the world.
What are the steps companies and associations need to take if they haven’t already?
DC: Obviously it’s not long off (May 25) until GDPR comes into effect — so don’t delay any further! Recently, Cvent held a seminar for more than 2,000 MICE professionals and put together a checklist:
- Start by conducting a data audit to identify all personal data you store across your organization, so you know everywhere it is held or processed.
- Make sure you conduct an organizational review of all subcontractors or suppliers providing or processing personal data, to ensure they will comply with GDPR requirements.
- You will need to review all policies, processes and training — ensuring all employees understand the new regulations.
- Then assess risk levels and examine the data and security framework.
- You will also need to establish whether to appoint an internal data privacy officer.
- It’s worth considering the appointment of third-party legal experts for advice on what you need to do to be compliant.
- Make sure you start working with all technology suppliers to ensure they will be compliant for the data they are processing for events.
- Ensure you build a comprehensive GDPR implementation and compliance program.
- Start GDPR implementation now if not already underway, with a clear set of activities, prioritizing areas of the business with the highest risks and impact, such as sensitive data, consent, and privacy.
- Finally — and very important, given the fines are huge for any data breaches after May 25 — make sure you set up internal procedures for breach notifications and regular monitoring to enable detection of breaches.
What’s the feedback from those who attended Cvent’s recent webinar on GDPR?
DC: Given the overwhelming response for our first seminar, it is clear that a lot of people in the industry need direction about GDPR. They know they’ve got to be compliant but there are some gray areas around just how far they have to go.
There’s the issue of business cards. How do you prove consent with an exchange and no written contract? The simplest way is to keep a record of where and when the exchange was made, but remember to also confirm and record what they consented to. If they just asked you to send them some follow-up information on the subject you discussed, that doesn’t mean you can then store their data for future use for other purposes, such as marketing campaigns. If you want to be really safe, you could follow up with an email to obtain consent before adding information to the database for future campaigns. The last thing you want is to get caught out with the: “I don’t remember giving you my card, why are you contacting me” line. Again, this is why record-keeping is vital.
When it comes to large events such as trade shows, attendees can already manually control whether they give consent by not allowing an exhibitor to scan their badges or withholding their business card. GDPR brings about some interesting propositions. Perhaps we’ll now see badges with encrypted QR codes — with data transferred only to specific exhibitors and “consented to” parties.
Event organizers typically purchase existing mailing lists from past events to market the event. If they do, they must validate that the processes used by the data supplier for gaining consent align with the new regulation. Ideally, you should get consent for all your contacts. The best way to do this could be with a campaign for the upcoming event where you also ask for consent during registration.
It won’t be enough to leave it in the hands of someone else, as you are responsible for confirming this with your suppliers and should audit any contracts with those who process personal data for you. Do your due diligence and keep direct records.
Finally, if you don’t have explicit consent from someone to store their data, an alternative reason you can use is “legitimate interest” — if you believe you have a genuine reason to process their data for a specific purpose. The challenge here is proving what constitutes a legitimate interest for the subject. If someone attended an event the previous year and the same event is being hosted again a year later, then you might decide to store their data and send an invitation as there is foundation for legitimate interest based on former attendance.
But is this enough? Ultimately it is your decision and you should confirm with your company expert or get legal advice to know what makes sense for your event.