In the current information age, data is big business — and so is data protection. When it comes to meetings and events, the seemingly endless flow of data across country and regional borders can be difficult to manage, and it’s about to get a whole lot harder.
On 25 May, the European Union will enact new data-protection laws, known as the General Data Protection Regulation (GDPR) across all 28 EU countries. The laws impose strict new rules on controlling, processing, and sharing the personal data of EU citizens. This includes the transfer of data outside the EU — and applies to all companies working with Europeans, regardless of geographic location.
For Tiffany Morris, general counsel and vice president of global privacy at global data-management company, Lotame, this is a danger point for event planners and service providers other parts of the world.
“With GDPR, the thing to keep in mind is that the law applies if a company is collecting personal data from Europe,” Morris said. “It doesn’t matter if the company is in Europe, it doesn’t matter whether the consumer on which you’re collecting data is a European resident. If your event happens to be at a Marriott hotel in London, for example, and people are registering for your event, then GDPR would kick in because that personal data is flowing from Europe to the collecting entity. That’s a big change — and what we lawyers call an ‘extra-terrestrial law.’ [It] has boundaries far beyond the jurisdiction in which the law has been established.”
GDPR also stipulates that organizations must have the clear consent of an individual to use their data for a specific purpose.
You need to articulate to consumers what information you’re collecting and for what purpose.
For event marketers looking to leverage data collected at events, Morris offered this advice: “You really need to articulate to consumers what information you’re collecting and for what purpose,” she said, “and if you’re sending it to third-parties. In many cases you may need opt-in consent from the user or you may need to establish ‘lawful means’ to process the data under GDPR.”
Morris said that her “biggest concern for clients,” especially those operating in online advertising, is the use of “cookie” IDs — considered the currency of online marketing. “Historically we haven’t considered this data to be detailed enough that it would identify a user individually, but under this new law, it does,” she said. “That’s a really big shift for us.”
According to Felix Rimbach, director of research and development at event services and technology company, Globibo Singapore (which has offices across Asia, Europe, and the U.S.), data transparency is another sore point.
Policies can no longer be hidden in complicated legal jargon.
“The legislation describes very clearly that policies can no longer be hidden in complicated and convoluted legal jargon,” Rimbach said. “This is a rather common practice … and requires immediate attention, especially for terms and conditions used in registration processes.”
Transparency also comes to the fore when it comes to working with third-party suppliers and ensuring they are compliant with GDPR.
Morris recommends establishing data-processing agendas. “These documents establish what security and technical safeguards need to be in place, who can touch the data, under what conditions it can be processed, and very specifically outline what the third party can and cannot do with the data.”
The increased use of real-time messaging apps, facial recognition, and live streaming at events also presents a problem. To navigate the GDPR rules, Rimbach recommended that all event professionals seek legal advice in reviewing internal data processing and storage systems, in order to make necessary changes before the May deadline.
“The complexity of current event technologies has significantly increased — cloud storage, system interfaces, and networked processing have become difficult to comprehend as well as to isolate properly. We clearly recommend planners to seek strong legal support to get ready for the change.”
He sees a “a big gap in regards to future compliance with the new regulations,” Rimbach said. A majority of organizations have made some good basic steps to comply with local data protection policies, but the unique and rather novel reach of this legislation, especially with regards to processing event registrations, has not been fully acknowledged.”