Have you heard about the European Union's tough new General Data Protection Regulation (GDPR)? If your organization collects personal data, then you need to pay attention. And if you think it doesn’t apply to you because your company only operates in the U.S., guess again. If any of your meeting and event attendees are coming from Europe, then the GDPR standards apply to you.
The new privacy rules extend to any company processing data of EU residents—regardless of the location of the company headquarters.
Among other changes, GDPR gives individuals more control over their data, requires clear privacy terms and conditions, and requires companies, at the senior executive level, to build the new personal data protection standards into corporate governance. It will be enforced starting May 25, 2018, and is directly aimed at providing greater data protection for the roughly 508 million people in the member countries of the EU (currently 28 countries, including the United Kingdom until Brexit).
For those opting to ignore the GDPR, know that non-compliant companies will face stiff penalties of four percent of annual corporate revenues or 20 million euros, whichever is greater.
And, in case you are wondering, the scope of personal data covered by the GDPR is more than just name and address; it also covers income information, health information, frequent-flyer and frequent-stay account information, birthdays, age, food preference, allergy notifications, cultural and ethnic background information, and more.
There are also regulations and guidelines as to how long the data collector can retain the information with mandatory purging of personal data. No exceptions!
Think about how much personal data is collected for employee travel, meeting/event attendees, guest attendees, etc. Give a heads up to all of your preferred travel and meeting suppliers that collect personal data: they need to confirm what they are doing to comply with the impending May 25, 2018 GDPR launch and, most importantly, tell you how and what your company needs to do to prepare for it.
All of this is no doubt a positive step towards combatting the sinister data hacking and phishing activities perpetrated globally, but it does require a tough, introspective look at how you and your supplier partners treat and retain personal data.
The U.S. is one of the weakest countries in terms of data privacy protection regulation, and is therefore the weakest link in ensuring that companies are appropriately safeguarded and compliant with the impending GDPR rules.
If you still don’t see how this applies to you, think about the following:
· Your exposure in terms of how you use personal registration data (name, address, country of citizenship, age, etc.) and how long you can retain that data
· Use of registered attendee data for marketing analytics
· Retention of education session data for future analytics and future conference education preferences
· Retention of personal data such as frequent-flyer and frequent-stay account information, birthdays, age, food preference, allergy notifications, and other attendee preferences
You now have about eight months to figure out the impact of GDPR on your meetings and events programs, your company, your suppliers, and any other organization that gathers and retains personal attendee data. There’s a lot of information online about GDPR; I recommend doing some research and having conversations with your company leadership and your preferred suppliers to figure out what you need to do to best prepare. Don’t procrastinate!