It’s been more than a year since the May 25, 2018, launch of the European Union’s General Data Protection Regulation, and according to recent surveys, it would appear that meeting and event professionals in the U.S. are still struggling to make sense of the changes needed to be GDPR compliant.
Many have yet to incorporate baseline GDPR requirements into their standard operating procedures (SOPs). Many still appear to be in denial about their liability and their role in ensuring that their company’s events and meetings are GDPR compliant.
At its core, GDPR is all about individual data privacy rights and how organizations that are putting on a meeting (known as “controllers” in the lingo of GDPR) are held responsible for data privacy transparency: informing attendees about how their personal data will be used, gaining and documenting consent, and handling requests for deletion of personal data. GDPR outlines the roles and responsibilities that these organizations and their supplier partners (known as “processors” and “sub-processors”) must follow to safeguard the handling of personally identifiable information (PII).
If you aren’t doing so already, you should be having a conversation with your event suppliers about their understanding of GDPR, and how their activities and processes align with yours to ensure compliance. Here’s a short list of baseline questions that you should be asking your event suppliers:
- Where is my data housed?
- Who will have access to my data?
- How long do you retain PII?
- How do your systems and/or processes allow for deletion of personal data, and how quickly can you delete and confirm deletion of personal data?
- Does your organization fully understand and comply with GDPR?
- Can you provide the requisite 72-hour notification if there’s a data breach?
- Do you employ sub-contractors? If yes, do you have legally binding agreements with your sub-contractors that assure GDPR compliance?
Check within your company if any other department and/or individuals are working on GDPR governance and adopt whatever standards they have created to ensure your meeting and events program is compliant. Confirm whether your scope of work documents (SOW) and service-level agreements (SLAs) detail your company’s GDPR standards. Most importantly, have this conversation with your meeting suppliers and partners to ensure you’re all on the same page.
Protecting and safeguarding personal data is everyone’s responsibility, especially in our industry. We are fundamentally responsible for attendee safety, security, and data privacy. GDPR is not someone else’s responsibility; it is everyone’s responsibility. Period.