By now, you’ve surely heard about the General Data Protection Regulation or GDPR – an EU regulation that protects the personal data and privacy of EU citizens and stipulates how companies and organizations can collect, manage and use this data for business purposes. It’s coming into force on May 25, 2018 and companies are scrambling to ensure that they are in compliance as the deadline nears.
While companies are rightly ensuring that all of their software and technology providers are GDPR-compliant, that alone is not enough. Companies – including those in the event planning industry – have to ensure that their internal processes are GDPR-compliant as well.
To understand this more, let’s take a look at the implications of GDPR for event planners.
I only do business in North America. How will GDPR affect me?
The protections offered by GDPR extend to EU citizens wherever they are in the world. This means that businesses registered or located outside of the EU will still be required to be GDPR-compliant so long as they have customers who are EU citizens. Unless your business knows all of the nationalities held by all of your customers, it is advisable to treat all of your customers as if they were EU citizens. Since many people move countries or are citizens of more than one country, you cannot just look at their address and infer whether or not they are an EU citizen.
As for how GDPR will affect event planners, the two main ways involve storage and right of access and erasure.
While companies are allowed to collect customers’ personal data to process a business transaction, as soon as that transaction is completed and there is no longer a demonstrable need to keep that data, it must be deleted or irreversibly anonymized. This means that companies will have to ensure that processes are in place to delete or anonymize the personal data contained in transaction records after it is no longer needed.
This is not as daunting of a task as it looks. You are likely already GDPR-compliant when it comes to handling your customers’ credit card data, so you don’t need to reinvent the wheel here. Simply look at how you can treat your customers’ personal data the same way as you would their credit card data. Once the data has been processed, you either delete the credit card information or encrypt it.
One commonly overlooked fact is that customers’ personal data may be scattered across various platforms, servers and formats – both digital and physical. When customers register for a conference, their personal data is captured by the registration system, but may then be transferred to the booking system as the event nears. If you export a rooming list that contains personal data, print it out or email it to a colleague, that personal data is being scattered further. Were an EU citizen to request erasure of his or her personal data, you would have to ensure that it is removed from all of those places. Do you know what that process would look like? Have you mapped it out? You will want to have a plan in place beforehand so that you are not scrambling when you receive your first request.
Right of Access and Erasure
GDPR also gives EU citizens the right to view all the personal data that a company has collected from them and the right to have that data deleted. If one of your customers makes these requests and you are unable to provide all the data that you have regarding that person or if you fail to delete that person’s personal data after receiving a request to do so, you could face serious penalties.
You should also consider how you would respond if attendees invoke their right of erasure before the conference starts. Since you would be obligated to delete or anonymize their personal data, how would that affect the organization of the event? Can you have a name badge without a name on it? Would a hotel be willing to reserve a room without a name attached? Would you be forced to consider a request for erasure as a de facto cancellation of the room reservation? These are important questions to consider and may mean adding a clause or two to your event registration and room reservation agreement to clarify how such a situation would be handled.
Do I need to delete all of my customer data?
GDPR does not mean that you have to delete all of your customer records, you just have to delete or anonymize the parts of those records that qualify as personal data – and this, only after the business transaction has been completed (or earlier if you receive a request for erasure). You can still keep historical data such as attendee numbers, room totals and check-in/out dates, but you must remove the personal data attached to those records.
What do I need to do?
As previously mentioned, your technology providers (including Meetingmax) are most likely already GDPR-compliant, so all you need to focus on is ensuring that your internal processes are also compliant. This means thinking about how you handle historical transaction data and how you would respond to a customer’s request to access his or her personal data or have it deleted. Are your current processes already GDPR-compliant?
The examples listed in this article are by no means an exhaustive list of everything that you need to do to become GDPR-compliant and the steps towards compliance will be different from one company to the next. The objective of this article was to merely get you thinking about GDPR and how it will impact your business procedures and data archives.