Meeting Mentor Magazine

December 2023

Is GDPR on Your Radar Screen? Here’s Why It Should Be

With all that is going on in the world of meeting planning, the General Data Protection Regulation (GDPR) may not be something event organizers are aware of or concerned about. But that needs to change, and change quickly, say data security experts.

The European Union’s GDPR will go into effect May 28, 2018, and it will extend EU data-protection law to any entity involved in processing data for EU residents, regardless of where that entity is located. The scope of data protected by GDPR is extensive: everything from name and date of birth to food preferences and frequent flyer affiliations, as well as income and health details.

Compliance with GDPR’s stricter data-governance regulations will require ongoing audits and assessments and likely additional costs, noted Kevin Iwamoto, senior consultant with GoldSpring Consulting, an independent travel consultancy. Failure to comply can result in stiff penalties, he said. MeetingMentor asked Iwamoto to explain why GDPR should be a concern for meeting organizers.

If event organizers do not collect credit card information directly, they may think GDPR does not apply to them. They may also think that, since their meetings are in the U.S., GDPR regulations are not relevant. Can you explain why these are both misperceptions?

Credit card information is just one element of data collection that is included in GDPR. The terminology being used is “PII,” which stands for personally identifiable information. PII includes any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data could be considered PII. This would include birth dates, addresses, phone numbers, employer information, frequent flyer account numbers and so on.

If any of your attendees are coming from any of the EU countries, including the United Kingdom, your data governance standards should be GDPR-compliant. Here’s what the GDPR website says about its applicability:

“The GDPR not only applies to organizations located within the EU, but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”

Since meeting organizers are not information technology professionals, what specific steps should organizers take to bring this issue to light and to take/direct action within their organizations?

My recommendation for meeting organizers, suppliers and corporate clients is to ask about GDPR internally, especially to the chief executive who oversees corporate data governance. Specifically, I would recommend asking:
1) What is our corporate policy on GDPR adherence standards?
2) What part should I play to ensure my program, process and suppliers are compliant with GDPR?
3) Do we have standard language, approved by corporate legal, that I need to amend existing supplier agreements with, especially if those suppliers are handling attendee PII data?

I also recommend reviewing information on the main EU website. Everything you need to know to prepare is there, and the FAQ page is very helpful. There are also companies like Veritas that offer GDPR audits for readiness. They will do a gap analysis that your company can review and will recommend actions to take to avoid the huge fines that could be assessed. Those fines are up to 4 percent of annual global turnover for breaching GDPR or 20 million euros, which is about $23.7 million. This is the maximum fine that can be imposed for the most serious infringements.

What is the most difficult part of GDPR compliance for event organizers?

The most difficult part is knowing what the impacts may be to current processes for event management. For example, data warehousing for repeat registrants is designed to be customer-friendly for attendees registering for an event, but it could be violating GDPR if the PII data is not purged by the new data-retention standards, which do not allow for evergreen retention of PII.

Another area of difficulty is trying to find internal corporate support and resources to partner with you to ensure your event is not in violation of GDPR. Working with your suppliers is much easier because you can just ask them what they are doing regarding GDPR readiness and then figure out how to protect your company and event by going to corporate legal, as well as by including GDPR-specific questions in your RFPs and RFIs.

The bigger issue is: Who owns the corporate data governance in your company? That executive needs to come out with corporate standards, audits and readiness guidelines. The GDPR is elevating data-governance standards to the C-suite of executives and holding them accountable.

So the message is to get GDPR on your radar screen right now?

Event organizers cannot afford to play “hot potato” with GDPR oversight. The good news is, someone at the executive level is fully responsible; the bad news is, if you suspect that your specific area of responsibility could potentially present a gap that may compromise your company and make it subject to hefty EU fines, then you need to raise your hand proactively and flag it. Trust me, the “I didn’t know” explanation will not save you from serious implications for your company, career and job.

— Regina McGee

About ConferenceDirect
ConferenceDirect is a global meetings solutions company offering site selection/contract negotiation, conference management, housing & registration services, mobile app technology and strategic meetings management solutions. It provides expertise to 4,400+ associations, corporations, and sporting authorities through its 400+ global associates.

About MeetingMentor
MeetingMentor is a business journal for senior meeting planners that is distributed in print and digital editions to the clients, prospects, and associates of ConferenceDirect, which handles over 13,000 worldwide meetings, conventions, and incentives annually.
