Meeting Mentor Magazine
How Well Are You Protecting Your Attendees’ Data?
Remember last May when your in-box was flooded with exhortations from every organization you have ever done business with to read and sign off on their new data privacy policy? Perhaps your organization was one of those doing the flooding, as the enforcement deadline for the European General Data Protection Regulation (GDPR) approached and meeting organizers scrambled to retrofit their policies to ensure they complied with GDPR’s consent, data-breach notification, data access and portability, and right-to-be-forgotten requirements.
So one year out from the frenzy, how is the meetings industry doing when it comes to GDPR compliance? On the positive side, 81 percent of the 110 U.K.- and U.S.-based corporations, associations, government agencies, professional conference organizers (PCOs) and event-management organizations responding to a new study by Eventsforce said they believe they are in compliance. In addition, 44 percent said they shared less data with hotels, venues and other third parties; 41 percent have improved and increased transparency around their data management processes; 40 percent have tightened their data security processes; and more than a quarter collect less attendee data than they did pre-GDPR.
However, 90 percent said they still find consent management and ensuring event supplier compliance a challenge.
MeetingMentor recently caught up with Eventsforce CEO George Sirius to learn more about the current, and likely future, state of data privacy regulation in the events industry — and how meeting professionals can better handle the challenges arising from these regulations.
MeetingMentor: While Europe led the charge with GDPR, several other similar regulations are now in the works, such as the California Consumer Privacy Act, Brazil’s General Data Privacy Law and India’s Personal Data Protection Bill. How should this affect meeting organizations’ efforts to continue working on the GDPR aspects that they still find challenging? Do you anticipate we’ll continue to see more states and countries moving in this direction when it comes to data protections?
Sirius: GDPR standards are expected to eventually expand outside the EU as the subject of data privacy and security becomes more and more front-of-mind. The U.K. government has already confirmed that it will adhere to GDPR if or when it completes its exit from Europe, and as you mention, there are similar regulations in Canada, Australia and, more recently, California.
With incidents like the recent Facebook-Cambridge Analytica scandal, people all over the world are going to start demanding more rights over their personal information — so our advice to international meeting planners would be, even if your events are not collecting data on European citizens and residents, it doesn’t hurt to follow the best practices GDPR requires when it comes to data management. Being prepared will not only help them meet future standards, but it will also show attendees that these organizations can be trusted with their most important asset — their personal information.
MM: Do you have any suggestions on what meeting organizations can do to meet those still-challenging requirements, especially those involving working with third parties?
Sirius: Our research found that managing consent and understanding how third parties are looking after their event data are the top two challenges organizers are still facing around GDPR — and I would say this is probably the case for most organizations dealing with compliance issues.
With regard to consent, we would suggest organizers work with event tech suppliers who support them with GDPR tools that help record and manage the consent they get from attendees on things like registration forms and apps. They should also be able to provide tools that help identify, manage and protect the personal information attendees share with meeting organizers so that, at any given point, organizers know exactly what kind of consent they have from an attendee, when it was given, what personal information they hold on him or her, and how that data can be erased if need be.
Attitudes toward how attendee data is shared with third parties, such as venues, hotels and tech suppliers, and how these organizations protect their data are also changing. As an event tech provider (and hence data processor), we see many of our clients are now asking us about data security, which they didn’t before. They are requiring more formal documentation, asking more questions around our security policies, and making changes to contractual terms and conditions. And this is exactly what they should be doing.
We would advise you, as a meeting planner, to ask event suppliers/partners how they’re managing your data on your behalf and what they’re doing to keep that data safe. How important is data security for their organization, and what best practices do they follow? How long do they keep data, and what procedures do they have in place to delete this data when you ask them to? What about your own suppliers and contractors who also have access to your data? Organizers need to ensure that their third-party suppliers can clearly explain what contractual and legal safeguards they have in place to ensure they’re looking after that data at all times. Having answers to these questions will minimize your risk and protect you from any unpleasant surprises in the future.
MM: Any advice for those, especially meeting planners, who still find this whole topic just overwhelming and/or “not my job to worry about”?
Sirius: Many meeting planners think that compliance should be more the responsibility of their IT and legal departments. But the reality is that there are a number of things organizers do that can put their organizations under serious financial risk with GDPR. Things like using pre-ticked consent boxes on registration forms and apps and not having the proper processes in place to manage attendee consent. Or sharing delegate lists through insecure spreadsheets with venues, speakers and other attendees. Or not paying attention to the information freelancers and temp staff have access to. Or leaving unattended registration lists lying around. These are just some examples, but there are many more.
It is therefore incredibly important that event professionals understand what they should or shouldn’t do — so they can then figure out what changes they need to make around collecting and managing the personal information of people coming to their events.
I think one of the most important things meeting planners need to remember is that GDPR compliance is a journey, not a destination. It isn’t a simple matter, nor are the requirements black and white. But even if meeting planners haven’t taken the necessary actions one year down the line, it is never too late to start.
As a first step, we would advise meeting organizers to ensure that everyone on their events team understands why GDPR has happened and why data protection should be a consideration from the outset of all event planning activities — and not just a mere afterthought. This is key. Event teams also need to understand what rights attendees have under GDPR and what processes are in place to meet these rights.
Then there’s the whole issue of data security, which we mentioned earlier. Failing to report a data breach within 72 hours can result in crippling fines under GDPR, so ensuring that everyone in the events team has a good understanding of what constitutes a data breach and what to do when one happens is critical. And don’t think it won’t happen. We saw a number of data breach incidents in our industry over the past year, including the U.K. Conservative Party conference app and others like Ticketmaster and Ticketfly. So it’s very important to be prepared. Also, in the event that your event data is compromised, the data protection authorities will be a lot more forgiving when they see you’ve done your best to protect that data from getting into the wrong hands.
Lastly, I would say events really shouldn’t be complacent about the financial penalties of GDPR. A report cited in the Financial Times last month reported that hundreds of thousands of cases have been raised so far, and the fines are rolling in. National data protection agencies in 11 countries have levied 56 million euros in fines. The largest and most high-profile case so far was Google with a 50 million euro fine for violating consent requirements. And though the number of fines across the world is still relatively small, meeting planners who handle data on EU citizens should remain vigilant at all times.
MM: Are there any resources you would recommend for meeting professionals to learn more?
Sirius: I mentioned it before, but it is also really important to highlight the issue of data security, because a data breach is essentially what can get meetings and events into a lot of trouble under GDPR. In fact, our research study found that 40 percent of organizers now have much tighter data security checks and processes in place because of GDPR. If you’re unsure where to start, I would recommend reading our report, The Event Planner’s Guide to Data Security in a Post-GDPR World. It identifies a list of key areas within event planning that could easily put attendee data into the wrong hands — it also has some useful checklists for both meeting planners and their team members that help minimize the risks of breach.
We would also recommend visiting the Information Commissioner’s Office (ICO) website (www.ico.org.uk), which has some fantastic easy-to-read information on how to start your journey toward GDPR compliance. It would also help if organizations assign one person in their events team to take ownership of GDPR and be the focal point for all matters regarding compliance. That way they can keep a tighter control in ensuring all the necessary steps have been taken and that the events team aren’t doing anything that puts their organization at risk.
For more on why GDPR compliance should be a vital and ongoing concern for meeting professionals, see Adam Briggs’ column in the Summer edition of MeetingMentor magazine. — Sue Pelletier