Meeting Mentor Magazine
How to Minimize Risk When Working with GDPR-Noncompliant Vendors
When Europe’s General Data Protection Regulation (GDPR) went into effect last spring, promising crushing financial repercussions for those who don’t put systems in place to protect the personal data of their European customers — many hotels and other vendors serving the meetings industry swung into high gear to ensure they’d be compliant.
Many others, however, did not. Whether it’s because they don’t do business with any Europeans, they don’t have a physical presence across the pond, or they just feel the odds against ever seeing enforcement action taken against them are vanishingly small, they decided to opt out of the work and expense involved in getting their personal data protection systems up to GDPR-compliance levels.
The rub for meeting organizers, of course, is when you are contracting with a non-GDPR-compliant vendor but you do have European attendees, sponsors or other stakeholders, and so have to comply with GDPR yourself, which in turn requires your vendors to be compliant. Uh oh.
We asked meeting industry attorney Joshua Grimes, Grimes Law Offices, what meeting professionals should do when they find themselves obligated to work with a hotel, transportation company, destination management company or other type of vendor that either doesn’t know about GDPR requirements or has decided not to comply but will be processing your attendees’ personal data. He offered these five suggestions:
1. Just say no. “If you know that your organization deals with people who require GDPR compliance, then I question whether you’d want to do business in the first place with contractors who are not willing to be GDPR-compliant,” Grimes said. He suggests bringing up the issue in the initial stages of your negotiations, and if they say they are not following GDPR requirements, walk away and find another vendor who is.
2. Ask what the vendor will do to secure your attendees’ personal data. If you’re already locked into using a particular vendor who you later find out is not GDPR-compliant, Grimes recommended putting a requirement in your contract that they will take “commercially reasonable measures to protect the personal data of attendees, whether that meets the requirements of GDPR or not.”
3. Ask that the vendor indemnify your organization against any violations that occur due to its GDPR noncompliance. “They may not agree to do it, but it’s reasonable to ask,” he said.
4. Limit the amount of personal data you give that vendor. “If it’s a transportation company, do they really need anything more than the names of the people that are using their transportation? If not, don’t give them any more than that. Why give them any more data than they need to have?”
5. Add a disclosure to your opt-in notice. GDPR requires organizations to have customers opt in to allowing the organization to use their personal data. Grimes suggests adding a paragraph to the effect that the attendee acknowledges that some of their personal data may be shared with third parties that are not GDPR-compliant and that they agree to have their data shared with these third parties anyway. “It may not protect you if something happens, but at least it shows that you disclosed the situation to the attendee,” said Grimes. And what if an attendee doesn’t agree? “Hopefully you could work with the hotel or other vendor to carve out an exception for that person.”
The bottom line, said Grimes, is that meeting professionals should give some thought to this situation before it arises — because it likely will at some point. “And for hotels and other vendors, they should question their strategy of not wanting to become GDPR-compliant when their customers will need them to be,” he said.
“Until there’s a big company that stops dealing with hotels and vendors that aren’t compliant, or there’s a big enforcement action in our industry, planners are going to continue to run into this situation.” — Sue Pelletier