GDPR Redefines Industry Privacy Practices on a Global Scale

general-data-protection regulation GDPR

Since taking effect in May, the EU’s General Data Protection Regulation (GDPR) has altered data management practices throughout the meetings industry, not just in Europe, according to 2019 Global Meetings and Events Forecast report.

“Every event planner now has to be an expert on GDPR,” Lawrence Coburn, CEO of mobile enterprise application developer DoubleDutch, said in the report. “What we are hearing from large clients is they have decided to comply with GDPR globally, because they don’t have the bandwidth to create two different workflows—one for European citizens and one for everyone else. What’s happened is that GDPR is now, effectively, a global law.”

What GDPR is Doing

Requiring centralized control of personal data, as well as informed, individual consent from each user about exactly how that data is used, GDPR is a major step for data privacy. It is meant to help protect users from myriad data breaches and unethical applications of personal information that have come to light in recent years. But even those happy to comply with the new law are having difficulties.

The report, issued annually by American Express Meetings & Events, surveyed members of the meetings industry. Half of European respondents claimed to be struggling to establish centralized data management. At the same time, nearly 45 percent of respondents are finding it difficult to comply with the consent and designated oversight requirements.

Outside of Europe, meetings and events professionals are feeling the pressure, as well. Attempting to comply with GDPR, 58 percent of Asian and 56 percent of Central/South American respondents indicated the designated oversight requirement as the most challenging. Pointing to a higher rate of strategic meeting management protocols among planners in North America, the report does suggest there is a lower level of concern. Regardless, one-third of North American respondents shared apprehension about their ability to meet the requirements.

“Everyone is extremely stressed out because the fines are so enormous, and no one knows how the law is going to be enforced,” Coburn said. “Everyone is waiting to see if there are companies that will be made examples of.” Some fines go as high as including a minimum of €20 million (about $33 million).

And that stress is having a direct impact, Coburn explains: “Some companies in the pharmaceutical and financial services sectors are saying there is too much risk to use different vendors, particularly in the context of GDPR, so they are starting to simplify their vendor list. We are seeing a heavy push for consolidation of vendors across a broad meeting program.”

Beyond the Law Itself

Ripple effects of GDPR are reaching even further, affecting attendees, as well. The section of the global meetings forecast, “The Future of Personalization,” contributed by events services agency Banks Sadler, claims laws such as GDPR—and the breaches they are meant to prevent—are making attendees more aware than ever.

Flippant use of data, even if used for personalization methods the industry has embraced only recently, can meet with harsh rebuke from attendees. As new technology—such as facial recognition and emotion-targeted content—become easier to implement, planners need to be hyper-cognizant of individual expectations of privacy.

What to Do

In another section, “Meetings Legal Trends, Grimes Law Offices,” founder Joshua L. Grimes reports that the requirements and restrictions of GDPR are simply a fact of life for the industry now. The sooner companies and planners adjust, the better.

To help, he includes a list of imperative steps to follow.

  • Post a clear and concise GDPR-compliant privacy policy on event registration websites.
  • This policy must inform individuals how their personal data will be used and their rights to have that data modified and/or deleted.
  • Secure knowing and freely given consents from individuals prior to using their personal data.
  • Ensure that there is a legitimate reason to collect personal data from individuals, and that only the data required is collected.
  • Adopt effective methods for safeguarding personal data received from individuals.
  • Ensure that contractors, business partners and others with whom a business shares personal data have adequate protections in place to properly handle and protect that information.

Read our full break down of the 2019 Global Meetings and Events Forecast here.