Skift Take

U.S. meeting planners expect the EU’s General Data Protection Regulation to have a major effect on how they manage data. While the giant meetings firms are prepared to comply with it, smaller companies and related meetings vendors may lag behind.

Meeting and event planners who haven’t been paying attention to privacy and data security need to start now. For some, it may already be too late.

The European Union’s General Data Protection Regulation (GDPR), set to take effect May 25, promises to have far-reaching effects on how meeting planners on this side of the Atlantic manage data.

The EU’s robust response to data security and privacy concerns governs the collection of EU citizens’ personal data. That means that U.S. meeting planners (and U.S. companies) who host events in Europe, or have European attendees regardless of the meeting’s location, must comply or face stiff penalties.

The new rules apply to all industries, but the meetings industry is particularly data-intensive.

The rules affect the use of personal registration data (name, address, citizenship, age, etc.); attendee data for marketing purposes; educational session data for analytics and future conference preferences; and individuals’ data on frequent traveler programs, food preferences, birthdays, allergies, and more.

“Recent reports and benchmarking have shown that the majority of planners and companies, let alone U.S.-based, won’t be ready for GDPR when it takes effect,” said Cindy Fisher, senior vice president and global head for CWT Meetings & Events. “A number of myths still surround GDPR principles and how they should be interpreted and implemented. It’s still a very new subject or way of approaching data protection for most U.S. companies; the learning curve is steep.”

While U.S. planners need to set up processes identifying which areas businesses must focus on for GDPR implementation, “U.S. planners that only provide ad hoc services to European residents probably won’t need to deploy a fully-fledged GDPR program, appoint a Data Protection Officer and examine the lifecycle of personal data with a magnifying glass,” according to Fisher.

What Is a Data Processor?

The new rules increase the importance of working with technology vendors that comply.

“If you read the documentation and the measures enacted, it can be pretty onerous,” said David Peckinpaugh, president of Maritz Global Events. “There’s been a lot of fear-mongering surrounding it. GDPR is big. For an EU-based company it’s huge, but is it somewhat mitigated in the U.S.? Probably.”

Under the regulations, companies like Maritz and Carlson Wagonlit Travel are defined as “data processors,” which are vendors used by “data controllers” to process or store data. Data controllers own or manage personal data.

American Express Global Business Travel is a data controller. Its chief privacy officer and vice president of commercial compliance Kasey Chappelle noted that how data is collected might be an issue under the General Data Protection Regulation.

“Some of the GDPR’s changes require by law some steps that previously had been privacy best practices,” she said. “One of those is ‘data protection by design’ – a product development approach that builds privacy into the design of products, interfaces, and applications.

“It’s a better way to protect privacy, rather than expecting that a legal consent or privacy policy applied at the end will take care of it. Meetings and events companies and those who use their services will need to work only with software partners who can demonstrate they follow secure and privacy-protecting design practices that meet this new requirement.”

Marketing Issues

Marketing will be an issue too, according to Fisher.

“Marketing departments have a challenging first half of the year as GDPR redefines ways of working by strictly framing how to market to individuals,” Fisher said. “The restrictions imposed as a result of transparency, consent or opt-out requirements will likely modify how a marketing department operates, especially via automated means using tech platforms. Fundamentally, it should serve to clean up old databases or outdated practices.”

Carlson Wagonlit Travel, Maritz, and American Express GBT are already prepared for GDPR, their executives said. The new regulations were first announced two years ago, so major industry players have had a head start on compliance.

“It’s been on our radar for some time,” Peckinpaugh said of the GDPR, which the EU adopted two years ago. “We’ve been compliant for many, many years but we had additional hoops to jump through. It has been a financial burden, a time burden; a lot of our people have been focused on it.”

Carlson Wagonlit Travel also has been working on implementing it for years, while American Express GBT started to build GDPR compliance into its programs even before the EU adopted it in 2016.

But what about compliance by other U.S. meeting planners and companies?

Peckinpaugh said other meeting planning companies’ reaction has been “a mixed bag.” “Any company like ours which manages a lot of data—no doubt those companies are taking it seriously,” he said.

Related industry sectors like hotels, caterers, or destination management companies may not be as tuned in, though. Time will tell as the new rules go into effect on May 25, 2018.

Tags: cyber security, gdpr, meetings

Photo credit: The 2014 Open Knowledge conference in Berlin. European data security laws will soon impact meeting planners around the world. Open Knowledge / Flickr
