80 Meetings & Conventions • mcmag.com March 2018
GDPR: WHAT YOU NEED TO KNOW
WHAT IT IS: The General Data Protection Regulation (GDPR) is
the European Union’s updated and consolidated data protection
and privacy law. Adopted in 2016, it becomes enforceable this spring.
The law applies to any organization, wherever in the world it is
based, that collects or processes the personal data of people in
the EU (not only EU citizens).
WHY THIS AFFECTS YOU: If any of your attendees or
participants are residents of the European Union, including the
United Kingdom, which is expected to adhere to GDPR after
Brexit, you and your event partners need to be compliant.
Enforcement deadline: May 25, 2018; non-compliant
organizations can face fines on and after this date.
PENALTIES FOR NON-COMPLIANCE: Fines of up to 4% of
annual global revenue or €20 million (about $28 million), whichever
is higher. Fines are tiered according to the provision infringed:
failures of record-keeping, security, or breach notification carry
a lower maximum of 2% or €10 million, while violations of the core
principles, individuals’ rights, or the consent rules carry the
higher maximum.
• CONSENT: No more passive acceptance, pre-ticked boxes,
and confusing opt-outs. Organizers must be clear (no legalese)
and specific with explanations on how and where attendees’
personal data will be used, down to which third-party suppliers
will be handling their data, and how long it will be stored.
You’ll have to make it easy to withdraw consent, too. Consent,
whether online, verbal, or on paper, must be traceable and
• DATA PORTABILITY: Individuals have the right to ask for and
receive a free copy of their personal data you hold, or send it to
another organization. The data must be provided in a common
• RIGHT TO BE FORGOTTEN (DATA
ERASURE): Individuals have the right to
request that their personal data be deleted
from your data platforms and that of any
third parties who will have to stop processing
it. Exceptions apply where you must keep the data
for financial-transaction records or for legal or
tax/audit obligations.
• DATA SECURITY: All organizational systems
(event software, marketing automation,
CRMs, etc.) handling personal data must be
secured by design and by default, with technical
and organizational measures appropriate to the
risk and the state of the art (for example,
encryption, access control, and the ability to
restore data after an incident). A personal data
breach must be reported to the supervisory
authority within 72 hours of your becoming aware
of it, unless it is unlikely to put individuals at
risk; affected individuals must also be told
without undue delay when the risk to them is high.
• DATA PROTECTION OFFICER (DPO): If your
business carries out large-scale, regular, and
systematic monitoring of individuals (for example,
tracking online behavior), or large-scale processing
of sensitive personal data, you
will have to appoint a data protection officer
with no conflicts of interest to ensure data
protection policies are being implemented,
enforced, and understood. The position can
be in-house or outsourced.
• Consult with your corporate legal or IT teams to find out
how far along they are with GDPR compliance, and how your
work processes affect compliance. If you are running a small
independent business, check with your technology vendors.
Look at outside consultants or advisors, if necessary.
• Discuss GDPR with current and prospective clients. Work closely
with their DPOs, if applicable, to make sure your data protection
obligations are aligned. Amend contracts where necessary to show you
are both operating within the legal confines of the regulations.
• Review GDPR compliance with your third-party suppliers. GDPR
requires a written contract with every supplier that processes
personal data on your behalf, so revamp contracts and service-level
agreements to ensure they are in compliance. Spell out your
responsibilities and theirs in the event of a breach or fine levied.
• Audit your database and lists. Any EU resident, for instance,
who didn’t opt in under the new regulations will have to be
removed. However, you may reach out to see if they opt back in under
of attendee data is not allowed under GDPR. Consent given
for one event will not count as consent for another one of
your events down the road.
FOR MORE INFORMATION
THE EU’S WEB PAGE ON GDPR COMPLETE WITH FAQS.
The Event Planner’s Guide to GDPR Compliance
7 STEPS TO GET YOUR EVENTS READY FOR GDPR
Eventsforce, an event management software company based in London,
provides a helpful e-book and info on preparing for GDPR.
GDPR: WHAT YOUR EVENT TECH PROVIDER CAN DO FOR YOU
An e-book from etouches, a cloud-based event management and venue sourcing
solutions provider in Norwalk, Conn., and soors.it, a technology sourcing
platform, helps planners and their event tech providers assess their roles towards