It's been just over a year since the European Union's General Data Protection Regulation took effect, governing how personal data is handled both inside and outside the European Economic Area for citizens of the region's countries—EU members plus Iceland, Liechtenstein and Norway. If you're a meetings manager collecting data on these citizens, your company needs to comply with this law. If found in breach, the company could be fined 20 million euros or as much as 4 percent of annual revenue, whichever is greater.
Are companies ready and complying? The answer is hard to pinpoint. Those in fairly regulated industries like financial services and pharmaceuticals had some compliant processes in place already and began to adopt more when the law was approved in 2016. Others that scrambled to create data privacy policies before the May 25, 2018, deadline initially focused on internal systems but are now doing more serious third-party vendor evaluations and employee training. What does seem to be consistent is that meeting managers in general are afraid they're not doing enough.
"People are concerned that if an audit hits, even though they've been working to try to get it right ... it's still such a huge job that they won't have done enough, and they feel it's their responsibility," said Kimberly Meyer, principal of consulting company Meetings Strategy. She moderated a panel on protecting and managing meetings data at a BTN Group Strategic Meetings Summit last month. "Most corporations would say [the responsibility] is shared, but some people feel that they'll be pointed at because they own meetings."
The right course of action is hard to nail down, but here are some best practices for meeting managers.
Have a Data Strategy & Know Your Important Partners
Check with the company's data privacy officer, if there is one; the compliance department; the technology department; and legal. Find out what data privacy policies already exist in the organization. Work together to make sure the policy includes the meetings department, is clear with rules around who owns what, and is flexible enough to evolve with changing business needs and operations while remaining compliant.
American Express Meetings & Events formed a data task force in early 2018 with members from American Express Global Business Travel's meetings information team, operations and technology, as well as business analysts, to meet on a weekly basis, said Amex M&E director of operations Tina McLaughlin. The team reviews all instances of technology and looks at what attendee data the company is collecting, how it's using it, how to drive standardization while still allowing for customization, and varying needs for different countries and different clients. It also provides governance on any changes coming through.
Respect the Data Owner & Be Transparent
Adopt honest, friendly, consent-based communication and marketing. Make it a two-way conversation through the use of consent fields or questions, said Cvent implementation team manager Tom Patten.
Know What You Need & What You Don't
Collect only the data that is actually needed, and once the meeting or event is over, delete what no longer needs to be stored. There is no reason to hold on to attendee dietary restrictions or T-shirt sizes, for example.
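The intake and post-event deletion described above, as an added example that is not from the article or any vendor it names; the field names, retention classes, pseudonymisation key and sample record are assumptions made for illustration:

```python
"""Attendee-record retention: accept only what is needed, purge the rest after the event.

Added example, not code from the article or any vendor it names. The field names,
the retention classes, the key and the sample record are constructed for illustration.
"""
import hashlib
import hmac
from datetime import date

# Retention policy, one class per field. Fields in no class are never stored.
EVENT_ONLY = {"dietary_restrictions", "tshirt_size"}            # delete once the event ends
PSEUDONYMISE = {"email", "id_number"}                            # keep only a keyed token
RETAIN = {"event_id", "event_end", "attended", "consent_ref"}   # needed for audit/finance
COLLECTABLE = EVENT_ONLY | PSEUDONYMISE | RETAIN


def accept_registration(form: dict) -> dict:
    """Data minimisation at intake: refuse any field the policy does not list."""
    extra = set(form) - COLLECTABLE
    if extra:
        raise ValueError(f"fields not permitted by the registration policy: {sorted(extra)}")
    if not form.get("consent_ref"):
        raise ValueError("registration requires a recorded consent reference")
    return dict(form)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash: stable per attendee for reconciliation, not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def apply_retention(record: dict, today: date, key: bytes) -> dict:
    """Reduce a stored record to what the policy allows on the given date."""
    if today <= record["event_end"]:
        return dict(record)                      # still in use during the event
    kept = {}
    for field, value in record.items():
        if field in PSEUDONYMISE:
            kept[field] = pseudonymise(value, key)
        elif field in RETAIN:
            kept[field] = value
        # EVENT_ONLY fields, and anything unknown, are dropped here
    return kept


# Constructed sample record (assumed values, not real attendee data)
SAMPLE = {"event_id": "EVT-2019-01", "event_end": date(2019, 6, 12), "attended": True,
          "consent_ref": "C-0001", "email": "attendee@example.com",
          "id_number": "AB123456", "dietary_restrictions": "vegetarian", "tshirt_size": "M"}
```

Run `apply_retention` from a scheduled job the day after each event ends; the pseudonymisation key must be kept separately from the records so the tokens cannot be reversed by whoever holds the data.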
Make Sure the Data Is Secure
Use encrypted fields for sensitive data like ID numbers, credit card information, date of birth and even dietary restrictions. Establish security and privacy service level agreements with anyone who has access to the data, including internal staff and third parties. But it shouldn't be the meetings manager's job to know what should be encrypted or to know what is required in different countries, Meyer said. "Legal, IT and compliance should be determining what is needed in a country or region or what should be encrypted," she said.
Use GDPR as Your Guide
GDPR is just one of several new data privacy regulations around the globe. It is the most comprehensive, so it behooves companies to use it as their guide for setting up policies and procedures for handling personal data. However, "there may be other privacy, employment-related privacy laws or communications laws depending on the company's geographic location or specific sector, and meeting managers should consult their legal teams to find out which privacy laws are applicable," said Samantha Simms, an attorney and founder of The Information Collective, a data privacy consulting company based in the U.K.
Under GDPR, a privacy statement indicates what data is being collected, how it is being used, how long it is being retained and how it is being shared. A person opts in and has the option to opt out later and request the data be deleted, except when the data is collected on the basis of legitimate interest, said Lenos Software CEO Debra Chong. GDPR says technology needs to adhere to Privacy by Design principles, which means that all settings should default to privacy-respecting settings, Chong added. The California Consumer Privacy Act goes into effect Jan. 1, 2020, but experts agreed that GDPR will be more extensive, as CCPA asks people to opt out from the start while GDPR requires opt in.
Determine Who Owns the Task of Getting Data Privacy Right
Different people have different views on who the point person should be, and it might depend on the type and size of the company. Chong believes it should be the company's privacy council, security and IT. Cvent's Patten said it also could be someone from the meetings staff, provided they are in communication with IT, legal and compliance. Simms believes it rests with the entire organization and that three layers should manage privacy risk:
- the frontline data owners who manage the internal privacy controls required to manage personal data on a day-to-day basis (travel and meeting managers, as well as marketing and finance staff)
- an internal monitoring layer that often sets and oversees the controls; tests the effectiveness of the controls, policies and guidance; and makes adjustments where necessary (privacy, legal, security and IT teams)
- an auditing layer, which can be internal or external and range from a self-assessment checklist to an in-depth investigatory audit.
Most experts agreed ownership should not rest on the meetings manager's shoulders alone.
License All Technology Directly
This area can get tricky. Some companies claim they cannot afford to have their own licenses for all the technology they use and that they are covered under their partner agencies. But Chong argues that if a company can afford to hire an outside meeting planning and management company, it can afford to license its own technology. Otherwise, she said, "you have no privities. You don't have any rights unless you go direct." Meyer agreed, explaining that if a third party has a data breach, the customer whose data was compromised won't care and will go after the company holding the meeting.
Vet Third-Party Suppliers
Questions to ask: What information do you collect from members and attendees? How will you use the information? Will you sell, give or transfer the information to others? How will you protect the data? How does someone opt out from third parties using their information?
If the answers show the company is not GDPR compliant, revise the licensing agreements. BCD Meetings & Events VP of operations Jenny Lust said her company outlines contractually that each party is protected. Yet, Simms noted that having a license directly from a company does not automatically mean the corporation is the data controller. The data controller is the party who decides how and why personal data is used.
Another step is to use only third-party suppliers that are members of Privacy Shield, Chong said. Privacy Shield is a framework for companies to comply with data protection requirements when transferring personal data from the EU and Switzerland to the U.S. U.S.-based companies self-certify for Privacy Shield via the Department of Commerce and commit to complying with the framework's requirements.
Document the Flow & Control of Data
Perform a data inventory or a register of how data is being used. Lay out the who, how, what, why and where data is being collected, used, stored and deleted. This will enable the program manager to understand who has the data and what they're doing with it and to make the necessary checks against it. It could be as simple as an Excel spreadsheet. This is one of the most important features of a privacy program, Simms said.
Complete a Data Protection Impact Assessment
This is a checklist to identify and mitigate the privacy risks associated with a tool, process, system or service, Simms said, adding that GDPR requires companies to complete a Data Protection Impact Assessment where there is large-scale use of sensitive personal data, automated decision-making/profiling or systematic monitoring. A meetings management system that collects large amounts of data is likely to be subject to a DPIA.
Communicate the Data Privacy Policy
Make sure employees are familiar with your privacy strategy—the policies, service level agreements and legal requirements that are in place. Particularly in companies with decentralized meetings programs, this will help reduce the risk of mishandled data, such as unencrypted attendee data emailed to a hotel or meeting venue. Make sure employees know they could be putting the company at risk if they don't adhere to the data policies and procedures.
Perform Audits
An audit could be as simple as running internal validation checks on the data being collected and reported on to make sure it's accurate and that there are no breaches in compliance. Accounting and consulting firms also can perform more extensive external audits. "They can find all the holes before a government body or tax authority comes in to audit you," Meyer said.
A company should also audit third-party partners to make sure they're handling data as required. "It could purely be a risk assessment and may not be as in depth as an audit, but it gives a good benchmark for what the suppliers you are using are doing themselves," BCD's Lust said. "We do that, too, for anyone we are partners with."
The audit should be performed by someone not in the reporting matrix of the department being audited and not the person directly responsible for the supplier's day-to-day operations/relationship with the company, Chong said. Internal audits should be conducted every six months or annually, Meyer said. Third-party vendor checks should be performed every year or two, depending on how much a company uses that supplier for data handling.
_______________________
Correction June 14, 2019: In a prior version of this article, attendee online registration was provided as an example of when "legitimate interest" would be accepted as a viable data collection threshold. This was not correct. Lenos Software CEO Debra Chong provided a clarification. She wrote:
Legitimate Interest should not be used as the purpose for obtaining registration data as that does not fall within its legal definition. The use of legitimate interest in any situation should also be challenged, as ensuring the rights of the person providing the data must be weighed against its use. Express and affirmative consent should be used to collect registration data. Trust is paramount and both parties' rights, privileges and obligations would be properly disclosed and agreed to through consent. For audit purposes, a consent and data management technology should be utilized to track consents agreed to, where the data has been sent, how long it should be kept and ensure its proper de-identification and/or destruction.
BTN regrets its error.