18 Meetings Today // 03.18
data privacy regulation with teeth sharpened not just for groups in the EU, but
for any entity on the planet processing
personally identifiable information about
If you fail to meet GDPR regulations, the Information Commissioner’s Office (ICO) or EU privacy regulators can fine violators up to 4 percent of annual global sales or €20 million (US $24.76 million)—whichever is
David DeLorenzo is a technology consultant with DelCor Technology who believes
GDPR could be disruptive in every industry.
“My biggest concern is that many organizations are looking at this as just a data and technology issue when in fact it is a business issue that will have a significant impact on many areas in business,” he said. “It is a game-changer in the way that organizations will be able to do marketing. It could impact revenue streams for many ancillary businesses, like list sales, and has the potential to render some of the innovative technologies that we use to serve content based on automated processing unusable because of data privacy. So yeah, I have
If you have mailing lists, collect IP addresses automatically in your third-party marketing tools or even store random Excel spreadsheets containing individuals’ personal data with your notes for later use, you must adhere to the wishes of any EU citizen about their data. You must guarantee that they have control over how their data is used.
And just because your third-party technology provider is capturing the data you use,
it doesn’t mean they will necessarily be prepared to help you with GDPR-related requests.
Visual artist Nicolet Groen admits she
is concerned about the tools she uses to
market to her prospects.
“The thing I worry about most is whether
the SaaS products I am using are GDPR
compliant,” she said. “I did an assessment,
and there are still many loose ends.”
Somewhat concerning is the lack of conversation about GDPR for small businesses and those operating outside of technology circles. For example, the regulation is an unknown challenge for many volunteer-led or -organized events relying on third-party technology providers to handle anything tech-related. But GDPR requires both the processing and handling of data to be compliant, and the responsibility falls on those organizers—whether they know it or not.
“Many people just don’t believe GDPR is
something that pertains to them, and that
worries me, as organizations typically don’t
know if someone is a citizen of the EU just
by the little bit of data they may have about
them in a database,” DeLorenzo said.
Research by the analyst firm Gartner
revealed over 50 percent of companies
affected by GDPR regulations will not be
in full compliance with its requirements by
the May 25 deadline.
Conversations about GDPR can take a predictable path, moving from scaremongering to hedging one’s bets that GDPR enforcement would be unlikely to impact smaller organizations without egregious offenses. But GDPR will have a remarkable impact on businesses, regardless of size.
According to a PwC pulse survey (www.
What is GDPR?
In April 2016, the EU Parliament passed expanded regulations under the General Data Protection Regulation (GDPR) regarding the collection, transfer and protection of the personal data of EU citizens. These regulations unify and strengthen data protection for EU citizens, giving them more control over how their personal information is used.
What will you need to do to stay compliant?
GDPR’s protections follow the individual. Therefore, if you are collecting and/or processing PII (Personally Identifiable Information) of EU citizens anywhere in the world, you must follow GDPR regardless of whether your event is held in the EU or not.
What are the requirements of GDPR?
Meetings and events capture personal information: registration systems; mobile event apps; post-event surveys; collection of names, physical and email addresses; computer IP addresses; session attendance; frequent flyer information; food preferences; and more. GDPR sets guidelines for how this information should be captured, stored, accessed and deleted.
Consent is key. GDPR mandates the need for positive opt-in, maintaining evidence of consent and ease-of-withdrawal, among other requirements.