GDPR will transform the culture of all businesses that process personally identifiable information (sometimes called PII) of EU citizens. It comes into force on 25th May 2018, and the meetings and events industry will be heavily impacted, because processing personal data is so central to the industry.
Companies need to become ‘GDPR Compliant’ before May 2018, or risk facing eye-watering fines – for many small and medium-sized businesses, a fine for a data breach after May 2018 will probably cause them to go out of business!
GDPR is not only about the rights of data subjects (e.g., event attendees / delegates), but reaches far within the organisation – as stated above, it will cause a cultural change, as the business has to put data privacy at the forefront of its thinking.
Journey to GDPR Compliance
Arvi Virdee of Smartec Business Solutions is a certified GDPR Practitioner, and can be found on the gasq.org database of accredited professionals. As a subject matter expert in the meetings and events industry, Arvi has the background knowledge required to help organisations become GDPR compliant. The journey to compliance consists of the following phases:
- Start off with an audit of all existing processes, policies, contracts and assets within the organisation.
- Carry out a detailed data mapping and ‘gap analysis’ of all processes that handle PII data. There is no easy way of doing this – it will often require input from different department or division heads.
- A report will summarise the current position of the organisation, and present a plan to become compliant with recommendations for priority areas.
- Any remediation work required will be carried out, either internally by the organisation, or with the help of Smartec or other 3rd parties.
Smartec Business Solutions offers the following GDPR Compliance options for steps 1 to 3 above:
- Option 1 – a 3 day package that consists of 2 days onsite, followed by 1 day of analysis (or the other way around, as necessary), resulting in a report and a compliance plan. This is charged at £1,990 + VAT, with all expenses additional.
- Option 2 – a 5 day package that consists of 3 days onsite, followed by 2 days of analysis (or the other way around, as necessary), resulting in a report and a compliance plan. This is charged at £2,990 + VAT, with all expenses additional.
NOTE: in reality, most businesses hold much more data than they think, so the audit process should not be underestimated. Where branch or international offices are involved, additional days may be required.
Both options will require key personnel from all departments to be fully engaged and available for discussion. This includes senior management and the heads of Operations, IT, Sales and Marketing, Finance, etc. The following areas will be covered, in as much detail as practically possible:
- Data Management. If you offer delegate registration, you should understand your obligations on processing and storing the data. Where is this data stored, who has access to it and what is the data used for? Is data stored on a cloud system outside of Europe?
- Data Subject Rights. During the registration process, you capture personal information on delegates – you need to understand the rights of delegates with respect to the data you hold.
- Staff Awareness and Training. Unlike “boring” subjects like health and safety and diversity, data privacy can no longer be evaded – it has to be front of mind for the organisation, as well as its staff.
- Standard Operating Procedures and Policies. Most organisations have a number of policy documents on a shared network drive, which are often out of date. All these documents now have to be reviewed and, in all likelihood, re-written.
- Supplier Relationship Review. Event management companies work with all types of suppliers, some of which will be passed spreadsheets of delegate data (e.g., hotels and transportation companies). What do these suppliers do with this data? And what are your obligations in respect of your relationship with these suppliers? What about DMCs and suppliers outside the EU?
- Data Protection Officer (DPO). Event companies process a lot of personal data, but are they required, by law, to appoint a DPO? Or should they appoint one voluntarily? If not a DPO, how about a data protection manager?
- Data Breaches and Fines. GDPR comes into effect from 25th May 2018, after which fines can be imposed for data breaches. What are the compliance priorities of the organisation, and how can fines be avoided?
- Employment Contracts. GDPR has an impact on all existing employment contracts, which may need to be amended.
For more information about these options, and how Smartec Business Solutions can help your organisation become GDPR compliant… or even to have Smartec act as a DPO, call +44 (0)1784 289974 or email firstname.lastname@example.org.