GDPR for Events and Hospitality after Brexit
The EU General Data Protection Regulation (GDPR) came into force on 25th May 2018, requiring organisations to put data protection measures in place when either offering goods and services to, or monitoring the behaviour of, individuals within the EU. GDPR's reach is global, so it can affect any company, regardless of where in the world it is based. Failure to comply can lead to hefty fines and considerable reputational damage.
In June 2016, the UK voted to leave the European Union (Brexit) - after entering a 'transition phase', the UK and the EU started a new trading arrangement on 1st January 2021. Since then, the UK has enacted parallel legislation to the EU GDPR, but one that applies to individuals in the UK. This has implications for businesses in the UK, the EU/EEA and across the world.
This article looks at the impact of Brexit on UK and EU data for the events and hospitality sector, which processes large volumes of personal data of individuals from around the world.
Disclaimer: The content of this article is for informational purposes only. It is not intended to be legal advice, and nor should it be construed as such. Please consult a data protection professional or legal adviser for guidance on your specific circumstances.
Principles of GDPR
The diagram illustrates the fundamental principles of GDPR. In summary:
Personal data consists of any data that can identify an individual
GDPR applies extraterritorially to any organisation that either offers goods and services or monitors the behaviour of EU citizens
There are six principles for processing personal data
For processing to be lawful, it must follow one of six principles
Individuals have eight rights to their data
Organisations can either be Controllers or Processors, and they must have a written contract in place between them if they exchange personal data
Finally, GDPR is all about accountability – businesses that hold the personal data of other people are fully accountable for safeguarding and protecting it
GDPR for Events and Hospitality
Why Events and Hospitality?
There are many different organisations involved within the events lifecycle, as demonstrated in the image above, each providing a specialised service. There are also many kinds of personal data, often shared between these organisations to allow them to perform their services. Because events tend to be global, this potentially means that lists of personally identifiable data (PII, often delegate lists) are passing from one organisation to another, often crossing borders. Typical examples include:
A UK agency holds a conference in Dubai, with delegates from all over Europe
A global agency has its Paris and London offices co-ordinating an event in New York with attendees from across the globe
A Berlin-based corporate is holding an AGM in Madrid with attendees from the UK and Asia
A London based agency uses a DMC in Greece (which is in the EU)… or Turkey (which is outside the EU)
A global corporation uses multiple agencies in different countries to manage their meetings management program
For each example above, multiple lists of personal data may be shared between numerous actors - corporate, agency, venue, hotel, DMC, transfer company, etc. - as demonstrated in the image below. Each actor may be local or international, and may further share the data with one or more third parties.
What is a representative?
Under the EU GDPR, any company which is based outside the EU, does not have an office or branch within the EU, and regularly processes EU personal data is required to appoint a representative within the EU.
The representative is someone who can speak on behalf of the company and handle any queries from data subjects or the supervisory authorities. The principle is that any individual who has an enquiry about his/her data should be able to raise this with an EU-based company, rather than chasing the parent company, which may be in China or Australia (or anywhere outside the EU). There are a few exceptions, but by and large, events and hospitality businesses that do not have an office or branch in the EU are required to appoint a representative.
GDPR after Brexit
Before 1st January 2021, the UK was part of the EU so there was only one GDPR that applied to individuals in the EU, which included individuals in the UK.
Since that date, the UK has absorbed the principles of GDPR into UK law, to create the UK GDPR. So now there are two GDPR regulations businesses need to consider - the two laws are very similar, only they apply to different groups of people.
The EU GDPR applies to any businesses that process the data of individuals in the EU, and
The UK GDPR applies to any businesses that process data of individuals in the UK.
The global nature of the events industry means it is likely most businesses will have to comply with both sets of regulations. One outcome of this is that a UK event business may now need to appoint an EU representative. Similarly, the reverse is also true – an EU event business may have to appoint a UK representative.
Representatives after Brexit
From 1st January 2021, UK companies may be required to appoint a representative in the EU/EEA, if they process the data of EU citizens and do not have a branch in the EU/EEA. Similarly, EU/EEA companies may now be required to appoint a representative in the UK, if they process the data of UK citizens and do not have a branch in the UK.
International companies who have already appointed a representative in the EU/EEA may now be required to appoint a representative in the UK as well, depending on which data they process.
For example, an events agency in Paris that regularly processes the data of delegates from the UK may need to name a representative in the UK. Likewise for a UK DMC that provides event services to EEA agencies. The primary role of the representative is to communicate with the local supervisory authority, should there be an enquiry or a data breach, and to manage any data subject requests.
Appointing an EU or UK representative is a legal requirement under both the EU GDPR and the UK GDPR. As part of their due diligence / supplier selection process, potential clients could enquire about a company's commitment to complying with either or both GDPR regulations. Where a company needs to appoint a representative but has not done so, there is a real prospect of not being considered for a project.
UK - EEA Transfers after Brexit
From 1st January 2021, the two-way movement of data between the UK and EU/EEA can continue for up to 6 months, or until the UK has been granted adequacy status. The period is referred to as 'the bridge', and the ICO has already commented positively on a draft adequacy decision published by the European Commission in February 2021.
Should they fail to come to an agreement, UK and EU businesses may need to rely on standard contractual clauses to legitimise exchanges of data between the UK and EU.
UK-Adequacy Country Transfers
Update 1st January 2021 - the UK can continue to rely on the 13 existing adequacy decisions adopted by the EU, until it has finalised its own agreements with these countries
For transfers to other approved countries outside the EEA that have an adequacy decision, transfers between the UK and those countries can continue under the EU's existing adequacy decisions. That is, for countries such as New Zealand, Uruguay, Argentina, and partly Canada and Japan.
For two-way transfers of data with countries in the rest of the world, existing standard contractual clauses can continue to be used as currently.
This includes transfers to and from the US, as the Privacy Shield adequacy decision was invalidated in July 2020.
The role of the ICO
The ICO is now the lead supervisory authority for companies in the UK and will no longer provide EU-wide One Stop Shop services. Over time, it will create its own BCRs, SCCs and codes of conduct. Where UK companies process the data of EU individuals, they will be required to nominate a new lead supervisory authority within the EU/EEA.
One consequence of this change is that companies that breach data protection laws could be fined by both the ICO AND one or more EU/EEA data protection supervisory authority.
Cloud Service Providers
Having two GDPR regulations can have implications when using cloud services. For example, a UK company that processes only the data of UK individuals but uses a cloud hosting service based in Dublin may need to ensure it has appropriate safeguards in place to justify storing UK data within the EU. If an adequacy decision is not reached, this may require standard contractual clauses to be in place to legitimise the hosting.
Other Changes After Brexit
Both EU and UK companies need to consider the following:
Update privacy notices to reflect the changes above - e.g. references to data transfer to a 'third country', the appointment of a UK/EU representative, the nomination of a new lead supervisory authority, etc.
Update all records of processing activity to reflect the changes above
Update all existing contracts with third parties, where there is any reference to GDPR or the cross-border transfer of personal data
Appoint a separate data protection officer (DPO) for both the UK and EU
Appoint a local representative in the EU/UK, where they are processing data from outside the jurisdiction
Finally, businesses should consider their partners and suppliers, because GDPR says that you need to work with other GDPR-compliant businesses. As a result, you may need to make sure you are compliant yourself, and make sure you are working with partners who are also compliant.
What should businesses do to prepare for Brexit? Whether there is a DEAL or NO DEAL, companies will need to act, and it is better that they understand the implications now and have a contingency plan. The news changes daily, and it's possible that the UK will leave the EU on 31st January 2020... or it may not leave on that date... or Article 50 may be revoked. Much depends on the risk appetite of the company, but an audit of all types of personal data (UK and EU), together with a mapping of the flow of this data across borders, should be a starting point.
Smartec Business Solutions provides a number of technology, data and GDPR services for the events sector, including data audits, outsourced DPO and representative services. For details, see www.smartecbs.com/solutions/gdpr, call Smartec on +44 (0)1784 289974 or email email@example.com
Credits and Resources
This article was written by Arvi Virdee, Managing Director of Smartec Business Solutions.
His email address is firstname.lastname@example.org.
The information came from the following sources:
The UK Information Commissioner's Office website (Data protection if there's no Brexit deal)
The European Data Protection Board website (Information note on data transfers under the GDPR in the event of a no-deal Brexit)
The Privacy Shield website (Privacy Shield and the UK FAQs)
Trustarc webinar (Current state of Brexit and Data Protection Impact)
The Law Society website (No-deal Brexit guidance: Data protection)