Meetings Mavens Talk Shop
How meeting managers can push toward compliance, and the industry changes GDPR could precipitate
The European Union’s General Data Protection Regulation will
expand the role of data governance for corporate travel management and for
meetings and events management. Preparations need to happen now to be compliant by May 25, 2018,
when penalties—up to 4 percent of a company’s global revenue—will go into
effect. With so much data produced and processed for meetings, plus the
permissive data governance allowed in the U.S., meetings managers need to
understand the GDPR responsibilities and liabilities of not only their own
companies but also their data and technology partners. Also, it’s not just for
meetings and events in Europe. Any event that hosts EU citizens as participants
is subject to the rules and penalties.
GoldSpring Consulting’s Kevin Iwamoto and Lenos founder and
CEO Debbie Chong—whose background as an attorney specializing in e-commerce,
data privacy and other corporate matters informs her current role—talk with BTN
editor-in-chief Elizabeth West about how meeting managers can push toward
compliance and what industry changes GDPR could precipitate.
BTN: To use a sports analogy, are meeting managers acting as the goalies
when it comes to data protection? If not, who needs to be managing this?
Debbie Chong: Meeting professionals have responded to
our concerns around privacy as, “That’s for someone else in the company to
worry about.” Data is not their area of expertise, and we understand that. But
GDPR is going to make [data privacy] everybody’s concern. Literally,
everybody’s. You might not need to understand the technical and all the legal
implications and details, but you’re going to need to know whether your systems
and processes are GDPR compliant. Because the stakes are high, in terms of
penalties, this is unlikely to be an assessment made by those who are operating
the system. This is now at a level [where] IT and the [data privacy officer]
will be more involved in decisions around [meetings technology] systems.
BTN: What role will meeting managers have, then?
Kevin Iwamoto: I’m educating meetings clients about
asking the right questions when sourcing and contracting. I still see contracts
that claim data protection governance is Safe Harbor. Well, that doesn’t exist
anymore. And even [contracts] that say that data is protected by Privacy
Shield. You can assume Privacy Shield will be replaced by GDPR. On the flip
side, if fulfilling your service level agreement necessitates a GDPR violation
or breach, you bet your suppliers will come back to you and ask for some form
of financial support [to cover penalties] because they are working for you. So
with meeting managers, it’s a matter of awareness and knowing now what some of
the issues are and bringing it up with the right people in the organization.
This is an issue that the C-level suite has to take on, and as Deb said, you’ll
see more data protection officers and IT getting involved in meetings.
BTN: What kind of data are we talking about? Will GDPR govern personally
identifiable information, or does it go beyond that?
Chong: GDPR compliance will have far-reaching
implications in how you handle the PII of your customers, partners, prospects
and employees. But it goes beyond PII. For example, [a meetings technology
company] is managing data that identifies our customers’ best salespeople, when
you talk about incentive [programs]. We know housing requirements or sleeping
arrangements. We know dietary issues of participants. All of this is extremely
confidential and sensitive client information. Meetings touch so much data,
both the data that I provide, as well as data that [a technology system]
possibly receives like my IP address, my search history, my Web track on my
location. [Marketers can also] infer data based on my online behaviors. [The
tech provider] might even share that data with a data mart … and other
companies might be buying [my data], even if it’s aggregate, to remarket other
products to me. Until now, these have been privity-of-contract issues. Now,
they’re going to become a GDPR issue.
BTN: Participant behavior data is becoming such a big part of meetings and
events and often is provided to sponsors as part of the value of their
investment. Will GDPR interfere with this?
Iwamoto: [GDPR] will change the way meeting
participants opt in or provide permissions about how their data can be used. I
envision that everything will need a data [usage policy] and companies will
have to be more transparent about how the data is used.
Chong: Conference producers will have [to require]
sponsors to sign an agreement that they will not transfer that data and use it
except for the purposes agreed to by the person who provided the data. Under
GDPR, participants will also be able to revoke their consent to share data, and
that will add another task to data management. [Corporate clients] will need to
check the tires on their technology [to understand] whether the solution can
handle the permissions and proper opt-ins. We’re in the world of Big Data and
Fortune 500 companies. Technology systems need to handle data according to
these requirements so that no one has to perform manual tasks. This will
mitigate risk to a certain extent.
BTN: Who, exactly, is the liable party in terms of data privacy violations
under GDPR?
Chong: The data controller, so in this case the
corporate client. The controller has an agreement with the data processor,
which is the technology company. As a processor, I would not take any
instructions other than from the controller because the controller is
responsible under GDPR for managing the data, for treating it the way it’s
supposed to be treated.
BTN: Many companies access technology through the third party. Is the
liability still the same?
Chong: The data controller is still liable. For a
limited number of programs, we appreciate [that] licensing via a third party
makes sense. However, for a strategic meetings management program, we recommend
companies … go direct to a technology provider to ensure that there is privity
of contract to address any potential liabilities. The company data protection
officer, a requirement of GDPR compliance, will get involved in the selection
and management of technology in both scenarios.
BTN: Many companies have so-called “no-cost” SMMP agreements with third
parties, funded mainly by hotel commissions. They don’t have resources for a
technology RFP or other SMMP tasks. Is it realistic to think that these
companies will change course because of GDPR?
Iwamoto: By program size and by activity, people need
to do the math and do the financials as to whether going direct makes sense, or
should they license to a third party, an intermediary. Every company is going
to come to a different financial conclusion.
Chong: I respectfully disagree, if we are talking
about enterprisewide SMMP.
Iwamoto: I just went through it with a midsize client
where they wanted to go direct to the [technology] supplier, but when they did
the financials and the head-count resource allocation internally, they could
not get that approved. They [went] through a third-party partner.
Chong: I had the opposite. A client [told me
recently] they had not gone direct and their CFO is now insisting that they go
direct. I think any organization is going to be at risk if they don’t go
direct. How will they explain, if the third party [mismanages the data or
mismanages the technology], that suddenly the end client corporation is getting
fined? So I disagree, I respectfully disagree.
Iwamoto: If that’s going to happen, then GDPR might
force more direct contracting with suppliers. But currently, it’s a matter of
head-count resource and budgets and financials that lead people to go through
the third party. If they do go that route, however, I foresee GDPR compliance
becoming part of the auditing process. We do audits all the time for different
components of travel and meetings, so I envision that this will become a
separate audit stream.
BTN: Will GDPR, then, force a shift in how meetings technology is priced or
tiered so it fits more types of end clients?
Chong: I don’t believe this is all because of
pricing. That’s just sort of a misnomer in the marketplace. We have clients
that might just need our systems for one program a year, and then we have
others who are doing 5,000 programs a year. They’re not paying the same thing.
Plus, the technology is priced based on usage. Corporations have to weigh the
cost of [the right technology and contracts] against the risk of being fined
for GDPR violation. Beyond the fine itself, think about public perception. If a
company gets fined, everyone is going to start looking and saying, “What else
did they do?”
BTN: What about corporate data, like booking patterns, hotels and
locations—basically the RFP history? Is that corporate data ever sold to meetings
suppliers and would GDPR come into play here?
Chong: If I’m responsible for sourcing meetings and
I’ve set my profile and the sourcing technology is sharing my buying patterns
and my profile data in a dashboard to vendors in the marketplace, there is no
privity to take actions as you are not a party to the contract if your end user
is not aware and has not given the company permission to use the data in that
way. Practices and other behaviors that produce covert revenue streams will be
challenged in the world of GDPR. Overall, GDPR will help in all of our efforts
to further professionalize our industry and provide the visibility that it
deserves in terms of how meetings and events impact revenue generation and
corporate success rates overall.
BTN: Kevin, do you agree?
Iwamoto: I do, but I also think we should underscore that this goes way beyond meetings
and affects how companies need to be looking at data governance overall and how
meetings fit into that. We know that the U.S. has some of the lowest data
privacy standards in the world. In Europe, data privacy is a right. GDPR is
pushing that issue on a global scale.