GDPR: The Meetings View

If you’re a travel manager with purview over meetings, get ready. Meetings are a different ball game when it comes to the European Union’s General Data Protection Regulation, which will be enforced beginning May 25. If you think that internal employees, by accepting a position with the company, implicitly consent to sharing of their data for corporate meetings purposes, you’ll be surprised to find out otherwise. If you think meetings hotels are data controllers and you can set those contracts on autopilot just like preferred transient properties, don’t relax just yet. And what about all the other meetings suppliers like ground transportation, offsite dining and events and offsite team building providers? EY’s Kathy Grau, Cvent’s Tom Patten and strategic meetings management coach Debi Scholar broke it down at BTN’s Strategic Meetings Summit in New York late last month. Following are edited excerpts from that session.

BTN: How do you get started internally with GDPR compliance for meetings?

Grau: I reached out to my legal department because I have a relationship with them. They also directed me to EY’s data privacy team, which is directly responsible for GDPR compliance. We now have a call [almost] every week, and it’s mostly me saying that I thought of something else we need to address from a meetings standpoint. In the end, though, you definitely need to work with your data privacy team.

BTN: Kathy brings up a good point, that it’s mostly her going to her team with issues to address. A data privacy officer will address GDPR at a corporate level, but how aware are they of what is going on with meetings?

Scholar: Companies are doing what they need to do at a high level, but they often don’t understand the numerous interactions that take place for meetings and events. That’s [been the case] for 20 years now. Meeting leaders are being asked to include GDPR compliance as part of their performance metrics.

BTN: Can you give me an example of an area where legal and data privacy didn’t connect the dots for meetings?

Grau: Hotel [agreements are] a prime example: As we were updating our master service agreements with our group hotels, one of the hotel chains [that is also a transient partner for us] said, “We’re the controller, we don’t have to do this.” My data privacy person said to me, “They’re the controller for bedrooms.” And I said, “Based on what I understand ... they’re a processor for meetings.”

BTN: I thought hotels and most of the basic travel providers were data controllers under GDPR. Can you explain?

Grau: When it comes to bedrooms, hotels control the data and they control how it’s being collected and used. From a meeting space perspective—and really with most of the logistical details involved in a meeting—the hotel is a processor. If we send the hotel our attendee list, if we send a dietary list with names attached to it, [that’s personal data]. Or, if you send a VIP list with names to say, “Please ensure these three people get special treatment,” [the hotel is] now a processor. EY has different master service agreements for the transient program compared to meetings and events. It’s about educating the company that meetings are different.

BTN: What about other types of suppliers like ground transportation, offsite activities and dining. A lot of these kinds of suppliers get attendee lists. How do you stay GDPR compliant?

Grau: If you’re sending personal data, it needs to be encrypted. It’s also good to add a statement anytime you send an email out—and maybe it even becomes part of your signature line—that the attached data must be deleted within 30 days after the event concludes or at the point it’s no longer needed. We need to give guidance so the partner knows the process. If you’re ever audited, you can then also show that the guidance was in the contract or the addendum and that you instructed the partner to remove the data at the conclusion of the event.

BTN: What about the meetings agency? For transient programs, travel management companies are generally considered a controller. Is that different for meetings?

Scholar: While I thought that the meeting agency would be the data processor, recently a major meetings agency explained to me that for some actions they are the controller and in other cases they  may be the processor.  

BTN: What about technology suppliers? Do they stay in their processor roles?

Patten: As a technology provider, we’ll be pushing out information saying, “OK, here’s what we have available to help companies with GDPR compliance.” Ultimately, though, it’s up to the company to make sure their meetings are compliant. From the tech perspective, we don’t manage compliance, but we will provide the tools to do so.

BTN: Let’s talk about some of these GDPR tools and how you envision them working as a meeting gets pushed through a technology-enabled process. A lot of it pivots on the concept of consent.

Patten: GDPR requires a layered approach to consent. Companies may determine they need the permission of the meeting requester before they even get to the concept of meeting participants. Even if the organizer is an internal employee, using their information associated with the event could be interpreted to require consent and they may opt in to [event organization-related] marketing or research strategies or not. If the company takes this route, we will have the tools to do it, with consent to be part of the meetings management process.

BTN: From a meetings management point of view, is requester consent reasonable? How are you planning to manage it?

Grau: Every company is different, but you likely have a call with the meeting requester to go over the event details. If they selected either “yes” or “no” for the marketing or the survey, it’s a good opportunity to have a conversation to make sure that they understand the implications of their choice. Marketing might be a quarterly newsletter. If they checked no, it’s an opportunity to say, “Did you know this is how we share our quarterly travel, meetings and events information?” or, “This is an opt-in to participate in a satisfaction survey that we use to improve our meetings services for you.” That allows them to revise their choices.

BTN: What about the more traditional concern about meeting participants? What types of consent will companies need to collect from them?

Patten: You need separate consent for each of the reasons you’re going to use that data—for example, using someone’s information for planning the meeting. You may choose to include only a “yes” choice for this because if the [prospective] participant won’t allow that use, they can’t really continue. For other purposes like survey purposes or marketing purposes or sharing with third-party event sponsors, the event still provides value if they opt out. In these cases, organizers will need to provide separate consent for each potential use and participants will deliberately choose how the host organization can use their data. As a tech provider, we’ll have something like a library of consent purposes and options that clients can use, but it will be up to the company to decide which ones are required.

BTN: One of the central tenets of GDPR is the individual’s right to withdraw their data. How will this be achieved?

Patten: Cvent will have a system in place to obfuscate the data. The record will stay intact and for reporting purposes, you can see that somebody attended, but none of the individual’s personally identifiable information will be readable. It’s not encryption or anything; it’s going to be wiped out. We’ll be able to do this with all attendee data from a given event after 30 days or whatever the client wants. Or, we can also do it on an individual basis, should the client contact us and say, “John Smith wants his info wiped out,” we’ll strike it from the entire database for that client but not out of any [other client’s] database.

BTN: This all sounds great for meetings that are pushed through technology systems. What about the others?

Scholar: We’re never going to get 100 percent of our meetings in a technology, so the best thing you can do is to give [ad hoc meeting organizers] a checklist on the things that must happen. For example, you need to make sure attendee lists of any kind are always encrypted when sent via email. You may also have some manual consents and more pushing of paper back and forth. But you really have to make sure those [ad hoc organizers] understand that compliance process.

Grau: And just a note that at the conclusion of a meeting or event, any paper or anything that could have anyone’s personal information on it needs to be shredded. That sweep at the end of the event has always been important, and it remains so now. It’s not just about complying with GDPR, it’s about actually protecting people’s information.