SMMP Compliance Will Get Real with GDPR

By GoldSpring Consulting senior consultant Kevin Iwamoto / January 29, 2018

The countdown to May 25, 2018, is set for compliance with the European Union’s General Data Protection Regulation. Strategic meetings management program leaders can leverage the opportunity to get visibility and oversight of rogue meetings and events spend.

One of the most common challenges among SMMP global category leaders is their inability to see local country spend and local country preferred supplier agreements. GDPR offers an opportunity for SMMP category leaders to access all this information through a GDPR-readiness audit. Violating GDPR will result in fines of 4 percent of annual global revenue or 20 million euros, whichever is greater, so it shouldn’t be difficult for SMMP category leaders and procurement to get approval to conduct such audits and then bring the rogue spending and supplier agreements into the SMMP.

Here’s what I see in the market, and many companies will scramble to make the May deadline:

The PII Governance Gap Audit: If you think about all the personal data flowing through business travel, meetings and events, the data-governance-gap audit is critical. SMMP leaders will figure out what personal data they have about attendees, speakers and sponsors; where it came from; and whether they have adequate consent to use it. Under GDPR, existing preselected boxes and opt-ins are not enough.

Data Storage: SMMP leaders are scouring the systems where data is stored and analyzing when it was last used and what it was used for. Data accuracy is key here, as are the processes in place to keep the data safe and, important for meetings, whether that data has been shared with other suppliers and partners. SMMP leaders will be busy ensuring they have adequate consent from participants and that sponsors and suppliers are compliant with GDPR regulations.

Existing data may take a hit. Corporates will have to communicate incorrect information back to individuals. They will also be obligated to destroy the data if they never had the proper consent in the first place. This happens often when merging registration and attendee lists from other meetings and events. Indeed, this practice will require much more oversight, and that necessitates a clear understanding of what personal data is held, where it came from, where it is stored and who it was shared with.

Documentation: Organizations will have to be ready to show they complied with data protection principles by having effective policies and procedures in place. And just as financial audits are standard for travel programs, the meetings industry should get ready for personal data audits to become the norm.

It’s hard work, but it’s not bad news. The GDPR requirements will allow SMMP leaders to get local country spend transparency and consolidate it under the main corporate SMMP governance umbrella for greater control in 2018.