Meeting Evolution (ME) has reviewed the requirements of the European Union (EU) General Data Protection Regulation (GDPR) and is providing the following statement to explain the requirements for compliance.
What is GDPR?
As it relates to the meetings industry, GDPR consists of new regulations developed by the EU to strengthen the protection of personal data belonging to citizens of European Union countries that is entered, stored and accessed via online registration systems, mobile apps, lead retrieval systems and post-event surveys. GDPR will become enforceable on May 25, 2018.
There are two (2) primary components in complying with the GDPR:
• You, as the owner of the data, need to appoint a Data Controller Officer (DCO) who is responsible for developing and implementing the GDPR compliance.
• ME, as the provider of the processing technology, is required to appoint a Data Processor Officer (DPO) who is responsible for assisting the DCO in making sure that controls are in place.
What data is protected?
Personal information that is entered and/or stored including: names, physical addresses, email addresses, computer IP addresses, session attendance, frequent flyer information, food preferences, passport/visa information and more.
How will this impact my meetings?
If you are running meetings – either in an EU country or where EU citizens might be attending – you will need to provide the following:
• Individuals – attendees, speakers and vendors from EU countries must be provided with an Opt-In checkbox with a date/timestamp and a link to your GDPR Compliance Document that details how their data will be used and stored. The wording on the Opt-In should state that they have read and understand the Compliance Document – much like we have all become used to with the Privacy Statements on websites. They must complete this step before moving through the registration process.
• Your Compliance Statement must list everywhere that the data will be used or stored – so if you use e-marketing, survey, CRM or other systems to which their data is transferred, you need to identify each of these and give a brief explanation of how their data might be used.
• You need to provide the ability for a person to request that their information be removed from your databases – when requested, you then need to provide confirmation that their data has been removed, or the ability for them to remove their information themselves.
ME Obligations under GDPR
As your technology provider, ME is required to facilitate your compliance with GDPR. Where you request that an individual complete personal profile information, the form needs to have a brief statement about GDPR compliance, a link to your Compliance Statement and an Opt-In/Confirmation checkbox whose value is stored, along with a date/timestamp, with the individual's profile information.
Logic will need to be in place prompting for their Country as one of the first steps and, if they are from an EU country, presenting the above fields and links. This way your non-EU individuals will not need to deal with the GDPR fields. If you are providing a list of invitees and/or potential registrants, you will need to provide us with the Country so we can automatically prompt where applicable and store the information.
Once permission is granted and the individual registers for subsequent meetings, a brief statement will be displayed indicating that they have already Opted-In, and they will be given the option to review your policy again but will not be required to.
Who Is Responsible for Compliance?
The ultimate responsibility rests with you – the data controller. So it is important that you develop a GDPR Compliance Statement, appoint a DCO and coordinate with ME to implement the above steps in your registration or mobile app system.
For more information please contact our DPO:
Vice President & DPO