What to Ask Suppliers
How will you know if technology suppliers are truly in compliance with GDPR and following privacy-by-design principles? Following are suggested RFP questions for them, proposed by Lenos Software co-founders Debbie Chong, CEO, and Patti Tackeff, president.
Such placement could equate to marketing without consent; attendees have not agreed to receive marketing info from your suppliers.
• Does the software allow the data controller -- the client -- to manage data and consent?
Can the customer specifically manage consent, withdrawals of consent and automatic, secure deletion of personal data? If so, are those capabilities native to the solution or part of a third-party application?
• Does the supplier use website cookies/trackers or registrant data to market its software, share with data marts or sell data without customer consent?
Such practices would have to be both clearly spelled out and then consented to by the registrants.
• Is the software developed based on privacy-by-design principles?
This is the idea behind GDPR.
• Has the supplier ever had a data breach? What is the policy for handling data breaches in the future?
The GDPR spells out specific notification protocol to follow in the event of a breach. - M.J.S.
When personal data is breached in the corporate world, it's big news. More than 145 million of us have been notified by credit bureau Equifax that our personal information has been compromised. Likewise for millions of Facebook users, in misuse that led CEO Mark Zuckerberg to a grilling by Congress. The list goes on, and it grows almost daily.
All of this is unfolding just as the European Union's new General Data Protection Regulation goes into effect. By this point, you're probably at least somewhat familiar with GDPR and the fact that any organization that deals with data from any EU citizen must abide by the regulation or face fines. But meeting professionals have to be more than familiar with GDPR; regardless of one's role within an organization, data protection is now an obligation and the responsibility of all involved. The failure of anyone on the team to follow the proper protocol could be the mistake that causes the company to pay heavily in fines, reputation, customer retention or all of the above.
"I still see a lot of denial going on with many planners," notes Kevin Iwamoto, senior consultant with GoldSpring Consulting. "A lot of them strongly feel, maybe rightfully so, that this is not their core area of responsibility. But you can't just ignore it and hope that it goes away. You've got to raise your hand and ask the questions: is somebody in the company working on this?"
As of today, May 25, the EU has begun enforcing GDPR compliance. Cases can now be filed, and the EU court can levy fines. The regulation applies to data belonging to anyone holding an EU passport or residing in the EU, including U.S. expats on work assignments. Despite a two-year warning period provided by the EU, many U.S. companies are only now scrambling to put proper processes in place. "We've seen things evolve pretty slowly," says Patti Tackeff, president of the strategic meetings and event management technology platform Lenos Software. "In the fourth quarter of 2017, most people in the meetings industry hadn't heard of GDPR. In the first quarter of this year, people began to ask what it was. And even in the second quarter, people were saying, 'No worries, we'll be ready on the 25th. Take our word for it.'"
Since its launch in the late 1990s, Lenos was built on privacy-by-design principles. Co-founder and CEO Debbie Chong had been a regulatory lawyer focusing on cybersecurity issues in the financial-services industry before she and Tackeff launched the business.
In January of this year, Lenos released its GDPR Consent and Data Management Module, a tool that applies the company's data-privacy management expertise and understanding of the regulation to help streamline compliance, and it already has proven an essential aid for multinational clients. But even as of mid-May, says Tackeff, many in the meetings industry weren't onboard with compliance efforts. "We're still hearing meeting professionals say that privacy is not high on their requirements list," she says.
Iwamoto, who has been an outspoken proponent of GDPR readiness efforts for more than a year and a half, agrees that preparations have progressed very slowly. A collective epiphany occurred a few months before implementation, he acknowledges, but compliance remains far from universal. Iwamoto points to a survey GoldSpring conducted several weeks before May 25, which found that 13 percent of respondents, including meeting managers, travel managers and industry executives, still had done "absolutely nothing to prepare."
It isn't too late
GDPR is complex and, in many facets, open to interpretation. No doubt that is why many planners have been reluctant to put related data concerns on their already overflowing plates. But deadlines aside, GDPR readiness should be thought of as a continuing process, an opportunity to clean up our industry's collective act.
"In the case of an incident," says Iwamoto, "if you can demonstrate that you're in process, it will probably go better for you in the courts. If you're one of the 13 percent that hasn't done a thing [to prepare], it will probably not go well."
If someone else at your organization is heading up compliance efforts, adds Iwamoto, now's your chance to get involved. "If you're working for a multinational company, someone is probably already doing this," he notes. "And that can work to your benefit, but you have to find out who it is. If you don't ask the questions and something happens on your watch, you are foolish to think that your company is not going to hold you somewhat accountable."
The basics of GDPR
Whether you need to jump-start data-protection efforts at your organization or get up to speed to assist a compliance team, planners do need to take specific actions, advises Kevin Iwamoto.
The GDPR essentially divides parties into data controllers and data processors. Data controllers are the ones for whom the data is collected; corporate planners represent the controller. Data controllers are ultimately responsible for compliance and will be held accountable for missteps.
Data processors are any other parties that might touch the data: technology platforms, event management companies, DMCs, hotels, etc. They must be compliant, of course, but it is up to the data controller to ensure they are, to ask the right questions and design contracts accordingly.
Following are three critical action items for meeting planners.
1. Conduct a data audit. What data is being collected, and who is touching it? "This is a great opportunity to clean up one's act," Iwamoto points out. "Because oftentimes what people find is that their processes are outdated, and they're collecting more data than they need." Find the inefficiencies and decide what must be fixed.
"I think this is where most companies are now," Iwamoto adds, "trying to address and fix some of these gaps."
2. Understand people's rights with respect to personal data. "The biggest change is that somebody, at any time, has the right to demand to know what information you have on them," says Iwamoto. "And that person also has the right to ask that it be deleted. And you can't charge a fee; you have to be able to provide the data, delete it or let them use it, all for free."
3. Collect consent for everything, and disclose what you're doing with the data. You must have consent from individuals for any information you collect about them, and you must tell them exactly what their information will be used for. "Consent forms have to change," Iwamoto states. "They can't be full of legal jargon. You have to make everything straightforward and simple to understand. You have to disclose at which points their information will be collected (registration, mobile app, etc.) and what it will be used for in each instance."
And if individuals don't consent? "I say that means they can't attend," says Iwamoto. "If they're not agreeing to any of this, you don't want them at your event."
That's not likely to happen though, he adds. "Most attendees understand that their data is going to be repurposed in some way, shape or form. What GDPR says is that you have to disclose up front exactly what it's being used for. If they don't agree with that, they shouldn't be attending anyway."
Doing the right thing
While the above three action items are important, GDPR regulations are quite intricate, and interpretations of the new rules vary. No one knows exactly how the courts will enforce certain aspects of the law; it's best to consult multiple sources and a legal expert before finalizing policy or agreements. (A frequently updated list of helpful resources can be found on the Empowerment + site.)
Despite the uncertainties, "GDPR is the best regulatory solution to data protection that we have seen so far worldwide," says Alison Cool, a University of Colorado professor of anthropology and information science.
What's most important for planners, Cool says, is to think carefully about which attendee data they actually need, a concept that could be in conflict with the rush to capitalize on, and possibly monetize, Big Data. "Too often, the attitude is to collect as much data as possible and then figure out what is useful later on," she says. "Organizations that collect data about meeting attendees might look to the GDPR's principle of 'data minimization' as a start and then sit down as a group and talk about the ethical values of the organization, and what they are trying to accomplish through this data collection."
The move to protect personal data might be fueled by a fear of fines, but the misuse of personal data also can damage a company's reputation. Clients and the public are paying greater attention to corporate ethics and steering their business to firms that do the right thing.
"At the end of the day, we all come out of this as better companies," says Marty MacKay, DMCP, president of global alliance for Hosts Global. MacKay has undertaken a massive training program to make sure all Hosts DMCs are in compliance around the world, and she's working closely with clients as well, helping them understand their roles as data controllers and extend the needed protections to agreements with other suppliers.
"Trusted partners should have no issue with transparency," MacKay says. "When the truth and transparency is there with your suppliers, one party can say, 'We're going to tighten this up,' and you can support them. It's a journey, not a sprint. There are a lot of people out there trying to do the right thing and improve the industry as a result."
"The ethical discussion should really be a meeting with all members of the organization to avoid creating the sense that data protection is only a legal or technical problem," adds Alison Cool. "It is an ethical problem that everyone in the organization really should be thinking about."