Prepare for the Worst
Data breaches happen, and the regulations require companies to be prepared for them. Set up internal procedures that include monitoring to detect breaches and a team of experts to analyze them. Create a hierarchy of reporting: Who will be notified, when and in what order?
Collect advice from multiple sources and consult legal and other experts before finalizing agreements. Be ready to make adjustments according to how regulations are enforced.
The General Data Protection Regulation is the result of four years of work by the European Union to bring data-protection legislation in line with previously unforeseen ways that data is now used. It gives people more say over what companies can and cannot do with their data, and imposes severe fines for noncompliance and breaches.
The regulation, enforced since May 25 of this year, applies to any company or organization that does business in the EU or that processes the personal data of EU residents.
Following are general steps meeting and event planners should be implementing now, provided by Larry Samuelson, senior vice president and general counsel with meetings-tech giant Cvent.
(For more insight, see this month's feature.)
• Determine how GDPR affects your company. In most cases, organizations that plan meetings are data controllers: they control how attendee personal data is used and processed, and to what ends. Data processors simply process the information on behalf of the data controller. If you use a company like Cvent, you are the data controller and Cvent is the data processor. The controller, however, bears ultimate responsibility for the data, including making sure that any data processors that touch the information abide by the new regulations.
• Conduct an organizational information audit, including all subcontractors related to the data supply chain. Consider where personal data is stored, who has control and access, whether it is shared with third parties, whether it is shared with data processors and whether your subcontractor arrangements meet GDPR requirements.
• Understand the legal grounds for collecting data. Do you ask for consent when collecting data for your events? If not, heads up: That's required. Review your privacy and social media policies to ensure you are being transparent about how you're processing the data. The policies should be written clearly and tailored to their audience.
• Review and strengthen your IT operations. These systems and processes must comply with the rights of the people whose data you've collected, including their right to be forgotten (have their data permanently deleted or obfuscated) and the right to data portability (take their data with them to other parties or platforms). Identify security measures that are in place and whether they're sufficient, who has access to the data, and what plans are in place for data retention and destruction.
• Review your policies, processes and training. Your staff must understand the new obligations, and they need appropriate training for their data responsibilities. Identify what happens when roles change, as well as the policies governing any freelancers, casual workers and subcontractors.
• Determine whether you need a data-protection officer. If your core activities require regular and systematic monitoring of data, you need a DPO. Consult a legal/GDPR expert to help with this.
• Build a comprehensive, ongoing GDPR implementation and compliance program, with clear goals, priorities and timing, and with allocated resources. While enforcement began on May 25, data protection is an evolving work in progress.
• Prioritize areas with the highest risk and impact. Consider the activities associated with the steepest fines, such as sensitive data, consent and subject-access rights.