The European Union’s new General Data Protection Regulation will come into effect in May. Here’s why event planners in Asia need to pay attention.
In the current information age, data is big business — and so is data protection. When it comes to meetings and events, the seemingly endless flow of data across country and regional borders can be difficult to manage, and it’s about to get a whole lot harder.
On 25 May, the European Union will enact new data-protection laws, known as the General Data Protection Regulation (GDPR) across all 28 EU countries. The laws impose strict new rules on controlling, processing, and sharing the personal data of EU citizens. This includes the transfer of data outside the EU — and applies to all companies working with Europeans, regardless of geographic location.
For Tiffany Morris, general counsel & vice president of global privacy at global data-management company, Lotame, this is a danger point for event planners and service providers in Asia.
“With GDPR, the thing to keep in mind is that the law applies if a company is collecting personal data from Europe,” Morris said. “It doesn’t matter if the company is in Europe, it doesn’t matter whether the consumer on which you’re collecting data in a European resident. If your event happens to be at a Marriott hotel in London, for example, and people are registering for your event, then GDPR would kick in because that personal data is flowing from Europe to the collecting entity. That’s a big change — and what we lawyers call an ‘extra-terrestrial law.’ [It] has boundaries far beyond the jurisdiction in which the law has been established.”
GDPR also stipulates that organisations must have the clear consent of an individual to use their data for a specific purpose.
For event marketers looking to leverage data collected at events, Morris offered this advice: “You really need to articulate to consumers what information you’re collecting and for what purpose,” she said, “and if you’re sending it to third-parties. In many cases you may need opt-in consent from the user or you may need to establish ‘lawful means’ to process the data under GDPR.”
Morris said that her “biggest concern for clients,” especially those operating in online advertising, is the use of cookie IDs — considered the currency of online marketing. “Historically we haven’t considered this data to be detailed enough that it would identify a user individually, but under this new law, it does,” she said. “That’s a really big shift for us.”
According to Felix Rimbach, director of research and development at event services and technology company, Globibo Singapore (which has offices across Asia, Europe, and the U.S.) data transparency is another sore point.
“The legislation describes very clearly that policies can no longer be hidden in complicated and convoluted legal jargon,” Rimbach said. “This is a rather common practice in Asia and Europe and requires immediate attention, especially for terms and conditions used in registration processes.”
Transparency also comes to the fore when it comes to working with third-party suppliers and ensuring they are compliant with GDPR.
Morris recommended establishing data-processing agendas. “These documents establish what security and technical safeguards need to be in place, who can touch the data, under what conditions it can be processed, and very specifically outline what the third party can and cannot do with the data.”
The increased use of real-time messaging apps, facial recognition, and live streaming at events also presents a problem. To navigate the GDPR rules, Rimbach recommended that all event professionals attain legal advice to review internal data processing and storage systems in order to make necessary changes before the May deadline.
“The complexity of current event technologies has significantly increased — cloud storage, system interfaces, and networked processing have become difficult to comprehend as well as to isolate properly. We clearly recommend planners to seek strong legal support to get ready for the change.”
Rimbach fears many planners in APAC are not prepared for the impending changes, and may be unaware that failure to comply can result in huge fines. “Even if planners in Asia comply with local standards in their corresponding home markets, they become directly liable to potential fines which are linked to the overall revenues of the company,” he said. “We are afraid to say that we see a big gap in regards to future compliance with the new regulations. A majority of organisations have made some good basic steps to comply with local data protection policies, but the unique and rather novel reach of this legislation, especially with regards to processing event registrations, has not been fully acknowledged.”