The EU General Data Protection Regulation (GDPR) on data protection has now been in force for almost a year. It has had a direct impact on the meetings industry across Europe and beyond. As a professional conference organiser with a focus on compliance, at Congrex Switzerland, we started taking steps towards GDPR implementation before May 2018.
Our efforts focused on building GDPR requirements into our operational practices and technical applications. This has been a broad-ranging endeavour with implications for every organisational department, from IT to Housing and including Marketing and Meeting Planning. In this article, we outline the impact of GDPR and how we have handled the new requirements, hoping that this serves as a useful guideline to other professionals in the meetings industry.
GDPR & IT In The Meetings Industry
As a conference organiser, Congrex is a data owner, a controller, and a data processor. This means we need to comply with different requirements and have a number of obligations that need to be compatible across our different roles. This requires taking a comprehensive approach to enforcing GDPR in all our IT operations. After auditing our data protection policy, we classified our course of action into two distinct areas:
- Replacing suppliers and services that were not GDPR compliant.
- Consulting our clients as part of our needs analysis process.
- Signed all necessary data processing contracts, ensuring all rights and duties were clearly stipulated.
- Designated an internal DPO (data protection officer) with legal expertise, as required by Articles 37 and 39 of GDPR. The DPO’s primary role is to monitor all practices related to data protection so we can revise them on an as-needed ongoing basis.
- Modified some of our software to ensure it was in line with GDPR concerning the rights of data subjects.
- Applied greater scrutiny to any IT-related operations that involved processing or transferring personal data.
- Trained all internal staff to create a culture of data protection awareness.
GDPR & Meeting Planning
GDPR’s impact is somewhat limited in this department. The main change involves the event enrolment process. In addition, we have modified our forms and no longer ask delegates for specific personal data.
GDPR & Housing
The changes here have been substantial, as GDPR requires data encryption and the set up of individual access systems when dealing with personal information. This means we’ve had to redesign our communications with hotels and other travel service providers.
For example, credit card data are now sent to service providers via a secure link or over the cloud instead of over plain e-mail. The same applies to delegate lists that are routinely sent to hotels, which are now password-protected and sent over the cloud. Moreover, third-party room reservations are now available via a secure system, which includes individual log-in credentials for each delegate.
GDPR & Registration Services
Following GDPR implementation, our registration department no longer collects delegates’ data. These include an address, marital status, e-mail, and others. Previously, this type of data was passed on to our clients at their request, usually after a meeting was over for follow-up purposes.
On the one hand, this reduces the volume of work for our department. But on the other, it incurs additional costs and effort. For example, signs must be set up at the venue to make delegates aware of opt-out possibilities. We also need to get very granular, specifying what data we’re collecting and for which purposes.
Overall, GDPR has been a positive addition to our operations, making them more robust and reliable. It has also brought value to our clients, who now have full control over their personal data. However, we’re facing new challenges as a result of these regulations. Many suppliers and clients aren’t aware of the full scope of GDPR. So data collection and handling are now longer processes as we need to explain the changes. At the same time, GDPR compliance is labour intensive. It has added 1-2 additional steps to the workflow of most departments. Looking ahead, our main priorities are raising GDPR awareness among all parties involved, and streamlining further our operations while keeping GDPR principles at the core of what we do.