On May 25, 2018, the GDPR (General Data Protection Regulation) becomes fully enforceable throughout the European Union, and organisations that are not compliant will face hefty fines. Congrex Switzerland is therefore working with a Data Protection Officer to offer our clients an all-in-one package for compliance with the EU GDPR as of 1st May 2018.
GDPR for the meetings and association industry
The European Parliament approved GDPR in April 2016. Once the regulation takes effect, it will require associations and event organisers to change how personal data is collected, stored, and handled.
Until now, data protection was governed by the 1995 Data Protection Directive, which set the standard in this area. GDPR replaces the 1995 rules and expands their scope. Like its predecessor, the new regulation applies to the collection and storage of personal data of people who reside in an EU member state (including UK residents), but it brings a significant change in the extent of its application.
GDPR will apply to all organisations that collect personal data on European residents, irrespective of where those organisations are based. This means that you will be bound by the new regulations even if your association is based outside Europe, or if your event is held outside the EU. If your members or attendees are EU residents, you should fully understand what is entailed in the updated regulations and establish the procedures needed for GDPR compliance.
The basics of GDPR terminology
The new data protection law makes a clear distinction between two types of data handler. Controllers are individuals or organisations that determine and oversee data processing operations. Processors are the individuals or organisations that carry out data processing on behalf of, or at the request of, a controller. The fundamental question is who handles the data: your own organisation, or a third party such as an event organiser or a marketing contractor? In either case, both controllers and processors have defined responsibilities and are obliged to carry out all their data processing operations in a way that respects the rights and freedoms of EU residents, who are referred to as data subjects.
Data subjects have fundamental rights that associations must safeguard, as described in the “What are the requirements of GDPR?” section below.
Implications of non-compliance
Both controllers and processors (which may be different entities or the same one) are subject to stiff fines for non-compliance. The amount depends on the type of breach, the level of cooperation, intent, and mitigation efforts, but can be as high as 4% of the organisation’s annual global revenue or €20 million, whichever is greater. At the lower tier, an organisation can be fined 2% of its annual revenue or €10 million, whichever is greater.
What are the requirements of GDPR?
Under the GDPR, the following rights of data subjects must be respected by both controllers and processors:
- Consent: The conditions for consent have been strengthened. Consent must be explicit, separable from other matters, and requested in a clear and easily accessible form using precise and understandable language. It must be as easy to withdraw consent as it is to give it.
- Breach Notification: GDPR makes it compulsory to notify both users and data protection authorities within 72 hours of discovering a security breach.
- Right to be Forgotten: EU citizens and residents have the right, at any time, to ask for their personal data to be deleted and for it to no longer be shared with third parties.
- Data Portability: Individuals have the right to ask your organisation for a copy of all their personal data, or to have that data sent to another organisation.
- Privacy by Design: Organisations must build data protection into their processes from the very start.
- Data Protection Officer: Organisations are obliged to appoint a DPO, who will be in charge of GDPR compliance.
The underlying principles of GDPR are privacy by design and data minimisation. Privacy by design means that data protection must be embedded into technical and organisational systems and procedures. Privacy must be the key consideration guiding how much data is collected, the extent to which it is processed, how long it is stored, and how it is made accessible. Organisations must also apply the principle of data minimisation by collecting only the minimum amount of data needed for each purpose and restricting access to that data as far as possible. On the whole, GDPR requires organisations to foster a proactive culture of respect for user and member privacy. Both principles should be built into event registration forms, terms and conditions, an association’s user interface, membership records, marketing analytics, and any other process in which personal data is collected.
What steps is Congrex Switzerland taking to comply with GDPR?
At Congrex Switzerland we have already begun a comprehensive review of our internal data collection systems and methods in order to safeguard the privacy of our clients.
- We have completed an exhaustive analysis of what needs to change to help our clients seek and manage consent from their members and contacts.
- We have incorporated privacy by design and data minimisation into the technical applications we use to interact with our clients.
Is there anything Congrex Switzerland clients should be doing?
If your organisation has members who reside in EU member states, or if you organise events attended by EU residents, you should start preparing for the implementation of GDPR now. Firstly, analyse the 3 Ws of data protection:
- What data you have
- Where you obtained it
- Who has access to that data
Document your findings and extend the exercise to every kind of data you currently hold, including but not limited to financial information, website data, and data collected or processed by third parties such as payment gateways and processing companies, online analytics services, and content management systems.
Be meticulous in defining how you obtain and manage consent for data collection, and ensure that every change you propose safeguards the fundamental rights of your users, members, or event participants. Overall, you should strive to make data protection an integral part of your organisational culture and of your events.
Lastly, determine who your supervisory authority is, especially if you are involved in cross-border data processing. Detailed information on GDPR can be obtained from the European Commission’s Data protection portal and from the GDPR itself.
Congrex Switzerland is an internationally operating agency delivering customised solutions. This encompasses the overall organisation of conferences and meetings, including the management of hotel rooms, as well as strategic consultancy. Each year Congrex Switzerland organises approximately 33 events with over 73’000 delegates. Our clients include international associations, governmental organisations and corporations.
If you wish to receive additional information about Congrex Switzerland, please feel free to contact us.