May 25 is the day that the General Data Protection Regulation (GDPR) goes into effect. The GDPR provides EU citizens specific privacy rights regarding the collection, storage, transfer and use of their personally identifiable information. Non-compliance with the GDPR may result in significant fines and penalties of “up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher,” according to the GDPR’s regulation 2016/679.

In March, I attended a roundtable event co-hosted by Key Events and Lenos Software on GDPR compliance and how it will affect those of us in the meetings and events industry. 

Debra Chong, CEO and co-founder of Lenos Software, is also an attorney who is an expert on GDPR, privacy and regulatory requirements. She spoke at length about the intricacies of the regulation and some of the many potential legal ramifications.

While the regulation addresses the rights of EU citizens specifically, Chong recommends that companies apply the rights provided by the GDPR to all individuals. This approach engenders trust and provides transparency.

 “There is no bulletproof test to determine when the requirements of the GDPR should apply to an individual,” Chong stated.

She continued, “We recommend adapting all data collection processes to match the GDPR requirements, as it will ensure full compliance. Trust has always been of paramount importance in data collection, but with this new regulation we are seeing a shift towards trust as the new currency of the Internet.”

It’s not just enough for your organization to be GDPR compliant – it’s also important to make sure that all your event suppliers are compliant. Many widely accepted data collection practices will no longer be allowed.

Chong explained that if a vendor’s privacy policy is posted on a client’s website, data collection is governed by the vendor’s policy - not the client’s. Even having a “powered by” on your website, with a link to the supplier’s website technically can be construed as marketing without express consent.

Chong and Lenos Software President, Patti Tackeff, are passionate about the privacy rights of individuals. Since its founding in 1999, the company has been committed to “Privacy by Design" principles. Privacy by Design is a development methodology that puts data privacy and security at the core at the outset of the design process.

Lenos Software now offers a GDPR Consent and Data Management Compliance Module for its Event Marketing Cloud and Strategic Meetings Management (SMM) Platform. The module, which was rolled out to Lenos clients in January to ensure they meet the May 25 deadline and document their compliance, is now generally available.

The Lenos GDPR Consent and Data Management Compliance Module enables customers to automatically:

• Track and retain privacy policies, as well as ensure their integrity
• Prominently display the privacy policy to ensure informed consent
• Require an affirmative consent from an individual before their data is collected
• Enable registrants to edit the data that is collected
• Provide registrants the ability to withdraw consent
• Enable and track communications in consent management
• Identify if the registrant that has withdrawn consent has registered for other meetings and events
• Track registrant transactions to determine whether data has been shared with third-parties in fulfillment of their meeting/event participation
• Ensure the secure and permanent deletion of personally identifiable information
• Transfer GDPR related data and information to Salesforce
• Reproduce and replicate GDPR requirements across multiple meetings and events
• Maintain record-keeping to comply with the GDPR and enable a customer’s standard operating procedures, internal controls and audit requirements

Events are a known collection point for personal data, which means they are more likely to be scrutinized. If you are holding an event after the GDPR takes effect and collect any personally identifiable data – even if that data is collected prior to May 25 – without obtaining EU citizens’ express consent, you could be fined.

“Many companies we speak with have not realized that planning to be compliant on May 25, 2018 is too late,” said Chong.

She added, “Companies currently collecting data for marketing events and meetings taking place after the May deadline need to be fully compliant today.”