Are you doing enough to keep your attendees’ sensitive personal data safe from breaches?
We all collect a lot of data in the course of our meeting planning processes. Some of it is fairly innocuous, such as attendee names and contact information. Some of it is quite personal, such as special dietary requests and information about physical disabilities and medical needs that may need accommodation on site. If your meeting includes anyone from the European Union, all of that data falls under the EU’s General Data Protection Regulation, or GDPR, which went into effect in the spring of 2018.
While there’s plenty of information available on the intersection of GDPR and meeting planning (such as this comprehensive guide from MeetingsNet), I recently had the opportunity to chat with John Noltensmeyer, head of global privacy and compliance solutions with the data security platform company TokenEx. Here are some of the useful insights he shared for meeting organizers who want to keep up with not just the GDPR, but also data privacy regulations already in place or pending in other countries around the world, as well as the California Consumer Privacy Act (CCPA), which goes into effect in January 2020 here in the U.S.
Most meeting professionals ask attendees if they have any special dietary requirements or medical conditions that will need to be accommodated on site. Would this sort of information fall under GDPR protections?
John: The GDPR is intended to give people greater control over their personal data, some of which is more sensitive than others. In the U.S., we would consider social security numbers to be sensitive data. In Europe, where there has historically been persecution based on religious beliefs and sexual orientation, for example, there also has been a greater history of data privacy protections, such as the current GDPR.
Personal data that reveals the religious beliefs of an individual or that relates to their health is considered to be sensitive data and as such, has specific requirements under the GDPR. Responses to questions regarding special dietary requirements can potentially reveal the religious affiliation or health information of the attendee and should be treated as sensitive data.
What can meeting professionals do to ensure that they and their organizations are handling this personal data appropriately internally under GDPR requirements?
John: It’s critical that organizations inform the data subject how their personal data will be used at the time it is collected, as well as how long the organization will keep the data. If an organization is collecting attendee personal data such as dietary requirements or medical conditions related to attending a specific event, that data should be deleted at the event’s conclusion.
For example, the registration form could include a statement such as, “For the purposes of meal planning, we would like to know if you have any dietary restrictions. We will share that information with our catering vendor, and promptly delete the information at the conclusion of the conference.”
How can meeting professionals work with any vendors or suppliers, including their host hotel or convention catering department, to ensure the third parties they work with also are in compliance with GDPR?
John: The GDPR covers data controllers — those who collect the data and make decisions on how it is processed. And “processed” is an all-encompassing term that includes both storing it and sharing it with third parties. The meeting organizer, as the data controller, bears the responsibility for protecting that data both in house and while it is being used by a vendor.
Contractual agreements need to be in place between the meeting organization and their vendors/suppliers explicitly stating how all personal data is to be used. These agreements should expressly prohibit the vendor from sharing the personal data with others without the prior consent of the meeting organization as well as stipulating that the data be deleted when no longer required to fulfill the requirements of the contract.
Does the data planners collect about dietary and medical requirements also fall under the new California Consumer Privacy Act? Are there other data protection regulations or laws that planners should be aware of?
John: Dietary and medical information collected from an event attendee that can be used to identify that individual would be considered personal information under the CCPA. However, where the GDPR protects the data of all EU citizens, the CCPA only applies to for-profit organizations that meet certain thresholds based on annual revenue or the total number of California citizens the business collects personal information on. There are now over 100 countries with data protection laws as well as multiple U.S. states. It is incumbent on an organization to monitor these laws.
The GDPR is one of the most comprehensive data privacy regulations in the world today, so many would consider GDPR compliance to be a best practice. While meeting organizers still will have to be cognizant of the specific requirements of other regulations, such as the CCPA, if they take steps to comply with GDPR, they generally speaking will be in a good position to comply with other data privacy regulations.
Is this even something that meeting professionals should be concerned with, or should responsibility for compliance lie elsewhere in the organization? Are there consequences for planners and/or the meeting department for noncompliance?
John: While the IT department may handle the technical end, it is unlikely to be aware of what meeting-related data the organization is collecting, why it’s being collected, or how long it is being kept. Consequently, it is essential for meeting professionals to work with the IT department to adequately safeguard the personal information the organization collects as well as comply with the applicable privacy laws. Meeting planners may not face direct individual consequences for noncompliance with the GDPR, but they are likely to experience the fallout from a fine resulting from GDPR noncompliance as well as the ensuing loss of customer trust.
I understand that meeting planners have more than enough to worry about without having to keep abreast of all the data privacy regulations, but it is important to communicate what you are collecting and how you are protecting that data with both the IT department and your data protection officer, or other department that is in charge of compliance. If you do want to track what’s happening in this area, the International Association of Privacy Professionals has a number of free resources on its website that non-members can access.
Do you have any suggestions for things planners should be doing now as they collect and manage their attendees’ personal dietary- and medical-requirement data?
John: Rather than approach data privacy protection as something that is inhibiting commerce or making your life more difficult, think of it as another way to keep individuals attending your conference safe.
Inform event attendees how their personal data will be used at the time it is collected, as well as how long the organization will keep the data. If an organization is collecting attendee personal data such as dietary requirements or medical conditions related to attending a specific event, that data should be deleted at the event’s conclusion.
Let people know that you respect their data and will protect it, that you won’t resell it or use it for any purpose other than what you need for the event, and that when the event is over, their data will be purged. That messaging can go a long way toward building trust that you respect their privacy, just as you would want the organizations you deal with to respect your own.