GDPR: What We’re Doing for Compliance and How it May Affect You


Concerns regarding data security and privacy continue to increase around the world. Corporations and organizations, as well as governmental departments and nation states, are all creating their own version of data security or privacy policies and compliance programs. 

With the nature of our connected world, this is the reality in which we all live for the foreseeable future. Of particular significance relating to data security and privacy is the European Union’s (EU) General Data Protection Regulation (GDPR) that was adopted in 2016 and becomes effective May 25, 2018. This regulation is the EU’s attempt to provide better protection for EU citizens, and to allow them more control over their personal information while providing businesses a clearer environment within which to operate. This regulation affects any events that involve collection of personal data from an EU citizen who attends events anywhere in the world (EU attendees).

There are two defined roles for organizations with regard to GDPR:

  • Data Controllers: Organizations which own or manage personal data of any EU citizen.
  • Data Processors: Vendors utilized by Data Controllers to process or store data.


As a registration, air booking, housing, event planning, mobile app, lead and behavioral tracking vendor in the events industry, GDPR largely applies to Maritz Global Events as a Data Processor. Under GDPR, Data Controllers are responsible for complying with the principles of processing personal data outlined by GDPR. Data Processors, such as Maritz Global Events, are responsible for implementing technical and organizational measures that allow Data Controllers to comply with the regulation. As data is collected by Data Controllers and Data Processors, both are required to understand and follow the requirements of the regulation.

These are seven of the key requirements of GDPR:

  1. Consent: EU attendees must consent to the storage and use of their data. Event organizers must provide an explanation of how an attendee’s data will be used. The attendee must actively opt in or opt out of allowing their data to be used.
  2. Breach Notification: EU attendees and authorities must be notified within 72 hours of discovering a security breach that impacts their personal data.
  3. Access: EU attendees must have access to their records. If an attendee requests their records, event organizers must provide them and include information on where the records are stored, what they are being used for and provide the attendee an opportunity to correct any incorrect information.
  4. Right to be Forgotten: EU attendees have the right to instruct event organizers to delete or not share their personal information.
  5. Data Portability: EU attendees have the right to ask event organizers to provide their personal information to another data controller. The file must be in a commonly used digital format.
  6. Privacy by Design: Organizations must have data privacy controls and security developed into all products and systems from the beginning. Privacy considerations must be built into any and every system that is collecting personal data such as registration systems, email systems and CRMs.
  7. Data Protection Officer (DPO): Organizations that handle large amounts of data must identify an individual within the organization to oversee data. This person is responsible for ensuring internal data protection policies are updated, staff trainings are conducted and processing activities are documented.


Maritz Global Events’ Registration, Air, Housing and Lead Services

As your events partner, Maritz Global Events is taking actions to ensure we adhere to GDPR guidelines, specifically focused on registration, air booking, housing and lead services. As Data Processors, Maritz Global Events will consult with customers to help them understand our role in becoming compliant with GDPR. We will review and share how GDPR requirements impact the registration, air booking, housing and lead retrieval services provided by Maritz Global Events. However, our customers will be responsible for complying with GDPR requirements on any data they retain – including registration, air booking, housing, membership, exhibiting and financial data.

Here is a high-level overview of the actions Maritz Global Events is taking to become compliant with GDPR regulations as a Data Processor.

  1. Consent: For all registration and housing websites, Maritz Global Events will provide customers a templated notification that can be used to notify all EU web users of the purpose and intent of the data collection, how it will be used and stored, who controls the data, how lead retrieval services will work and who to contact with questions. Modifications can be made to this message if the required information is conveyed.
  2. Breach Notification: Maritz Global Events already adheres to breach notification regulations as a standard policy.
  3. Access: Upon request by an EU attendee, Maritz Global Events will email electronic copies of the attendee’s information.
  4. Right to be Forgotten: Maritz Global Events will remove Personally Identifiable Information (PII) from our databases upon request by an EU attendee.
  5. Data Portability: Maritz Global Events will transfer attendee data to the appropriate third party as requested by the attendee and/or customer.
  6. Privacy by Design: Maritz Global Events already follows this practice and is currently compliant.
  7. Contractual Agreements: Maritz Global Events will present current customers with contract addendums that specify acknowledgement, roles and responsibilities of all parties regarding GDPR.


For quick reference of GDPR’s seven requirements, download this helpful infographic.


Maritz Global Events is not a professional security and privacy consultancy firm; therefore, we recommend and encourage all customers to seek their own expert advice for GDPR compliance concerns.
