By Arvi Virdee, managing director, Smartec Business Solutions Ltd
It sometimes feels like Brexit and GDPR are minefields through which many sectors are struggling to navigate, including the event industry. Event Industry News wanted to clarify some of the grey areas within the regulations for event professionals nationwide, so it got in touch with qualified GDPR practitioner Arvi Virdee to learn more.
What impact has GDPR had on the event industry since its introduction in May 2018?
The impact has been significant, given that the industry is so used to sharing large volumes of personal data between different organisations – delegate lists, rooming lists, A&D lists etc., shared between event owners, agencies, hotels, venues, etc., and given the global nature of events, this sharing of data is often between companies in different countries, some within the EU, others outside it.
Under GDPR, any exchange of significant volumes of personal data between two companies requires written contracts to be in place between them – if the companies are in different countries, an additional set of conditions may be needed before a transfer can proceed.
What have been the biggest challenges for businesses?
Understanding the sheer breadth of the legislation. Bigger organisations have dedicated privacy teams, but they don’t necessarily understand meetings and events; smaller organisations have had to assign internal resources which are not specialists in data management. GDPR introduced a new ‘language’ which many people find challenging – for example, some of the most common questions I hear from event planners are:
- If I send a rooming list to a hotel, is it a controller or a processor? (You are both likely to be controllers.)
- If I use a DMC, do I need to have a data protection clause in place? (It is in your interest to do this, as the DMC will likely share delegate data with other companies – if this leads to a data breach, you may be held liable.)
- Do I need consent before I can resume my email marketing? (Not necessarily – you may have a ‘legitimate interest’ to contact prospects on your list.)
Brexit is scheduled to happen on 31st October 2019. Will GDPR still apply to UK businesses after the UK leaves the EU?
Yes, it will. The UK will be considered a ‘third country’ when it leaves the EU, and UK businesses will need to follow the rules set out for such countries if they process the data of individuals in the EU.
If the UK leaves with a deal, nothing will change immediately, as the ‘transition period’ will allow the UK to ‘transition’ to life outside the EU. However, if it leaves with no deal, UK businesses may be immediately impacted. This is because they may need to have contracts in place before they can receive personal data from EU partners, clients or suppliers.
They may also be required to appoint a ‘representative’ within an EU country if they do not have a branch or office in the EU – this is the same as the current arrangement for any company in, say, India or China which regularly processes the data of EU citizens.
So the data of UK citizens will no longer be protected by GDPR after Brexit, since the UK will be a ‘third country’?
That’s correct as the GDPR is an EU regulation. However, the UK government intends to write the GDPR into UK law, making it the ‘UK GDPR’ and protecting the personal data of individuals within the UK.
This essentially means there will be two GDPRs running in parallel – the EU GDPR to protect the personal data of individuals in the EU, and a UK GDPR that protects the personal data of individuals in the UK.
What are some of the other implications of this?
Similar to the EU requirement for appointing a representative, EU and international organisations may be required to appoint a representative within the UK. For many organisations, this may mean having to appoint a representative in both the UK and an EU country, depending on the type, volume and regularity of the data they process.
Another implication is the potential for businesses to face fines from more than one regulatory body. We have seen how British Airways (BA) is facing a huge fine of £183m for a data breach that took place last year, after GDPR came into force. If the same thing happened after Brexit, it is possible BA could be fined by both the UK’s supervisory authority (the ICO), as well as an appointed supervisory authority in the EU, as it is highly likely that the breach would have affected the data of individuals in both the UK and the EU.
How can event businesses prepare for these changes?
As with all things to do with Brexit, there is much uncertainty – my advice would be for them to audit their data, understand who it is shared with and how, and to do this for the entire events lifecycle and across all their events. Then think about how they would separate UK and EU data, should they be required to.
As ever, awareness is the starting point.