ICCA Congress - 13.11.2017 - Is your business ready for GDPR and E-Privacy regulatory changes? - The...


Transcript of ICCA Congress - 13.11.2017 - Is your business ready for GDPR and E-Privacy regulatory changes? - The...

Page 1: ICCA Congress - 13.11.2017 - Is your business ready for GDPR and E-Privacy regulatory changes? - The impact for the MICE sector

International Congress and Convention Association #ICCAWorld iccaworld.org

It’s coming on 25th May 2018 and it will affect you!

IS YOUR BUSINESS READY FOR GDPR AND E-PRIVACY REGULATORY CHANGES?

56th ICCA Congress

The Impact on the MICE Sector

Page 2:

56th ICCA Congress

Sli.do #ICCA

Page 3:

The Session

• What is the General Data Protection Regulation (GDPR)?

• Why is it so important that associations and those engaged within the MICE sector understand the relevance and ramifications of GDPR?

Page 4:

Introductions

• Emma Sanders, Director, Global Data Partners

• Caroline Mackenzie, Director, Global Association Partners

• Martin Sirk, CEO, ICCA

• Alain Pittet, IAPCO Council Member; Managing Director, Congrex Switzerland

Page 6:

What are your current concerns about GDPR?

• Lots of conflicting advice & opinions

• Little knowledge on the legislation

• How does this impact my business?

• What are my responsibilities?

• How does this affect the data you already hold?

• What impact will this have on our sales and marketing activity?

• Will this restrict my business activity?

• What happens if I breach the regulations?

• When should I be taking steps to ensure compliance?

• What practical steps should I be taking now?

Page 7:

What we plan to cover in this session

• Provide a top level introduction to GDPR

• What are the important changes and areas of compliance

• Clarify myth vs reality

• Identify who is impacted

• What actions are we taking now and what actions should you be taking now

• What best practices you need to put in place

• An understanding of the implications of non compliance

• Consider some questions relevant to the MICE Sector with contributions from the floor

Page 8:

GDPR Essentials

Emma Sanders, Director, Global Data Partners

Page 9:

Data Protection Evolution

• 1980: Organisation for Economic Co-operation and Development (OECD) - Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

• 1995: EU Data Protection Directive 95/46/EC

• 2000: European Commission’s trans-Atlantic data protection agreement “safe harbour”

• 2002: EU Directive 2002/58/EC; the protection of privacy in the electronic communications sector

• 2007: 1st iPhone released

• 2015: European Court of Justice ruled the “safe harbour” agreement 2000 is no longer valid

• 2016: EU GDPR regulation approved

• 2018: *** 25 May 2018 - EU GDPR Enforcement ***

Page 10:

What is GDPR?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU).

Page 11:

Definition of GDPR

“The principles of .. the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.”

Page 12:

What is the purpose of GDPR?

PROTECTION

DIGITAL AGE

HARMONISE

LESS ADMINISTRATION

Page 13:

6 Fundamental Principles of GDPR

[Diagram: the six principles arranged around "GDPR"]

• Lawfulness, fairness, transparency

• Purpose Limitations

• Data Minimisation

• Accuracy

• Storage Limitation

• Integrity and confidentiality

Page 14:

6 Fundamental Principles of GDPR

Lawfulness, Fairness, Transparency

• Lawfulness – tests described in GDPR

• Fairness – match description

• Transparency - tell what data processing will be done

Purpose Limitations

• “Specified, explicit and legitimate purposes”

• Specific processing purpose that the subject has been made aware of

Data Minimisation

• Data collected be “adequate, relevant and limited to what is necessary”, i.e. no more than the minimum amount of data should be kept for specific processing

Page 15:

6 Fundamental Principles of GDPR

Accuracy

• Data must be “accurate” and “where necessary kept up to date”

Storage Limitation

• Personal data is “kept in a form which permits identification of data subjects for no longer than necessary”

Integrity and confidentiality

• Data handled “in a manner [ensuring] appropriate security”

Page 16:

Definitions

01 What is Personal Data?

02 What does Personal Data look like?

03 Data Controllers and Processors

04 Liability of control of Personal Data

Page 17:

What is Personal Data?

Article 4

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”.

It adds that:

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier...

Page 18:

What does personal data really look like?

Who am I?

Who knows all this stuff?

• Gender

• Age

• Ethnicity

• National Insurance Number

• Employer

• Work email

• Personal Email

• Blood Type

• Number of Children

• Religion

• IP address

• Facebook page etc

Page 19:

Sensitive Data

What is considered “Sensitive Data”?

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

Page 20:

Data Controllers and Data Processors

A Data Controller is …

• “the natural or legal person, public authority, agency or other body alone or jointly with others, who determines the purposes and means of the processing of personal data...”.

• “the Controller shall be responsible for, and be able to demonstrate compliance with the six principles”.

A Data Processor is …

• ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Page 21:

But what does this mean?

Controller is a data owner/organization collecting information (i.e. you!)

Processor is anyone who is working with your data (i.e. mailing house, email broadcaster, venue)

Important: GDPR obligations are now shared between controllers and processors

Processors subject to fines where they have not complied with obligations under Regulation or acted outside instructions of controller

Page 22:

Key Changes ......

01 Regulation vs Directive

02 Increased Territorial Scope

03 Penalties

04 Consent

05 Breach Notification

06 Right to Access

07 Right to be Forgotten

08 Data Protection Officers

09 Data Security

Page 23:

Regulation vs Directive

Page 24:

Increased Territorial Scope of GDPR

A data controller or processor in the European Union protects all data subjects regardless of their nationality, residency, location and place of processing.

A data controller or processor not in the European Union protects any data subject ‘in the Union’, where processing relates to:

• Offering goods or services (marketing)

• Monitoring behaviour which takes place in the Union

Page 25:

Example

A US-based company decides to carry out an email marketing campaign to residents of the UK

• It creates a lead generation ‘pop up’ form on its www.bigcompany.com website to collect email addresses for the marketing campaign.

• It plans to use MailChimp as its email service provider

Does GDPR apply?

Page 26:

Penalties

Factors for non-compliance:

• How long the infringement lasts

• The number of individuals affected

• The level of impact

Each instance of noncompliance:

• companies can be fined up to €20 million, or

• 4% of their global annual turnover of the preceding financial year (whichever is higher)

In Addition:

• personal damage that may be claimed by individuals

• personal liability of managers within your organisation

• damage to reputation

• lost business to those competitors who have complied with GDPR

Page 27:

Penalties

Page 28:

Consent

Organisations and Event Organisers will be required to obtain data subjects’ consent to:

• store personal data

• use their data (explain clearly how it will be used)

Consent must be:

• active, affirmative action by the data subject

• not passive acceptance through pre-ticked boxes or opt-outs

Page 29:

Consent

Defined in the Regulation as

• Freely Given

• Specific

• Unbundled

• Granular

• Named

Additionally

• Informed

• Unambiguous

• Documented

• Prominent

• Data subject rights

Page 30:

Consent

Written, including electronic or oral statement

Includes

• Ticking a box when visiting an internet website

• Choosing technical settings

• By any other statement or conduct which clearly indicates acceptance

Does Not include

• Silence

• Pre-ticked boxes

• Inactivity

Page 31:

Privacy Notices

● What individuals need to know:

○ Name/contact details of the data controller

○ Is the data for direct marketing purposes?

○ Third party usage - will you be sharing data with other companies?

○ How long will you keep the data for?

○ Data subject rights (erasure, portability, rectification etc)

○ Information about profiling

● Concise, transparent, intelligible and easily accessible

● Written in clear and plain language, particularly if addressed to a child; and free of charge.

Page 32:

Examples of Consent

Page 33:

Legitimate Interest vs Consent

Recital 47

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

● Do you have a relationship?

● Weigh up the legitimate interest of the organisation with the rights of the consumer

● Reasonable

● Provision of unsubscribe or opt-out normally satisfies test

There is no hierarchy of legal grounds – all are equally valid

Page 35:

Breach Notifications

Compulsory to notify both users and data protection authorities (supervisory authority) within 72 hours of discovering a security breach.

Are your current systems set up to identify a breach?

DID YOU KNOW?

UK mobile operator TalkTalk was fined a record £400,000 for security failings which led to the theft of personal data of almost 157,000 customers in 2015.

Under the new rules, that fine would have amounted to £59 million!

Page 36:

Right To Access

The right for Data Subjects to ask a Data Controller to provide a copy (free of charge) of all the personal information being processed about them.

Be prepared to provide information to data subjects on request regarding:

• what personal data your organisation is processing

• where the data is stored

• what it’s being used for

Be able to provide this for free within 30 days of the request

Page 37:

Right To Be Forgotten

EU citizens and residents at any time will be able to ask you to:

• delete their personal data

• stop sharing it with third parties that they have previously given consent to (ex. suppliers, hotels, venues etc.) – who will also be obliged to stop processing it

Organisations storing delegate data for long periods of time and using it as an asset to market other client events to will be in trouble, unless consent has been granted or if Legitimate Interest is being used!

Page 38:

Data Protection Officer

DPO appointment will be mandatory:

• core activities consist of processing operations / monitoring of data subjects on a large scale

• special categories of data or data relating to criminal convictions and offences

An individual or legal entity appointed to inform and advise the Data Controller or the Data Processor and the employees who carry out processing of their obligations under GDPR. The DPO should monitor compliance and cooperate with the Supervisory Authority.

Page 39:

Data Protection Officer

DPO Appointment and job function:

• Professional qualities and, in particular, expert knowledge on data protection law and practices

• May be a staff member or an external service provider

• Contact details must be provided to the relevant DPA

• Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge

• Must report directly to the highest level of management

• Must not carry out any other tasks that could result in a conflict of interest.

Page 40:

Data Security

“In order to maintain security and to prevent processing in infringement of this regulation, the Controller and Processor should evaluate risks inherent in the processing and implement measures to mitigate those risks, such as encryption”

● Encrypting or pseudonymising data means data cannot be accessed or looked at without access rights (key or password protected).

● This helps protect against unlawful or unauthorised access to Personal Data. The measure minimizes risks to the Data Subjects, and would be recognized as a data protection by design process.

● Personal Data must be securely kept by the Data Controller, ensuring measures are taken to prevent a data breach.

Page 41:

B2B vs B2C

Page 42:

B2B vs B2C

• When dealing with sole traders or partnerships, the rules governing B2C marketing will apply.

• For any B2B marketing, the content must be relevant to the recipient’s job role (Legitimate Interest).

• At point of marketing execution, an OPT OUT must be provided along with clear T&Cs/Privacy Notices (which must align with GDPR guidelines)

• Email marketing consent will not change under GDPR. Current rules come under the existing country email legislation (UK: PECR/Privacy & Electronic Communications Regulations).

• Current email regulations under review and will be replaced by ePrivacy regulation.

Page 43:

Email Marketing - Opt In/Opt Out Current Legislation

Page 44:

ePrivacy

• Intended to be consistent with GDPR

• Correct the fragmented pattern of national laws

• Issues in current draft

– Consent vs Legitimate Interests

– Definition of direct marketing

– TPS and telephone marketing

– B2B Marketing

Timings for implementation ????

Page 45:

So why is GDPR relevant to you?

• This affects you all:

o Venues

o CVBs / National Bureau / Development Authority

o Associations

o PCOs / Event Management Companies

o Marketing support agencies

o Tech companies

o Representation companies

o Market research organisations

o Publishing / Media Groups

o Trade shows and professional bodies

o Service suppliers to Event Organisers and Venues

Page 46:

Implications for the MICE Sector

Using pre-ticked consent boxes and vague opt-outs within registration forms

Not having the proper processes and systems in place that store consent

Sharing delegate lists freely with venues, speakers and other attendees

Not paying attention to the data freelancers and temp staff have access to

Emailing unsecure spreadsheets

Leaving printed registration lists unattended on-site

Gathering attendee marketing data

Page 47:

In Summary:

Event attendees will have the right to:

Page 48:

In Summary:

Event organisers will have to demonstrate:

Page 49:

GDPR Plan and Prepare

Caroline Mackenzie, Director, Global Association Partners

Page 50:

Mythbusters

Page 51:

GDPR Myths

#1 The biggest threat is eye-watering fines

• will only be applied to companies that flout the laws

• fail to notify the Information Commissioner’s Office of data-privacy breaches that “affect people’s rights and freedoms.”

#2 ‘Consent’ is the only way to process data

• consent

• contractual fulfilment

• legal basis

• protect the individual’s “vital interests”

• administering justice

• “Legitimate Interest”

Page 52:

GDPR Myths

#3 GDPR is a Europe-only issue

• international company offering goods or services to EU individuals

• International company monitoring behaviour of EU individuals

#4 GDPR is limited to personally identifiable information (PII)

• no – PII is personal data

• PA extends beyond the definition of PII

#5 GDPR will NOT apply in the UK due to Brexit

• UK will still be in EU on 25 May 2018

• UK businesses will want to work with EU

• GDPR will form part of UK law post Brexit

Page 53:

GDPR Myths

#6 Everyone needs a Data Protection Officer

• public authorities

• organizations engaged in large scale systematic monitoring EU PD

• organizations engaged in large scale processing of sensitive personal data

• good practice?!

#7 Controllers and processors will only have to answer to a single data protection authority

• lead supervisory authority has to be elected

#8 GDPR will only apply to new data we collect

• NO – all personal data stored and collected

Page 54:

GDPR Myths

#9 Our data is stored with my cloud service provider / IT provider so it’s their responsibility to remain compliant with the GDPR, not mine

• public authorities

• organizations engaged in large scale systematic monitoring EU PD

• organizations engaged in large scale processing of sensitive personal data

• good practice!

#10 GDPR will NOT apply to us as we only deal in B2B engagement not B2C

• Not only about consent

• Other aspects of GDPR apply to both B2C and B2B

Page 55:

Next Steps

Page 56:

What Should I Be Doing Now?

Awareness

Make sure decision makers and key personnel within your organisation are fully aware of the pending changes. They need to have a clear understanding of its impact.

Information You Hold

You need to document what Personal Data you hold, where it came from and who you share it with. You may need to organise an Information Audit.

Communicating Privacy Information

Review your current privacy notices and put in place necessary changes so they align with GDPR

Individual Rights

Check your procedures to ensure they cover the GDPR rights individuals have, including how you delete Personal Data or how you provide data in electronic format.

Subject Access Requests

Update/create processes and procedures as to how you will deal with these within the new timescales

Legal Basis for Processing Personal Data

Review what personal data you currently process, make changes (if necessary) in line with GDPR and document these processes.

Page 57:

What Should I Be Doing Now?

Consent

Review how you are currently seeking, obtaining and recording Consent, and whether you need to make changes to comply with GDPR

Children

Review/put in place systems to verify individuals' ages and collect Parent/Guardian consent for data processing activities.

Data Breaches

Make sure you have the right procedures in place to detect and report Personal Data breaches.

Data Protection by Design AND Data Privacy Impact Assessments

Familiarize yourself with the guidance (see ICO), look at implementation plan.

Data Protection Officers

Designate a DPO.

International

If your organization works internationally (has 2+ offices), you need to determine which Supervisory Authority you will come under.

Page 58:

What Preparations Are Membership Organisations Undertaking?

Martin Sirk, CEO, ICCA

Page 59:

The ICCA database is a significant research and marketing data for our organisation. I regularly use the search functions to identify future events that can potentially come to our venue and align to current targeted campaigns.

I use the download function to segment data into Excel and then upload the organizational contact information and event history into our own CRM system.

Can I still do this?

Page 60:

Discussion and Questions

Page 61:

GDPR Checklist

Page 62

Thank you

Emma Sanders

Director

Global Data Partners

T: +44 1442 780708

E: [email protected]

Caroline Mackenzie

Director

Global Association Partners

T: +44 7379 429500

E: [email protected]

GDPR BRAIN DATE SESSION – TUES 14 NOVEMBER 16:00

www.iapco.org


We are happy for you to retain our personal details should you wish to contact us regarding this presentation, GDPR for the MICE sector or other association conference related matters.

Page 64

Question:

What about consent that’s taken by phone or on paper forms?

Answer:

• If consent is being used as the mechanism (not legitimate interest), GDPR applies to any personal data captured

• Need to be able to prove that consent was given and for what purpose

Page 65

Question:

I attend an educational event and am given a list of attendees, including their names, roles and organisation. I use this to source phone numbers and email addresses on the internet and add them to my marketing database. Is this OK?

Answer:

It depends:

• What consents were given when data was collected?

• Is there a legitimate interest?

• Note current email marketing legislation for your market, not just pending changes under ePrivacy (i.e. current opt-in requirements)

Page 66

Question:

Will I still be able to use my current mailing lists and databases?

Answer:

• If your current database has been collected using a consent mechanism, you need to ensure this is GDPR compliant. If it is not, you will need to align it to the new GDPR regulations.

• Check what data you currently hold, where it is from, when it was collected, and when it was last validated/refreshed.

Page 67

Question:

Can I store personal data from any business cards I collect from events and tradeshows?

Answer:

It depends:

• Is it for business purposes?

• Is it to add to a marketing list?

• If in doubt, take extra measures

Page 68

Question:

How long can I keep a contact on my database?

Can I still invite past attendees to my other events?

Answer:

• If applicable, use Legitimate Interest

• Ensure you apply opt-outs at the point of marketing execution

• If using email, check your local/current legislation (i.e. opt-in)

• Ensure GDPR is followed (privacy statements, right to be forgotten, right to access, etc.)

Page 69

Question:

What if I’m buying or sharing third-party lists for my events? How will GDPR affect this?

Answer:

• Make sure that you are allowed to share data you have from 3rd party sources with other organisations!

• Make sure that the organisation selling/sharing data has appropriate consents and is GDPR compliant

Page 70

Question:

What happens if we don’t meet the requirements in time for the deadline?

Answer:

• Don’t miss the deadline - do your Data Audits NOW!

• Risk of fines