icca congress - 13.11.2017 - is your business ready for gdpr and e-privacy regulatory changes? - the...
TRANSCRIPT
International Congress and Convention Association #ICCAWorld iccaworld.org
It’s coming on 25th May 2018 and it will affect you!
IS YOUR BUSINESS READY FOR GDPR AND E-PRIVACY
REGULATORY CHANGES?
56th ICCA Congress
The Impact on the MICE Sector
56th ICCA Congress
Sli.do #ICCA
The Session
• What is the General Data Protection Regulation (GDPR)?
• Why is it so important that associations and those engaged within the MICE sector understand the relevance and ramifications of GDPR?
Introductions
• Emma Sanders
Director, Global Data Partners
• Caroline Mackenzie
Director, Global Association Partners
• Martin Sirk
CEO, ICCA
• Alain Pittet
IAPCO Council Member
Managing Director, Congrex Switzerland
What are your current concerns about GDPR?
• Lots of conflicting advice & opinions
• Little knowledge on the legislation
• How does this impact my business?
• What are my responsibilities?
• How does this affect the data you already hold?
• What impact will this have on our sales and marketing activity?
• Will this restrict my business activity?
• What happens if I breach the regulations?
• When should I be taking steps to ensure compliance?
• What practical steps should I be taking now?
What we plan to cover in this session
• Provide a top level introduction to GDPR
• What are the important changes and areas of compliance
• Clarify myth vs reality
• Identify who is impacted
• What actions are we taking now and what actions should you be taking now
• What best practices you need to put in place
• An understanding of the implications of non-compliance
• Consider some questions relevant to the MICE Sector with contributions from the floor
GDPR Essentials
Emma Sanders, Director, Global Data Partners
Data Protection Evolution
• 1980: Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
• 1995: EU Data Protection Directive 95/46/EC
• 2000: European Commission’s trans-Atlantic data protection agreement “safe harbour”
• 2002: EU Directive 2002/58/EC; the protection of privacy in the electronic communications sector
• 2007: 1st iPhone released
• 2015: European Court of Justice ruled the “safe harbour” agreement of 2000 is no longer valid
• 2016: EU GDPR regulation approved
• 2018: *** 25 May 2018 - EU GDPR Enforcement ***
What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is
a regulation by which the European Parliament, the European Council and the
European Commission intend to strengthen and unify data protection for
individuals within the European Union (EU).
Definition of GDPR
“The principles of .. the protection of natural persons with regard to the
processing of their personal data should, whatever their nationality or
residence, respect their fundamental rights and freedoms, in particular their
right to the protection of personal data.”
What is the purpose of GDPR?
PROTECTION
DIGITAL AGE
HARMONISE
LESS ADMINISTRATION
6 Fundamental Principles of GDPR
1. Lawfulness, fairness, transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
6 Fundamental Principles of GDPR
1. Lawfulness, Fairness, Transparency
• Lawfulness – tests described in GDPR
• Fairness – match description
• Transparency – tell what data processing will be done
2. Purpose Limitations
• “Specified, explicit and legitimate purposes”
• Specific processing purpose that the subject has been made aware of
3. Data Minimisation
• Data collected be “adequate, relevant and limited to what is necessary”, i.e. no more than the minimum amount of data should be kept for specific processing
6 Fundamental Principles of GDPR
4. Accuracy
• Data must be “accurate and, where necessary, kept up to date”
5. Storage Limitation
• Personal data is “kept in a form which permits identification of data subjects for no longer than necessary”
6. Integrity and confidentiality
• Data handled “in a manner [ensuring] appropriate security”
Definitions
01 What is Personal Data?
02 What does Personal Data look like?
03 Data Controllers and Processors
04 Liability of control of Personal Data
What is Personal Data?
Article 4
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”.
It adds that:
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier...
What does personal data really look like?
Who am I? Who knows all this stuff?
• Gender
• Age
• Ethnicity
• National Insurance Number
• Employer
• Work email
• Personal Email
• Blood Type
• Number of Children
• Religion
• IP address
• Facebook page etc
Sensitive Data
What is considered “Sensitive Data”?
Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
Data Controllers and Data Processors
A Data Controller is …
• “the natural or legal person, public authority, agency or other body alone or jointly with others, who determines the purposes and means of the processing of personal data...”.
• “the Controller shall be responsible for, and be able to demonstrate compliance with the six principles”.
A Data Processor is …
• “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
But what does this mean?
Controller is a data owner/organization collecting information (i.e. you!)
Processor is anyone who is working with your data (e.g. mailing house, email broadcaster, venue)
Important: GDPR obligations are now shared between controllers
and processors
Processors subject to fines where they have not complied with
obligations under Regulation or acted outside instructions of controller
Key Changes ......
01 Regulation vs Directive
02 Increased Territorial Scope
03 Penalties
04 Consent
05 Breach Notification
06 Right to Access
07 Right to be Forgotten
08 Data Protection Officers
09 Data Security
Regulation vs Directive
Increased Territorial Scope of GDPR
A data controller or processor in the European Union protects all data subjects
regardless of their nationality, residency, location and place of processing.
A data controller or processor not in the European Union protects any data subject ‘in the Union’, where processing relates to:
• Offering goods or services (marketing)
• Monitoring behaviour which takes place in the union
Example
A US-based company decides to carry out an email marketing campaign to residents of the UK
• It creates a lead generation ‘pop up’ form on its www.bigcompany.com website to collect email addresses for the marketing campaign.
• It plans to use MailChimp as its email service provider
Does GDPR apply?
Penalties
Each instance of non-compliance:
• companies can be fined up to €20 million, or
• 4% of their global annual turnover of the preceding financial year (whichever is higher)
Factors for non-compliance:
• How long the infringement lasts
• The number of individuals affected
• The level of impact
In addition:
• personal damage that may be claimed by individuals
• personal liability of managers within your organisation
• damage to reputation
• lost business to those competitors who have complied with GDPR
Consent
Organisations and Event Organisers will be required to obtain data subjects’ consent to:
• store personal data
• use their data (explain clearly how it will be used)
Consent must be:
• active, affirmative action by the data subject
• not passive acceptance through pre-ticked boxes or opt-outs
Consent
Defined in the Regulation as
• Freely Given
• Specific
• Unbundled
• Granular
• Named
Additionally
• Informed
• Unambiguous
• Documented
• Prominent
• Data subject rights
Consent
Written, including electronic or oral statement
Includes
• Ticking a box when visiting an internet website
• Choosing technical settings
• By any other statement or conduct which clearly indicates acceptance
Does Not include
• Silence
• Pre-ticked boxes
• Inactivity
Privacy Notices
● What individuals need to know:
○ Name/contact details of the data controller
○ Is the data for direct marketing purposes?
○ Third party usage - will you be sharing data with other companies?
○ How long will you keep the data for?
○ Data subject rights (erasure, portability, rectification etc)
○ Information about profiling
● Concise, transparent, intelligible and easily accessible
● Written in clear and plain language, particularly if addressed to a child; and free
of charge.
Examples of Consent
Legitimate Interest vs Consent
Recital 47
“The processing of personal data for direct marketing purposes may be regarded as
carried out for a legitimate interest.”
● Do you have a relationship?
● Weigh up the legitimate interest of the organisation with the rights of the consumer
● Reasonable
● Provision of unsubscribe or opt-out normally satisfies test
There is no hierarchy of legal grounds – all are equally valid
Breach Notifications
Compulsory to notify both users and data protection authorities (supervisory authority) within 72 hours of discovering a security breach.
Are your current systems set up to identify a breach?
DID YOU KNOW?
UK mobile operator TalkTalk
was fined a record £400,000 for
security failings which led to the
theft of personal data of almost
157,000 customers in 2015.
Under the new rules, that fine
would have amounted to
£59 million!
Right To Access
The right for Data Subjects to ask a Data Controller to provide a copy (free of charge) of all the personal information being processed about them.
Be prepared to provide information to data subjects on request regarding:
• what personal data your organisation is processing
• where the data is stored
• what it’s being used for
Be able to provide this for free within 30 days of the request
Right To Be Forgotten
EU citizens and residents at any time will be able to ask you to:
• delete their personal data
• stop sharing it with third parties that they have previously given consent to (e.g. suppliers, hotels, venues etc.) – who will also be obliged to stop processing it
Organisations storing delegate data for long periods of time and using it as an
asset to market other client events to will be in trouble, unless consent has been
granted or if Legitimate Interest is being used!
Data Protection Officer
An individual or legal entity appointed to inform and advise the Data Controller or the Data Processor and the employees who carry out processing of their obligations under GDPR. The DPO should monitor compliance and cooperate with the Supervisory Authority.
DPO appointment will be mandatory where:
• core activities consist of processing operations / monitoring of data subjects on a large scale
• special categories of data or data relating to criminal convictions and offences are processed
Data Protection Officer
DPO Appointment and job function:
• Professional qualities and, in particular, expert knowledge on data protection
law and practices
• May be a staff member or an external service provider
• Contact details must be provided to the relevant DPA
• Must be provided with appropriate resources to carry out their tasks and
maintain their expert knowledge
• Must report directly to the highest level of management
• Must not carry out any other tasks that could result in a conflict of interest.
Data Security
“In order to maintain security and to prevent processing in
infringement of this regulation, the Controller and Processor
should evaluate risks inherent in the processing and implement
measures to mitigate those risks, such as encryption”
● Encrypting or pseudonymising data means the data cannot be accessed or read without access rights (key or password protected).
● This helps against unlawful or unauthorised access to Personal Data; the measure minimises risks to the Data Subjects and would be recognised as a data protection by design process.
● Personal Data must be securely kept by the Data Controller, ensuring measures are taken to prevent a data breach.
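As an added example that is not part of the deck, the pseudonymisation the slide describes applied to a constructed delegate list before it is handed to a venue: the venue's copy carries a keyed pseudonym and only the fields it needs, and only the controller holding the key can map a record back to a person. The record layout, field names and key are assumptions.

```python
"""Pseudonymising a delegate list before sharing it with a venue.

Added example (not from the deck). The record layout, field names and key are
constructed assumptions. The controller keeps the HMAC key; the venue receives
only a pseudonym plus the fields it needs, so the shared file carries no direct
identifiers and cannot be linked back to a person without the key.
"""
import hashlib
import hmac
from typing import List, Optional

# Constructed sample registrations (not real people).
DELEGATES = [
    {"name": "A. Example", "email": "A.Example@example.org", "org": "Example Assoc.",
     "dietary": "vegetarian", "national_insurance": "QQ123456C"},
    {"name": "B. Sample", "email": "b.sample@example.net", "org": "Sample Ltd",
     "dietary": "none", "national_insurance": "QQ654321A"},
]

# Data minimisation: the venue's purpose (catering) needs only these fields.
VENUE_FIELDS = ("dietary",)
DIRECT_IDENTIFIERS = {"name", "email", "national_insurance"}


def pseudonym(key: bytes, email: str) -> str:
    """Keyed pseudonym for a delegate.

    HMAC-SHA256 over the normalised e-mail: the same person always gets the same
    pseudonym under one key, but without the key the value reveals nothing and
    cannot be recovered by hashing candidate e-mail addresses.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def build_venue_list(delegates: List[dict], key: bytes) -> List[dict]:
    """Return the minimised, pseudonymised list that may be shared with the venue."""
    return [
        {"delegate_id": pseudonym(key, d["email"]), **{f: d[f] for f in VENUE_FIELDS}}
        for d in delegates
    ]


def has_direct_identifiers(venue_list: List[dict]) -> bool:
    """Check before sending: no record may still carry a direct identifier."""
    return any(DIRECT_IDENTIFIERS & set(rec) for rec in venue_list)


def reidentify(key: bytes, delegate_id: str, delegates: List[dict]) -> Optional[dict]:
    """Controller-side lookup: recompute pseudonyms with the key and match.

    Returns None for an unknown id or when the wrong key is supplied, which is
    what makes the venue's copy pseudonymous rather than merely relabelled.
    """
    for d in delegates:
        if hmac.compare_digest(pseudonym(key, d["email"]), delegate_id):
            return d
    return None


def erase(delegates: List[dict], email: str) -> List[dict]:
    """Right to be forgotten: drop the subject from the controller's records.

    The venue's pseudonymised copy then has no remaining link to the person,
    because re-identification depends on the record that was just removed.
    """
    target = email.strip().lower()
    return [d for d in delegates if d["email"].strip().lower() != target]


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-out-of-the-shared-file"
    venue = build_venue_list(DELEGATES, key)
    print(venue)
    print("direct identifiers leaked:", has_direct_identifiers(venue))
    print("controller re-identifies:", reidentify(key, venue[0]["delegate_id"], DELEGATES)["name"])
    print("wrong key re-identifies:", reidentify(b"wrong-key", venue[0]["delegate_id"], DELEGATES))
```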
B2B vs B2C
• When dealing with sole traders or partnerships, the rules governing B2C marketing will apply.
• For any B2B marketing, the content must be relevant to the recipient’s job role (Legitimate Interest).
• At point of marketing execution, an OPT OUT must be provided along with clear T&Cs/Privacy Notices (which must align with GDPR guidelines).
• Email marketing consent will not change under GDPR. Current rules come under the existing country email legislation (UK: PECR/Privacy & Electronic Communications Regulations).
• Current email regulations are under review and will be replaced by the ePrivacy regulation.
Email Marketing - Opt In/Opt Out Current Legislation
ePrivacy
• Intended to be consistent with GDPR
• Correct the fragmented pattern of national laws
• Issues in current draft
– Consent vs Legitimate Interests
– Definition of direct marketing
– TPS and telephone marketing
– B2B Marketing
• Timings for implementation ????
So why is GDPR relevant to you?
• This affects you all:
o Venues
o CVBs / National Bureau / Development Authority
o Associations
o PCOs / Event Management Companies
o Marketing support agencies
o Tech companies
o Representation companies
o Market research organisations
o Publishing / Media Groups
o Trade shows and professional bodies
o Service suppliers to Event Organisers and Venues
Implications for the MICE Sector
• Using pre-ticked consent boxes and vague opt-outs within registration forms
• Not having the proper processes and systems in place that store consent
• Sharing delegate lists freely with venues, speakers and other attendees
• Not paying attention to the data freelancers and temp staff have access to
• Emailing unsecure spreadsheets
• Leaving printed registration lists unattended on-site
• Gathering attendee marketing data
In Summary:
Event attendees will have the right to:
In Summary:
Event organisers will have to demonstrate:
GDPR Plan and Prepare
Caroline Mackenzie, Director, Global Association Partners
Mythbusters
GDPR Myths
#1 The biggest threat is eye-watering fines
• will only be applied to companies that flout the laws
• fail to notify the Information Commissioner’s Office of data-privacy
breaches that “affect people’s rights and freedoms.”
#2 ‘Consent’ is the only way to process data
• consent
• contractual fulfilment
• legal basis
• protect the individual’s “vital interests”
• administering justice
• “Legitimate Interest”
GDPR Myths
#3 GDPR is a Europe-only issue
• international company offering goods or services to EU
individuals
• International company monitoring behaviour of EU individuals
#4 GDPR is limited to personally identifiable information (PII)
• no – PII is personal data
• personal data extends beyond the definition of PII
#5 GDPR will NOT apply in the UK due to Brexit
• UK will still be in EU on 25 May 2018
• UK businesses will want to work with EU
• GDPR will form part of UK law post Brexit
GDPR Myths
#6 Everyone needs a Data Protection Officer
• public authorities
• organizations engaged in large scale systematic monitoring EU PD
• organizations engaged in large scale processing of sensitive personal data
• good practice?!
#7 Controllers and processors will only have to answer to a
single data protection authority
• lead supervisory authority has to be elected
#8 GDPR will only apply to new data we collect
• NO – all personal data stored and collected
GDPR Myths
#9 Our data is stored with my cloud service provider / IT provider so
it’s their responsibility to remain compliant with the GDPR, not
mine
• public authorities
• organizations engaged in large scale systematic monitoring EU PD
• organizations engaged in large scale processing of sensitive personal data
• good practice!
#10 GDPR will NOT apply to us as we only deal in B2B engagement not B2C
• Not only about consent
• Other aspects of GDPR apply to both B2C and B2B
Next Steps
What Should I Be Doing Now?
• Awareness: Make sure decision makers and key personnel within your organisation are fully aware of the pending changes. They need to have a clear understanding of its impact.
• Information You Hold: You need to document what Personal Data you hold, where it came from and who you share it with. You may need to organise an Information Audit.
• Communicating Privacy Information: Review your current privacy notices and put in place necessary changes so they align with GDPR.
• Individual Rights: Check your procedures to ensure they cover the GDPR rights individuals have, including how you delete Personal Data or how you provide data in electronic format.
• Subject Access Requests: Update/create processes and procedures as to how you will deal with these within the new timescales.
• Legal Basis for Processing Personal Data: Review what personal data you currently process, make changes (if necessary) in line with GDPR and document these processes.
What Should I Be Doing Now?
• Consent: Review how you are currently seeking, obtaining and recording Consent, and whether you need to make changes to comply with GDPR.
• Children: Review/put in place systems to verify individuals’ ages and collect Parent/Guardian consent for data processing activities.
• Data Breaches: Make sure you have the right procedures in place to detect, report and investigate Personal Data breaches.
• Data Protection by Design AND Data Privacy Impact Assessments: Familiarize yourself with the guidance (see ICO), look at implementation plan.
• Data Protection Officers: Designate a DPO.
• International: If your organization works internationally (has 2+ offices), you need to determine which Supervisory Authority you will come under.
What Preparations Are Membership
Organisations Undertaking?
Martin Sirk, CEO, ICCA
The ICCA database is a significant research and marketing data source for our organisation. I regularly use the search functions to identify future events that can potentially come to our venue and align to current targeted campaigns.
I use the download function to segment data into Excel and then upload the
organizational contact information and event history into our own CRM system.
Can I still do this?
Discussion and Questions
GDPR Checklist
Thank you
Emma Sanders
Director
Global Data Partners
T: +44 1442 780708
Caroline Mackenzie
Director
Global Association Partners
T: +44 7379 429500
GDPR BRAIN DATE SESSION – TUES 14 NOVEMBER 16:00
www.iapco.org
We are happy for you to retain our personal details should you wish to contact us regarding this presentation, GDPR for the MICE sector or other association conference related matters.
Question:
What about consent that’s taken by phone or on paper forms?
Answer:
• If Consent is being used as the mechanism (not legitimate
interest), GDPR Applies to any personal data captured
• Need to be able to prove consent given and for what purpose
Question:
I attend an educational event and am given a list of attendees, including
their names, roles and organisation. I use this to source phone and email
numbers on the internet and add to my marketing database. Is this OK?
Answer:
It depends:
• What consents were given when the data was collected?
• Is there a legitimate interest?
• Note current email marketing legislation for your market, not just
pending changes under ePrivacy (i.e. current opt in requirements)
Question:
Will I still be able to use my current mailing lists and databases?
Answer:
• If current database has been collected using consent mechanism, need to
ensure this is GDPR compliant - if it’s not, then you will need to align to new
GDPR regulations.
• Check what data you currently hold, where it is from, when it was collected,
when it was last validated/refreshed?
Question:
Can I store personal data from any business cards I collect from events
and tradeshows?
Answer:
It depends:
• Is it for business purposes?
• Is it to add to a marketing list?
• If in doubt take extra measures
Question:
How long can I keep a contact on my database?
Can I still invite past attendees to my other events?
Answer:
• If applicable use Legitimate Interest
• Ensure you apply opt outs at point of marketing execution
• If using email, check your local/current legislation (i.e. opt in)
• Ensure GDPR is followed (privacy statements, right to be forgotten,
right to access, etc.)
Question:
What if I’m buying or sharing third-party lists for my events? How will
GDPR affect this?
Answer:
• Make sure that you are allowed to share data you have from 3rd party
sources with other organisations!
• Make sure that organisation selling / sharing data has appropriate
consents/GDPR compliant
Question:
What happens if we don’t meet the requirements in time for the deadline?
Answer:
• Don’t miss the deadline - do your Data Audits NOW!
• Risk of fines