With Brexit comes new General Data Protection Regulations (GDPR) for event professionals, and Michael Begley, MD of Venuedirectory.com, says now’s the time the industry needs to get to grips with the new rules.
Brexit has brought with it many implications for businesses, but it’s the repercussions on data protection that many companies seem to be unaware of.
I'm in regular contact with venues, agencies and planners across the UK and many are currently unaware of the impact of Brexit on UK GDPR and EU GDPR, and the action they now need to take to ensure their business continues to operate legally.
I believe that now’s the time for event professionals to address this, using this current period when meetings and events are just starting to get going to ensure they’re fully prepared.
The UK’s GDPR regulations are now separate from the EU’s GDPR regulations, following the trade deal which came into effect on 1 January this year. This means there are now two data protection legislations instead of just one ‐ UK GDPR covering individuals in the UK and EU GDPR for individuals in the EU. Businesses holding both types of data will now need to adhere to each of the two separate legislations.
The UK is now officially considered a ‘third country’ under the EU GDPR. This means that UK businesses serving EU consumer will need to ensure they comply with both the UK and EU GDPR measures.
What does this mean for the business events industry?
- Firstly, UK companies which hold data for the EU now need to review and update their existing data sets. This is to determine which proportion is EU data (and therefore subject to EU GDPR regulations); which is UK data (subject to UK GDPR regulations) and which data falls outside of both of these categories, for example, data sets for individuals based in America or Asia.
- Secondly – and perhaps more significantly ‐ UK businesses need to appoint a representative within the EU to deal with any queries. These could be queries around a data breach or a data subject access request. This representative should reside in any one of the 27 EU countries, ‐ preferably the country in which a business has the most dealings ‐ and therefore be in situ to deal with requests from individuals, companies or authorities.
This has a huge impact on the events sector because, as we all know, there are many different organisations involved within the events lifecycle, each providing a specialised service. There are many kinds of personal data, often shared between these organisations, to allow them to perform their services.
What’s more, many events have a global reach resulting in lists of personally identifiable data (such as delegate lists) passing from one organisation to another, often crossing borders. Take, for example, a Berlin‐based corporate holding an AGM in Madrid with attendees from the UK and Asia – this results in multiple lists of personal data being shared between numerous actors ‐ corporate, agency, venue, hotel, DMC, transfer company.
It’s this data that now needs to be reviewed and segmented to determine which proportion is EU data (and therefore subject to EU GDPR regulations); which is UK data (subject to UK GDPR regulations) and which data falls outside of both of these categories, for example, data sets for individuals based in America or Asia.
Another step that business must take is to appoint a representative within the EU to deal with any queries. Under the EU GDPR, any organisation based outside of the European Economic Area (EEA) is required to appoint a 'representative' in the country where it does most of its personal data processing. After Brexit, the UK GDPR will have a similar requirement for any international organisation processing the data of individuals within the UK.
Not only does this mean that international organisations might now need to appoint two representatives (one in the UK, one in an EEA country), it also means that UK businesses may need to appoint a representative in the EU and vice versa.
For example, an events agency in Paris that regularly processes the data of delegates from the UK may need to name a representative in the UK. Likewise, for a UK DMC that provides events services to EEA agencies. The primary role of the representative is to communicate with the local supervisory authority, should there be an enquiry or a data breach, and to manage any data subject requests.
I’d urge event organisations who haven’t already addressed these data protection issues to action this soon.
Having access to the right information and support is crucial and I hope to provide support through a series of forthcoming webinars. We've partnered with data protection expert Arvi Virdee from Smartec to run a series of free half-hour webinars next week guiding event professionals through the process.
The Effect of Brexit on UK ‐ EU data webinar takes place on a choice of two dates: Wednesday 17 February at 14.00 GMT or Thursday 18 February 2021 at 10:00 GMT. Registration is free here.
A desire to travel led Holly Patrick to the business meetings and events world and she’s never looked back. Holly takes a particular interest in event sustainability and creating a diverse and inclusive industry. When she’s not working, she can be found rolling skating along Brighton seafront listening to an eclectic playlist, featuring the likes of Patti Smith, Sean Paul, and Arooj Aftab.
