GDPR, Brexit and Events

In the confusion over Brexit and its impact, part one of our GDPR, Brexit and Events duology will help shed light on Brexit's impact on GDPR and the events industry.

Arvi Virdee, June 27, 2019

The EU General Data Protection Regulation (GDPR) came into force on 25th May 2018, requiring organisations to put data protection measures in place when either offering goods and services or monitoring the behaviour of EU citizens. GDPR's reach is global, so it can affect any company, regardless of where in the world it is based. Failure to comply can lead to hefty fines and considerable reputational damage.

In June 2016, the UK voted to leave the European Union (Brexit) and is currently scheduled to do this by 31st October 2019, with a deal or without one. When it does so, not only will the EU GDPR continue to apply to UK companies that process the data of individuals in the EU, but the UK plans to create parallel legislation for individuals in the UK. This means there will effectively be 2 GDPR legislations in place, with implications for businesses globally.

The two articles look at the impact of Brexit on GDPR, and implications for all organisations operating in the events industry. Events tend to be international and involve the movement of large numbers of delegates, so will be impacted by both GDPR and Brexit. However, the main points are applicable to organisations in all sectors.

Principles of GDPR

The diagram illustrates the fundamental principles of GDPR. In summary:

  • Personal data consists of any data that can identify an individual
  • GDPR applies extraterritorially to any organisation that either offers goods and services or monitors the behaviour of EU citizens
  • There are six principles for processing personal data
  • For processing to be lawful, it must follow one of 6 principles
  • Individuals have eight rights to their data
  • Organisations can either be Controllers or Processors, and they must have a written contract in place between them if they exchange personal data

GDPR after Brexit

Will GDPR still apply to UK businesses after Brexit?

According to the ICO website, the UK will write the EU GDPR into UK law as the 'UK GDPR', and it will apply extraterritorially to any business globally that either offers goods and services or monitors the behaviour of individuals in the UK.

As a consequence, businesses may need to process the data of individuals in the UK separately from individuals in the EU to respect the two different regulations. This essentially means there will be two GDPR legislations: one for EU individuals and one for UK individuals.

GDPR for Events

Why Events?

There are many different organisations involved within the events lifecycle, as demonstrated in the image, each providing their specialised services. There are also many kinds of personal data, often shared between these organisations to allow them to perform their function. Because events tend to be global, this potentially means lists of personal data (often delegate lists) are passing from one organisation to another, often crossing borders.

GDPR has restrictions on how and when personal data can cross borders, as highlighted in the next section. For events, typical examples include:

  • A UK agency holds a conference in Dubai, with delegates from all over Europe
  • A global agency has its Paris and London offices co-ordinating an event in New York with attendees from across the globe
  • A Berlin-based corporate is holding an AGM in Madrid with attendees from the UK and Asia
  • A London-based agency uses a DMC in Greece (which is in the EU)… or Turkey (which is outside the EU)
  • A global corporation uses multiple agencies in different countries or regions to manage its meetings management program

For each example above, multiple lists of personal data may be shared between numerous actors - corporate, agency, venue, hotel, DMC, transfer company, etc.

In the second article on GDPR, Brexit and Events, we'll go into depth around the transfer of international data and how Brexit could impact it.

Disclaimer: The content of the two articles is for informational purposes only. It is not intended to be legal advice, nor should it be construed as such. Please consult a data protection professional or legal adviser for guidance on your specific circumstances.

Smartec Business Solutions provide a number of GDPR services for the events sector, including data audits, outsourced DPO and representative services. For details, see https://www.smartecbs.com/solutions/gdpr, or call Smartec on +44 (0)1784 289974 or email info@smartecbs.com.

© 2018 Glisser, all rights reserved