The EU General Data Protection Regulation (GDPR) came into force on 25th May 2018, requiring organisations to put data protection measures in place when either offering goods and services to, or monitoring the behaviour of, EU citizens. GDPR's reach is global, so it can affect any company, regardless of where in the world it is based. Failure to comply can lead to hefty fines and considerable reputational damage.
In June 2016, the UK voted to leave the European Union (Brexit) and is currently scheduled to do this by 31st October 2019, with a deal or without one. When it does so, not only will the EU GDPR continue to apply to UK companies that process the data of individuals in the EU, but the UK plans to create parallel legislation for individuals in the UK. This means there will effectively be two GDPR legislations in place, with implications for businesses globally.
The two articles look at the impact of Brexit on GDPR, and implications for all organisations operating in the events industry. Events tend to be international and involve the movement of large numbers of delegates, so will be impacted by both GDPR and Brexit. However, the main points are applicable to organisations in all sectors.
Principles of GDPR
The diagram illustrates the fundamental principles of GDPR. In summary:
- Personal data consists of any data that can identify an individual
- GDPR applies extraterritorially to any organisation that either offers goods and services or monitors the behaviour of EU citizens
- There are six principles for processing personal data
- For processing to be lawful, it must follow one of six principles
- Individuals have eight rights to their data
- Organisations can either be Controllers or Processors, and they must have a written contract in place between them if they exchange personal data
GDPR after Brexit
Will GDPR still apply to UK businesses after Brexit?
According to the ICO website, the UK will write the EU GDPR into UK law as the 'UK GDPR', and it will apply extraterritorially to any business globally that either offers goods and services or monitors the behaviour of individuals in the UK.
As a consequence, businesses may need to process the data of individuals in the UK separately from individuals in the EU to respect the two different regulations. This essentially means there will be two GDPR legislations - one for EU individuals and one for UK individuals.
GDPR for Events
There are many different organisations involved within the events lifecycle, as demonstrated in the image, each providing their specialised services. There are also many kinds of personal data, often shared between these organisations to allow them to perform their function. Because events tend to be global, this potentially means lists of personal data (often delegate lists) are passing from one organisation to another, often crossing borders.
GDPR has restrictions on how and when personal data can cross borders, as highlighted in the next section. For events, typical examples include:
- A UK agency holds a conference in Dubai, with delegates from all over Europe
- A global agency has its Paris and London offices co-ordinating an event in New York with attendees from across the globe
- A Berlin-based corporate is holding an AGM in Madrid with attendees from the UK and Asia
- A London-based agency uses a DMC in Greece (which is in the EU)… or Turkey (which is outside the EU)
- A global corporation uses multiple agencies in different countries or regions to manage its meetings management program
For each example above, multiple lists of personal data may be shared between numerous actors - corporate, agency, venue, hotel, DMC, transfer company, etc.
In the second article on GDPR, Brexit and Events, we'll go into depth on the international transfer of data and how Brexit could impact it.
Disclaimer: The content of the two articles is for informational purposes only. It is not intended to be legal advice, nor should it be construed as such. Please consult a data protection professional or legal adviser for guidance on your specific circumstances.
Smartec Business Solutions provide a number of GDPR services for the events sector, including data audits, outsourced DPO and representative services. For details, see https://www.smartecbs.com/