is an issue that the C-level suite has to
take on, and as Deb said, you’ll see more
data protection officers and IT getting involved in meetings.
Q What kind of data are we talking about? Will GDPR govern personally identifiable information, or does it go
Chong: GDPR compliance will have far-reaching implications in how you handle the PII of
your customers, partners, prospects and employees. But it goes beyond PII. For example,
[a meetings technology company] is managing
data that identifies our customers’ best salespeople, when you talk about incentive [programs]. We know housing requirements or
sleeping arrangements. We know dietary issues
of participants. All of this is extremely confidential and sensitive client information. Meetings touch so much data, both the data that I
provide, as well as data that [a technology system] possibly receives like my IP address, my
search history, my Web track on my location.
[Marketers can also] infer data based on my
online behaviors. [The tech provider] might
even share that data with a data mart … and
other companies might be buying [my data],
even if it’s aggregate, to remarket other products to me. Until now, these have been a privity
of contract issue. Now, they’re going to become
a GDPR issue.
Q Participant behavior data is becoming such a big part of meetings and events
and often is provided to sponsors as part of
the value of their investment. Will GDPR
interfere with this?
Iwamoto: [GDPR] will change the way meeting participants opt in or provide permissions
about how their data can be used. I envision
that everything will need a data [usage policy]
and companies will have to be more transparent about how the data is used.
Chong: Conference producers will have [to
require] sponsors to sign an agreement that
they will not transfer that data and use it
except for the purposes agreed to by the person who provided the data. Under GDPR,
participants will also be able to revoke their
consent to share data, and that will add
another task to data management. [Corporate clients] will need to check the tires on
their technology [to understand] whether
the solution can handle the permissions and
proper opt-ins. We’re in the world of Big
Data and Fortune 500 companies. Technology systems need to handle data according
to these requirements so that no one has to
perform manual tasks. This will mitigate
risk to a certain extent.
Chong: The data controller, so in this case
the corporate client. The controller has an
agreement with the data processor, which is
the technology company. As a processor, I
would not take any instructions other than
from the controller because the controller is
responsible under GDPR for managing the
data, for treating it the way it’s supposed to
Q Many companies access technology through the third party. Is the liability
still the same?
Chong: The data controller is still liable. For
a limited number of programs, we appreciate
[that] licensing via a third party makes sense.
However, for a strategic meetings management program, we recommend companies …
go direct to a technology provider to ensure
that there is privity of contract to address any
potential liabilities. The company data protection officer, a requirement of GDPR compliance, will get involved in the selection and
management of technology in both scenarios.
Q Many companies have so-called “no-cost” SMMP agreements with third
parties, funded mainly by hotel commissions.
They don’t have resources for a technology RFP or other SMMP tasks. Is it realistic
to think that these companies will change
course because of GDPR?
Iwamoto: By program size and by activity, people need to do the math and do the financials
as to whether going direct makes sense, or
should they license to a third party, an intermediary. Every company is going to come to a
different financial conclusion.
Chong: I respectfully disagree, if we are talking
about enterprisewide SMMP.
Iwamoto: I just went through it with a midsize client where they wanted to go direct to
the [technology] supplier, but when they did
the financials and the head-count resource
allocation internally, they could not get that
approved. They [went] through a third-party
Chong: I had the opposite. A client [told me
recently] they had not gone direct and their
CFO is now insisting that they go direct. I
think any organization is going to be at risk if
they don’t go direct. How will they explain, if
the third-party [mismanages the data or mismanages the technology], that suddenly the
end client corporation is getting fined? So I
disagree, I respectfully disagree.
Iwamoto: If that’s going to happen, then GDPR
might force more direct contracting with suppliers. But currently, it’s a matter of head-count
resource and budgets and financials that lead
people to go through the third party. If they do
go that route, however, I foresee GDPR compliance becoming part of the auditing process.
We do audits all the time for different components of travel and meetings, so I envision that
this will become a separate audit stream.
Q Will GDPR, then, force a shift in how meetings technology is priced or tiered
so it fits more types of end clients?
Chong: I don’t believe this is all because of pricing. That’s just sort of a misnomer in the marketplace. We have clients that might just need
our systems for one program a year, and then
we have others who are doing 5,000 programs
a year. They’re not paying the same thing. Plus,
the technology is priced based on usage. Corporations have to weigh the cost of [the right
technology and contracts] against the risk of
being fined for GDPR violation. Beyond the
fine itself, think about public perception. If a
company gets fined, everyone is going to start
looking and saying, “What else did they do?”
Q What about corporate data, like booking patterns, hotels and locations—
basically the RFP history? Is that corporate
data ever sold to meetings suppliers and
would GDPR come into play here?
Chong: If I’m responsible for sourcing meetings and I’ve set my profile and the sourcing
technology is sharing my buying patterns and
my profile data in a dashboard to vendors in
the marketplace, there is no privity to take actions as you are not a party to the contract if
your end user is not aware and has not given
the company permission to use the data in
that way. Practices and other behaviors that
produce covert revenue streams will be challenged in the world of GDPR. Overall, GDPR
will help in all of our efforts to further professionalize our industry and provide the visibility that it deserves in terms of how meetings
and events impact revenue generation and
corporate success rates overall.
Q Kevin, do you agree?
Iwamoto: I do, but I also think we should
underscore that this goes way beyond meetings and affects how companies need to
be looking at data governance overall and
how meetings fit into that. We know that
the U.S. has some of the lowest data privacy
standards in the world. In Europe, data privacy is a right. GDPR is pushing that issue
on a global scale.