In February 2018, Meetings Today interviewed Larry Samuelson, senior vice president, general counsel and corporate secretary for Cvent, for a story on how the leading cloud-based enterprise event management company is dealing with the implementation of the General Data Protection Regulation, or GDPR, which exposes companies to fines of up to $25 million, or 4 percent of their annual revenue, for misusing the personal data of European Union citizens.
You have someone from an EU company attending your meeting or even just in your database?
Listen up, because you’re liable.
In the interview, we learned that Cvent has been on top of GDPR preparation from the very beginning, as part of its standard data protection policies and procedures for clients.
Now, with May 25, 2018, the actual “D-Day” for implementation of the new regulation, looming, we reached back out to Cvent to pose the following question: What do you need to do NOW if you aren’t GDPR compliant?
Following is the advice Samuelson offered for meeting professionals and their organizations who have let the all-important date of May 25, 2018, creep up on them unprepared:
There is a lot of information out there on how GDPR will impact the meetings and events industry, and the sense of urgency around the new law is understandable. The fines can be crippling to a business, not to mention what a GDPR infraction could do to its brand.
However, the spirit of GDPR is to put the security and privacy of personal data at the forefront and for organizations to develop trust and transparency in their relationships with their customers—and if more people approach the regulations with that mindset, it’s an easier idea to grasp and prepare for.
After preparing Cvent and our customers for GDPR over the last year, I am intimately aware that no two companies are the same, and that each business will have its own path to compliance based on the data collection processes already in place.
The easiest way to address what you should do NOW, other than working with a legal advisor or privacy expert, is to put your business in the hypothetical situation where it has been flagged for a GDPR infraction and could be facing heavy fines.
It is key to note that there are many determining factors that go into deciding what that fine amount will be. For each non-compliance situation, factors that will be addressed include the following: nature of infringement, intention, mitigation, history, cooperation, data type, notification, certification and preventative measures already taken.
So, it is important to keep all those in mind. Check off the ones that you know you are okay with—if you know you’re a cooperative business, with no malintent or history of data concerns, then check those off as non-issues. Then determine which of these factors most concerns you.
That’s where you should put your efforts RIGHT NOW.
For example, if your top concern on that list is the preventative measures (or lack thereof), what can you do now to show that you are taking the steps to be compliant? You should conduct an organizational information audit and consider the following questions:
- Do we collect information from EU residents?
- If so, where is that personal data stored?
- Who has control and access and is it shared with third parties?
Then address any issues within that chain.
Overall: Prioritize the areas with the highest risks and impact.
Think about any high-risk data processing within your business. Consider those activities with higher fines attached, such as sensitive data, consent and subject access rights.
Then, put your effort into addressing those areas.
This presentation can help as it provides 10 steps toward compliance and highlights key questions you should ask as you prepare. The key takeaway here is that taking ANY step toward compliance, no matter how small, will make a positive impact and could certainly help lessen any fine that might (hypothetically) come your way.
Larry Samuelson is senior vice president, general counsel and corporate secretary for Cvent, a cloud-based enterprise event management company. Samuelson specializes in advising senior executives regarding the legal risks and opportunities facing a company. He has been helping Cvent get ready for GDPR well ahead of schedule.