“I’m in regular contact with venues, agencies and planners across the UK and many are currently unaware of the impact of Brexit on UK GDPR and EU GDPR, and the action they now need to take to ensure their business continues to operate legally,” says Michael Begley, managing director of venuedirectory.com.
“There are some simple and immediate steps that organisations should take in order to address data protection regulations and ensure that events can continue once the world opens up again. To support our industry on the road to better business I’ve partnered with data protection expert Arvi Virdee from Smartec to launch a series of short and focused webinars to guide them through this challenge,” Michael Begley explains.
How Brexit has affected the event industry’s EU data
The EU General Data Protection Regulation (GDPR) came into force in 2018, requiring organisations to put data protection measures in place when either offering goods and services or monitoring the behaviour of individuals within the EU. GDPR’s reach is global, so can impact on any company regardless of where in the world they are based. Failure to comply can lead to hefty fines and considerable reputational damage.
The UK’s GDPR regulations are now separate from the EU’s GDPR regulations, following the trade deal which came into effect on 1 January this year. This means there are now two data protection legislations instead of just one – UK GDPR covering individuals in the UK and EU GDPR for individuals in the EU. Businesses holding both types of data, will now need to adhere to each of the two separate legislations.
The UK is now officially considered a ‘third country’ under the EU GDPR. This means that UK businesses serving EU consumer will need to ensure they comply with both the UK and EU GDPR measures.
What does this mean for the business events industry?
There are two actions that meetings and events organisations now need to take:
- Firstly, UK companies which hold data for the EU now need to review and update their existing data sets. This is to determine which proportion is EU data (and therefore subject to EU GDPR regulations); which is UK data (subject to UK GDPR regulations) and which data falls outside of both of these categories, for example, data sets for individuals based in America or Asia.
- Secondly – and perhaps more significantly – UK businesses need to appoint a representative within the EU to deal with any queries. These could be queries around a data breach or a data subject access request. This representative should reside in any one of the 27 EU countries, – preferably the country in which a business has the most dealings – and therefore be in situ to deal with requests from individuals, companies or authorities.
UK businesses need to appoint an EU representative only if they do not already have a branch or office in the EU. If they do, this branch or office would act as the representative, although privacy notices would need to be updated to this effect.
It’s important to note that these new measures work both ways. UK law now requires EU companies who hold UK data to have a representative in the UK, and EU based companies need to review and separate their data sets to determine which is now subject to UK GDPR regulations.
What are the implications UK businesses don’t undertake these two activities?
The meeting and event industry is truly global with many different companies – venues, DMCs, agencies and corporates – all involved in planning a single event. This means that there are many different kinds of personal data often shared between these organisations – and across borders – to allow them to perform their service. For example, if you’re a UK agency hosting a conference in Dubai, with delegates from all over Europe, you’ll be affected by these changes. If you’re a London based agency using a DMC in Greece, you’ll be affected. If you’re a global agency with offices in London co-ordinating an event in New York with attendees from across the globe, you’ll be affected.
The upshot of not adhering to the new data protection requirements is potential loss of business. For example, if a UK venue is approached by an EU based corporate but doesn’t meet EU GDPR measures, they will not be able to fulfil the essential requirements for delivering the business.
Webinars to support event professionals
Michael Begley continues: “Event professionals should act now, using this current time when meetings and events are currently on hold, in order to ensure they’re fully prepared and have the correct elements in place in order to do business again.
“Having access to the right information and support is crucial and I hope to provide support through a series of forthcoming webinars. We’ve partnered with data protection expert Arvi Virdee from Smartec to run a series of free webinars guiding event professionals through the process.”