Try Glisser

GDPR, Brexit and Events

In the confusion over Brexit and its impact, part one of our GDPR, Brexit and Events duology will help shed light on Brexit's impact on GDPR and the events industry.

Arvi Virdee, June 27, 2019
Blog 26 Five GDPR Questions

The EU General Data Protection Regulation (GDPR) came into force on 25th May 2018, requiring organisations to put data protection measures in place when either offering goods and services or monitoring the behaviour of EU citizens. GDPR's reach is global, so can impact on any company, regardless of where in the world they are based. Failure to comply can lead to hefty fines and considerable reputational damage.

In June 2016, the UK voted to leave the European Union (Brexit) and is currently scheduled to do this by 31st October 2019, with a deal or without one. When it does so, not only will the EU GDPR continue to apply to UK companies that process the data of individuals in the EU, but the UK plans to create parallel legislation for individuals in the UK. This meaning there will effectively be 2 GDPR legislations in place, with implications on businesses globally.

The two articles look at the impact of Brexit on GDPR, and implications for all organisations operating in the events industry. Events tend to be international and involve the movement of large numbers of delegates, so will be impacted by both GDPR and Brexit. However, the main points are applicable to organisations in all sectors.

Principles of GDPR

The diagram illustrates the fundamental principles of GDPR. In summary:

  • Personal data consists of any data that can identify an individual
  • GDPR applies extraterritorially to any organisation that either offers goods and services or monitors the behaviour of EU citizens
  • there are six principles for processing personal data
  • for processing to be lawful, it must follow one of 6 principles
  • individuals have eight rights to their data
  • Organisations can either be Controllers or Processors, and they must have a written contract in place between them if they exchange personal data

GDPR after Brexit

Will GDPR still apply to UK businesses after Brexit?

According to the ICO website, the UK will write the EU GDPR into UK law as the 'UK GDPR', and it will apply extraterritorially to any business globally that either offers goods and services or monitors the behaviour of individuals in the UK.

As a consequence,  businesses may need to process the data of individuals in the UK separately from individuals in the EU to respect the two different regulations. This essentially means there will be two GDPR legislations - one for EU individuals and one for UK individuals.

GDPR for Events

Why Events?

There are many different organisations involved within the events lifecycle, as demonstrated in the image, each providing their specialised services. And there are many kinds of personal data, often shared between these organisations to allow them to perform their function. And because events tend to be global, this potentially means data is lists of personal data (often delegate lists) are passing from one organisation to another, often crossing borders.

GDPR has restrictions on how and when personal data can cross borders, as highlighted in the next section. For events, typical examples include:

  • A UK agency holds a conference in Dubai, with delegates from all over Europe
  • A global agency has its Paris and London offices co-ordinating an event in New York with attendees from across the globe
  • A Berlin-based corporate is holding an AGM in Madrid / with attendees from the UK and Asia
  • A London based agency uses a DMC in Greece (which is in the EU)… or Turkey (which is outside the EU)
  • A global corporation using multiple agencies in different countries or regions to manage their meetings management program

For each example above, multiple lists of personal data may be shared between numerous actors - corporate, agency, venue, hotel, DMC, transfer company, etc.

In the second article on GDPR, Brexit and Events, we'll go into depth around the transfer of international data and how Brexit could impact it. 

 

Disclaimer: The content of the two articles are for informational purposes only. They are not intended to be legal advice, and nor should it be construed as such. Please consult a data protection professional or legal adviser for guidance on your specific circumstances.

Smartec Business Solutions provide a number of GDPR services for the events sector, including data audits, outsourced DPO and representative services. For details, see https://www.smartecbs.com/solutions/gdpr, or call Smartec on +44 (0)1784 289974 or email info@smartecbs.com.
GDPR CCPA
Share this article:
A Question of Trust

A Question of Trust

ISO 27001 certified tech providers stand-out from the competition because they are best placed to help organizations protect their data assets and meet compliance objectives. This is particularly important for virtual events platforms who must be trusted to keep event data and content safe.
Event Planning Featured Opinion GDPR Edu Thought Leadership
Mike Fletcher, September 3, 2021

Does data governance and security still matter in 2020?

As the explosion of virtual events rocks the business world have you stopped to ask yourself what’s happening with all that event data?
Event Planning Featured GDPR Thought Leadership
Vanessa Lovatt, November 23, 2020
4 Cybersecurity Tips for Virtual Events

4 Cybersecurity Tips for Virtual Events

For most people, the past several months have included a combination of operating remotely and social distancing to flatten the curve due to the global pandemic. In particular, event professionals have seen events be cancelled, postponed, and shifted to a virtual format to stabilize the industry and keep participants safe while virus transmission remains a risk.
Event Planning GDPR Thought Leadership
Ramona Jean, August 19, 2020
© 2024 Glisser, all rights reserved