Marty MacKay, DMCP, president, Hosts Global’s Alliance of DMC’s. Marty has spent her entire career mastering the event world. Her professional background began on the client side, where she learned the event business from the ground up while working at a leading fortune 500 company. Since joining Hosts Global in 2013, she has more than doubled the size of the Alliance and introduced best practices and standards across the membership. Marty is the president of ADMEI and leader in the hospitality industry’s focus to drive emergency preparedness.

On May 25th, the EU’s General Data Protection Regulation (GDPR) becomes enforceable and the magnitude of its implications for the meetings industry is indeed huge. So many aspects of our people-focused business include collecting — and sharing — personal data about clients and event attendees. Names, addresses, phone numbers, birthdates, emails, preferences and more are needed for airport manifests, tour registrations, restaurant reservations, recreation safety waivers, etc. We reuse data from prior events to prepare for the next. We keep in touch via email marketing. All of this and more will be impacted by GDPR’s requirements to obtain specific consent from individuals regarding how their data will be collected, managed and stored or deleted. At the core, GDPR is driving new conversations between clients and Destination Management Companies (DMCs) to ensure compliance. Our team at Hosts Global is diligently preparing our DMCs worldwide for these critical conversations and compliance requirements. As we prepare, we want our clients to rest assured that their people’s data will be handled securely, but we need everyone’s cooperation to get there — including our clients, so we wanted to share some insight on the conversations and challenges ahead.

New Roles and Responsibilities Require New Client Conversations

Under GDPR, the client/DMC relationship now encompasses the roles of Data Controller (client) and Data Processor (DMC). As such, we have new responsibilities to each other, requiring new conversations to ensure we stay on top of our respective data chains and provide exemplary experiences for our guests.

Questions DMCs Should be Asking Their Clients:

• Have you requested consent from your attendees to send us their personal information?
• How will you be sending the data? Is your method secure?
• Are you sending us more data than you have asked consent to send?
• Does that consent include providing the information to our subcontractors?

Questions Clients Should be Asking Their DMCs:

• What are your Standard Operating Procedures (SOPs) for securely transmitting data?
• How does your DMC identify and close data control gaps? Or more specifically, how is data securely transferred across all parties involved in our event?

These conversations need to occur at the very beginning of building of a program since the most important aspect of GDPR compliance is consent. This means consent from event attendees that that their Personally Identifiable Information (PII) will be shared with event suppliers, including the DMC who will also be passing along elements of guest’s PII to their subcontractors.

Many of our clients also require registration websites for their events. It is important to make sure you are working with a GDPR-compliant registration provider.

Questions to Ask Your Registration Provider:

• Have you ever posted your privacy policy on a client’s registration (e.g., website/registration forms) website or email that is sent from your tool? If so, is this the default mode?
• Have you ever posted your marketing links or “powered by” on a client’s registration website or email that is sent from your tool? If so, is this the default mode?
• Does your registration website or email that is sent from your tool use cookies or tracking mechanisms and for what purpose? Is data obtained through cookies, etc. sold or shared data with Data Marts or any other third-parties without express consent from the client?

It’s a lot to wrap your arms around. Ultimately, continuous, open communication and prudent processes will undoubtedly pave the way to a smoother GDPR transition.

Common Myths

“GDPR is specific to EU citizens and my group isn’t from the EU, so this doesn’t affect me”
How can you tell? At Hosts Global, we understand that we don’t (and can’t) know the citizenship of all our event attendees. So, we’re taking a holistic approach to protecting each individual’s data and will work to universally apply new SOPs to every attendee — not just Europeans — going forward.

“I don’t do meetings outside of the United States, so this doesn’t affect me.”
Unfortunately, that isn’t true. If you handle meetings anywhere across the globe where you have EU citizens attending, you must adhere to the GDPR regulations for protecting their privacy.

Expect Hiccups and Hurdles

We should not expect initial GDPR compliance to be easy or simple. We all store so much data that we never think about. Having to confront legacy data systems, clean them up and manage them in new ways is a monumental undertaking. I know this all too well. Our own Hosts Global website is undergoing revisions to ensure it is GDPR compliant ahead of the deadline. We have work ahead of us. Every time we get one thing done, something else pops up. But we persevere. Temporary hassles spurred by GDPR are far outweighed by the long-term benefits of better data protocols. After all, it’s all about providing our clients and their attendees with the utmost in care, protection and service.

Trust as the New Currency

Though GDPR is a product of the digital age, its success — indeed all of our successes — depends on the enduring, timeless value of effective communication and trusted relationships. We look forward to driving these new conversations with you. C&IT