In 2018 there was a lot of action on the part of event providers to take steps to comply with GDPR. It was and is all about the protection and security of personal data.
The good thing about GDPR was that organisations knew when everything had to be in place to comply. It was 25 May 2018. It was a date that created change for many companies.
GDPR continues today.
The challenge today
The challenge faced by many UK organisations is the issue of Brexit and how it impacts personal data security regulations.
Whilst the UK left the EU at 11pm on the 31st January 2020, both sides still need to decide what their future relationship will look like. This needs to be worked out during the transition period, which is due to end on the 31 December 2020 (unless it is extended).
During the transition period, the UK will continue to follow all of the EU’s rules.
There is uncertainty about what the future holds for data security. One thing that is clear is that there will be differences in data security requirements between the UK and the EU.
In essence there will be a “A data gap.”
How big is the data gap?
How much of an issue this gap is or how long the gap will be in place remains to be seen. In broad terms, whilst UK organisations will be able to send personal data across to the European Union, they may not be able to receive personal data in return. But why not? Simply, because the European country sending the personal data to the UK has to be sure that appropriate security measures are in place to protect it.
Helping get over the data gap
Is this is a big issue for organisations? As usual, with the complexity of the GDPR it depends. It depends on a number of factors.
The UK government has said that transfers of data from the UK to the European Economic Area (EEA) will not be restricted. However, from the end of the transition period, GDPR transfer rules will apply to any data coming from the EEA into the UK.
We can use a fairly straightforward example to illustrate the Data Gap. Let’s imagine your event agency is based in the UK and you are producing an event. To help, you have enlisted the services of an event registration company (based in the Netherlands). The registration company is sent details of the delegates that are due to attend. The registration company is acting as a data processor for you. But, because they are based in the Netherlands, they do not have to send the processed information back to you. Unless you, as the UK company can provide them assurances that you have strict data security protocols in place that meet their requirements.
You need to consider what GDPR safeguards you can put in place to ensure that data can continue to flow into the UK.
For more information, read Data Protection if there’s a no-deal Brexit and our guidance on international transfers.
At the moment the solution to our fictional example of the UK event agency and the event registration company in the Netherlands, is to have Standard Contract Clauses in place.
Standard Contract Clauses are being referenced by the Information Commissioners’ Office (ICO) as a way forward. You would need one for each data processor or supplier. Effectively they would need to be in place before the 31 December 2020 to avoid any gap. You may need to provide other documentation about your security processes depending on what the European country requires.
The ICO have also produced an interactive tool on using standard contractual clauses for transfers into the UK to help you.
In time maybe an ‘Adequacy Agreement’ for Data Protection will come into force. But how much of that becomes reality depends in large part on how closely aligned the UK is with the EU in the future trading relationship.
The suggestion is not to wait for the ‘politicians’ magic wand but act now and be ready for changes on 31 December 2020. Technical Bulletins issued by the UK Government and updates from the ICO are worth a read to keep up to date.
Vault the data gap and win more business
Data security is always going to be an ongoing priority. After all, personal data is valuable currency. Event delegates want to know that their personal information is in safe hands. Those event organisations that truly embrace personal data security will become known for being reliable and trusted providers. They will embrace new requirements as being part and parcel of doing business. They will win more business and vault the data gap whilst other providers will be struggling to stand upright.
Good luck but do mind the gap.
Looking for Great Content?
Paul Cook writes dynamic event focused content for trade publications, associations, suppliers and websites. When you need a blog, an eBook or a business story to really connect with your audience, ask Paul to write it for you.