How will Brexit impact on General Data Protection Regulation at meetings?

Major changes came into force on 25th May 2018, in the shape of the General Data Protection Regulation. Known as GDPR, the legislation comprises stricter EU privacy laws, which are aimed at all events collecting and holding data about EU citizens.

It has completely changed the way that meetings and event planners can collect, process and protect attendees’ personal information. The legislation is something that event organisers in the UK have had to take on board, because ignoring it would have serious consequences.

Tougher privacy laws
The introduction of GDPR forced event planners to play a bigger part in securing any data collected from attendees. Both the event planner and the venue hosting the meeting must be compliant with GDPR. Not doing so could result in large fines.

Compared with the existing data protection regulations at the time, non-compliance with GDPR came with very serious financial implications, so it was in companies’ best interests to be prepared.

Nine months down the line, event organisers have developed a good understanding of GDPR. In a nutshell, it is aimed at stamping out data breaches, when information is lost, stolen, or released to people who may have malicious intent.

It means personal data must be gathered legally and under strict conditions, with the people who are collecting it being obliged, by law, to protect it from misuse and exploitation.

Post-Brexit GDPR
Businesses and organisations in the public and private sectors invested a lot of money in ensuring compliance. A large part of the resources have funded the improved technology required to collect and manage data legally.

Now, within less than a year, event organisers may have to rethink their strategies again, depending on the outcome of Brexit and whether the UK gets a deal or not.

GDPR allows personal data to be shared between EU member states, but not to so-called “third countries” outside the EU. This means that after Brexit, the UK will become a “third country”.

The transfer of personal data will be prohibited from EU member states to the UK, unless a potentially costly and complex data transfer solution is put in place.

This would mean that delegates from EU member states attending events and conferences in the UK would potentially have to be treated differently, in terms of data collection and protection, than delegates from the UK.

Decision of adequacy
Any UK companies hoping that GDPR will quietly go away after Brexit will be disappointed. It’s here to stay and will be enforced by the UK’s Information Commissioner’s Office after Brexit.

Yet in Europe, organisations will no longer be permitted to send personal data about employees, suppliers and customers to the UK. This means the information can’t be sent even to members of the same corporate group, unless a legal data transfer solution is put in place.

It would be possible, under provision in the GDPR, that the European Commission could issue a “decision of adequacy” if a country could demonstrate it had put in place satisfactory data protection laws. This would mean EU member states could transfer personal data to the approved country, in the same way as if it was a member state.

This uncertainty is causing headaches for event planners. In a survey carried out among UK event organisers, 81% of respondents said data security was a bigger priority for them than ever before as a result of GDPR and Brexit.

Although, in theory, the UK could meet the criteria of being an “adequate” country, it isn’t a foregone conclusion that this would be the case in practice.

Brexit is a politically-charged issue – and to further complicate matters, Britain is demanding an “enhanced adequacy decision”, which would enable our ICO to continue to participate in the European Data Protection Board.

The ICO is an independent body set up in the UK to uphold information rights and data privacy. The request for the ICO to participate in the EDPB after Brexit has been met with opposition from EU leaders once we’re no longer a member state.

Worst case scenario
If the no deal Brexit goes ahead and the UK becomes a “third country”, EU member states will no longer be legally bound to transfer personal data without a complex solution being put in place.

This would be the worst case scenario for events and conference organisers with international links.

Unfortunately, as Brexit approaches with no deal on the table, and with just weeks to the deadline, there is no clarity for event organisers.

It’s difficult to predict if or even when a “decision of adequacy” will be put in place. Business leaders are advising companies to plan for the worst-case scenario, with a data transfer solution ready to implement if the UK leaves the EU with no deal – to become an unapproved country on 29th March.

Don’t let choosing the location for your next event add to your headaches. &Meetings can provide the perfect venue! Give us a call on 0800 073 0499 to take advantage of a wealth of quality meeting rooms at sensible prices.

© fotogestoeber / Adobe Stock