The General Data Protection Regulation (GDPR), a piece of EU legislation concerning the protection of personal data, comes into effect on May 25th.
Unless you’ve been hiding under a rock, you’ve probably heard about it by now. In essence, GDPR requires organizations to ensure that individuals are given full control over how their personal data is used. On the one hand, it grants individuals more rights; on the other, it places more obligations on corporations around the protection of that personal data.
At CWT Meetings & Events, we’ve been updating our global privacy program since the regulation was first announced in early 2016. Perhaps because GDPR has been talked about so much, misconceptions abound about this European text, and false beliefs are held by some of our clients.
With this series that we’re rolling out on the eve of the next phase in data protection, we’re aiming to debunk the myths, and sort fact from fiction.
In doing so, we wish to provide some clarity on what GDPR means and how it should be applied. Step into our virtual data protection lounge, from now until the 25th.
Myth #1: Prior consent is required for everything and our clients and attendees need to re-consent to everything we do
This is probably the main misunderstanding about GDPR that many organizations still hold: that consent is the only legal basis for handling personal data. You may have heard that, from the 25th of May, our attendees would have the right to say “yes” or “no” to every piece of data collection and processing, and that they would be able to withdraw their consent at any time. This is not the case. Consent is but one of several legal grounds that can be used for the lawful processing of personal data. In fact, in a number of scenarios it is not the main ground that can appropriately be relied upon.
The vast majority of our business is conducted through contracts with our clients and is not based on the principle of individual consent. Our relationships are primarily business-to-business, rather than directly with consumers as a retailer’s are. That means that, while we may have to update privacy policies and attendee notices, we do not have to obtain fresh consent from individual attendees for our travel services. In most cases at CWT Meetings & Events, the legal rationale for processing attendee data is based on the fulfillment of our commercial agreements.
Check in next week for the second myth buster, where I'll explore whether GDPR is a revolution or more of an evolution.
Blog Author: Christel Cao-Delebarre, Global Privacy Officer, CWT