Executive Summary

The EU’s General Data Protection Regulation (GDPR) has come at a time when many businesses might be heading to a world of digital dictatorship. The GDPR makes organizations around the world liable for any violation of user privacy and deviations from a high data security standard. Besides, in MICE industry, almost all usual activities, such as registering, using event application, doing surveys, engaging in social media, collecting business cards and scanning badges are under the regulation. If MICE stakeholders are not well-prepared to comply with the GDPR, they will be charged with heavy fines like some world-famous organizations. However, if MICE stakeholders can deal with the GDPR regulations, they will be able to build a stronger relationship with attendees through trust and transparency, but there might be challenges lying ahead. The GDPR regulation is an important matter, of which all stakeholders in MICE industry should be aware!

Key Fact and Figures:

Importance of Data Privacy:

In the age of digital obesity and rampant mechanization, data has become a core of any business model including MICE industry. Data privacy is a branch of data security and is concerned with the proper handling of data; consent, notice and regulation obligations. According to Cybersecurity Ventures, a global research company, cybercrime will cost the world more than $6 trillion annually by 2021. This is a serious matter about which every organization has to be concerned The EU’s General Data Protection Law which became effective on May 25th, 2018 came at a time where all businesses might be heading to a world of digital dictatorship. The General Data Protection Regulation (GDPR) makes organizations liable for any violations of user privacy and deviations from a high data security standard. It aims to give EU citizens more control over on how their personal data is used. Any organization that collect and process personal data of European citizens falls under GDPR regulation even though they are based outside of the EU. The personal information includes ID/Passport details (name, address, race, biometric data), contact information (email addresses, telephone numbers), digital data (photographs and videos), sensitive data (financial and payment information), HR records, employment details, gender, disabilities, dietary preferences or any information that can identify a living individual. This must be concern as a responsibility of protecting the privacy of individual when dealing business.

In 2017, Europe became the second continent that generates revenue for MICE industry in Thailand with 11.56% in Corporate Meeting and 13.78% in Non-Corporate Meeting (TCEB, 2018). Therefore, GDPR regulation really matters for MICE stakeholders in Thailand. MICE stakeholders who are in possession of European’s personal data must comply with GDPR regulation. GDPR also applies to third parties who are involved in MICE activities and keep personal data of Europeans. The third parties aforementioned are as follows: technology providers, event management companies, registration software companies, and any related event technology system companies. To comply with GDPR regulation, there are 6 requirements for MICE stakeholders to follow: 

  • Consent: Event organizers will be required to obtain their attendees’ consent to store and use their data, as well as explain clearly how it will be used. Consent must be an active and affirmative action by the attendees, instead of passive acceptance through pre-ticked boxes.
  • Breach Notification: GDPR makes it compulsory to notify both users and data protection authorities within 72 hours of discovering a security breach. This is a major problem as breaches can happen anytime and no one will know about it until someone finds out. Failure to report a breach within the designated time limit can result in heavy fines.
  • Access: Organizations are expected to be prepared to answer questions concerning all private records of the attendees’ personal data - what data is being processed, where the data is stored and for what purpose is being used - in the format of digital copies if requested by attendees. Organizations need to be able to provide this for free within 30 days of the request.
  • Right to be Forgotten: Mice organizers have to delete and stop sharing personal data of EU citizens or residents with any third party whenever they ask for it. Also, all related third parties that have previously obtained consent such as hotel, suppliers, and venue have to stop processing it as well.
  • Data Portability: Attendees have the right to ask the event planners to give them back a copy of all personal data they previously provide or send to another third party who might possibly be a competitor of the attendee. The data has to be provided in the most commonly used and machine-readable format so that the success organization or company can import and make use of the data readily
  • Privacy by Design: organizers and event planners have to incorporate data security into their products and services from the design process. All the tech systems which store and manage personal data from the attendees are to be designed with the privacy as a priority. Therefore, in case it is required that new technologies or systems be created, the developer has to bear this concept in mind and make sure that Privacy by Design encompassed in every step of development.

MICE stakeholders should meet with these six requirements since the regulation affects almost every Mice activity such as gathering attendees’ personal data through registration systems, collecting business cards, and scanning badges. The GDPR applies to not only European attendees’ personal data but also personal data of all EU citizens involved in MICE activities. Hence, there are a lot of direct and unavoidable impacts of the GDPR on Mice Industry. To comply with the GDPR, personal information of European attendees in MICE activities can’t be used in any activities without their consent.

Moreover, using pre-ticked boxes and automatic opt-ins to get consent in marketing mailing lists will no longer be allowed. Consent under the GDPR must be unambiguous. The ticked boxes option must be separated from terms and conditions and have to clarify exactly what data to be used, where to be stored and who to use them. For example, one option box is for getting event notifications by email, another one is for receiving SMS and the other one is for receiving marketing information from a specific sponsor in the event.

Mice organizers and event planners should also make the withdrawal as easy as it is to give consent. Furthermore, data security is another issue that affects MICE industry. MICE stakeholders have to prove that their security system can protect attendees’ personal data under the GDPR requirements.

Data protection and data security must be a part of all the systems and processes in data management system such as a feature to detect and report data breaches to the authorities, a feature for an individual to access, or a feature to transfer and withdraw consent of personal data. All personal information must be stored in an encrypted format.

Furthermore, Mice organizers have to ensure that all tech event companies or relevant companies collecting and analyzing personal data from attendees have the system which comply with the GDPR. If the organizers who are in possession of European’s personal data are not GDPR compliant, they are liable to fines either at the lower level or at the higher level, which is up to €10 million or €20 million respectively. That is to say, all MICE stakeholders should be well-prepared to comply with the GDPR.

Case Studies of Personal Data Breach Under the GDPR Regulation 

Several well-known organizations that hold European’s personal data didn’t prepare well for GDPR compliance. They failed to keep personal data and then they were charged with breaking the GDPR laws.

Case Study 1: Google was fined £50 million for their last lack of transparency and valid consent

According to Commission Nationale de l'Informatique et des Libertés (an independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to use of personal data, Google LLC was imposed a €50 million fine on the 21st of January 2019 for non-compliance with the General Data Protection Regulation (GDPR) because Google LLC was not able to satisfactorily inform the users about how their data was collected and used in advertisements and marketing messages. Moreover, Google LLC failed to require consent from user for the purpose of using their data in personalized ad. All of these incidents implied that Google LLC lacked transparency, information, and valid consent regarding personalized ads. In the case of Google LLC, it is the first time that a U.S. tech company faced punitive actions under Europe’s new digital privacy law.

Considering technology and innovations used in MICE activities such as VR/AR and IoT, Mice organizers and event planners have to unavoidably deal with personal data. If event planners do not obtain the consent of attendees before processing their personal data and clarifying them how their data is to be stored and used, MICE organizers will be liable to a heavy fine like in Google LLC's case. Thus, any Mice organization or Mice company involving Europeans must ensure that their system complies with the GDPR regulation. 

 Case Study 2: Facebook hit with £500,000 fine for failing to protect their users’ data

The Information Commissioner’s Office (ICO) announced that Facebook was fined £500,000 [CQ1] for the Cambridge Analytica data scandal, which they allowed third party developers to harvest the personal data of millions of people’s Facebook profiles without their consent. Facebook was unable to keep personal information of its users secure as a result of failing to examine developers using its platform properly. 300,000 people were convinced to install a personality testing application that fed back the data of both users and their friends from Facebook, enabling the developer to harvest profiles of more than 87 million people worldwide without their knowledge. A subset of the data was later shared with other organizations, including SCL Group, the parent company of Cambridge Analytica, which was involved in running targeted Facebook adverts in the US political contests.  One of the commissioners said that in any eventuality the lack of controls from Facebook meant the data of UK residents was “put at serious risk” of being used for political campaigning. The fine would inevitably have been significantly higher under the GDPR.

In the context of MICE industry, this can happen when it is necessary to share attendee’s personal data with venues, speakers and sponsors. In order to avoid being fined, the event planners must obtain consent and specify which third parties will use their data clearly. Apart from that, they have to ensure that the systems used by the third party comply with the GDPR.

Case Study 3: Marriott data breach, the biggest breach in 2018, hit up to 383 million hotel customers

Forbes reported that Marriott, where its accommodation has a main presence in EU, had a data breach and was under investigation by Information Commissioner’s Office (ICO). Marriott International announced about the amount of exposed data including 5.25 million unencrypted passport details, 20.3 million encrypted passport numbers and 8.6 million encrypted payment cards. After the incidence, Marriott tried to lessen the fury of EU privacy regulator by compensating with a passport replacement and establishing informative web page for giving an answer to breach victims. However, the company may end up by paying the strictest fine with the amount of $915 million.

These cases indicate that data security system is a must-have for any organization handling with personal data including MICE stakeholders. Event planners have to ensure that data protection is plug in at the initial design stage and must have features to detect and report when data is breached to authority within 72 hours of it happening.

Key Implications of GDPR for MICE Industry

GDPR requirements focus on the rights of attendees over the organizations. However, the event organization can benefit from it if they are well-prepared and implement GDPR effectively. Attendees will feel more secure about how their personal data is processed and protected since the compliant organizations have the ability to protect attendees’ personal data. Moreover, one of the GDPR requirements, especially the right to track one’s personal data, will ensure that the organizations handle their personal data in a transparent way. This will lead to more trust in the organizations and willingness to provide more accurate personal information for Big data to be utilized more effectively then improve MICE activities to fit them more. Therefore, GDPR can strengthen attendee’s relationship through trust and transparency.

However, MICE organizers may face with some challenges because to comply with the GDPR proves to be complicated and needs massive investment of implementing data security system. The software that provides cybersecurity, data loss prevention, data protection, data monitoring and data management features should be implemented system-wide for a better insight and control those who process the data. All these features will come at a high cost. The limitation of creating MICE innovation services is another challenge for implementing GDPR regulation. Most of innovative technologies in MICE activities involve personal data such as AI, VR/AR and facial recognition. The GDPR conditions make these technologies more complicated in terms of processing and analyzing personal data when there is an endless need of consent for every data process. If innovative technologies are not a part of MICE activities or events, the enjoyment of attendees regarding innovative services and applications which are the key factor in retaining attendees might be obstructed. The complicated and inconvenient compliance process of GDPR as well as a high cost of security software system are limiting factors of creating innovative MICE products or services in the future.

All of these substantiate that GDPR plays a crucial role for any companies from any corner of the world that are handling or are to handle personal data of EU citizens. Those companies or organizations should take into account how to store and keep the personal data secure from any incidents.