Europe’s new General Data Protection Act (GDPR), effective May 25, 2018, provides region-wide protection to individuals against unauthorized use or distribution of digital information, including their names, email addresses, photographs, and every other type of digital information.
The protection is extensive, and applies to all residents of the EU (and as of now, including the UK), with respect to any information gathered – regardless of the location of the meeting or organization collecting the information. That means if an EU citizen (or resident) attends a meeting in the US, the rules of the GDPR apply.
The restriction against use or distribution of information extends not only to the company sponsoring an event, but also to “processors”, that is, any person or entity assisting or responsible for various aspects of a meeting or marketing effort. In the case of a meetings manager, a “processor” includes any hotel, transportation supplier, or other aspect of a program during which lists are shared. Care must be taken that all lists are properly disposed of following the execution of a meeting, and as little information as possible should be distributed to any supplier.
Meeting invitations for EU-based events should include a statement advising prospective attendees that “Pursuant to the GDPR, all participants consent to the collection and distribution of information about the attendee as required for the operation of the program. This includes the possibility of photography and audio/video recording of the sessions, and the sponsor’s intention to retain a copy of such information for future training purposes.”
Consent is implicitly given during the online registration process; however, statements regarding privacy should be included in all invitations distributed to EU participants.
There is much to be learned about how, as a practical matter, downline providers of services will comply with the directive. The Regulation allows for a two-year “grace period” during which, presumably, violators will be given an opportunity to correct any improper processes.
At Summit Management, we immediately delete any meeting-related content materials following the completion of a meeting. Hard copies of supporting information are professionally destroyed three years after the meeting takes place. We are making it part of our standard procedures to include notification about GDPR compliance.
While not directly affecting US operations, any client with significant European Operations should be aware of the scope of the new regulations. We expect the impact on Corporate Marketing Operations to be especially difficult to manage since so much information is shared electronically.
The Summit Team will monitor developments regarding GDPR compliance and we’ll update you with further details as they become available. For more information about the program, you can find the official description of the program here: https://www.eugdpr.org/