A data breach... That sounds like a remote concern. Still, it happens more often than you think! For example, when you lose your USB stick on the train, forget your laptop at a venue, or send an email with personal data to the wrong person. All these situations are examples of a possible data breach. As of May 25, 2018, a new EU privacy law (General Data Protection Regulation or GDPR) applies to organisations, obliging them to report every data breach to the European Supervisory Authority (ESA). If personal data is not processed and/or stored carefully, your organisation risks high penalties. In this blog, we’ll explain what a data breach is, what to do when it happens and - most importantly - what you can do to prevent it.
What is a data breach?
We speak of a data breach when a person or organisation loses control over the destination of a large amount of sensitive personal data, such as information about health or religion, but also financial details or login credentials.
What to do in case of a data breach?
When personal data has become public, the first thing to do is report it to the security department or the Data Privacy Officer (DPO) of your organisation. He or she will assess whether it is, in fact, a data breach - and how serious the situation is. If a data breach occurs, the new GDPR obliges the organisation both to document it internally and to notify the ESA within 72 hours.
The ESA will then investigate the consequences and risks, and assess whether the organisation has handled the data carefully. If the data were not processed and stored according to the new policy, your organisation risks a fine of up to €20 million - or 4% of your global revenue (which can add up to an even higher amount). And besides, don’t underestimate the consequences of reputation damage.
How to avoid a data breach?
As an event manager, you collect a lot of personal data during the registration process. Moreover, you work at different locations, and multiple suppliers that process personal data are involved in the process. In other words, there is a considerable risk of a data breach. Therefore it is important to develop a safe working method, together with your colleagues in Security/Legal. The following steps are crucial (and in many cases even mandatory) for data breach prevention.
Outside the organisation: Clear alignment with the suppliers
- Step 1: Make a list of which partners/suppliers process personal data on behalf of your organisation: think of Email Service Providers (ESP) and registration (software) partners.
- Step 2: Find out how they process and store personal data. Is it safe? If companies are certified (for example, ISO 27001), ask for the scope of this certification. Of course, check this within your own organisation as well.
- Step 3: Check where your partner’s data centres are located. Will the data remain within the EU? Many European companies demand that data stays within the EU because privacy protection there is stricter than in other countries (e.g. the US).
- Step 4: Conclude a data processing agreement with all suppliers that process personal data (on your behalf). The topics included in a processing agreement will be discussed in the following blog.
- Step 5: If you can’t avoid sharing (Excel) files containing personal data with external suppliers, always protect the document with a password - especially when sending these files by email. Send the password separately, via SMS. This ensures that only you and the supplier can access the data.
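Step 5 above is the one that can be put straight into a script. The following is an added example, not code from the original post: it encrypts a file of attendee data with a freshly generated passphrase before it is emailed, so that the passphrase can travel over a separate channel (such as SMS) from the file itself. It generalises beyond Excel files to any file you hand to a supplier. It assumes the openssl command-line tool is installed; the file names, the sample CSV content and the function names are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a file containing
# personal data with a random passphrase before emailing it; the passphrase
# goes to the supplier over a different channel. Assumes the openssl CLI.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Generate a random 20-character passphrase (base64 of 15 random bytes).
make_passphrase() {
    openssl rand -base64 15
}

# Encrypt file $1 into $1.enc with AES-256-CBC and a PBKDF2-derived key.
# The passphrase ($2) is handed to openssl through the environment rather
# than the command line, so it does not appear in the process list.
encrypt_file() {
    PASS="$2" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$1.enc" -pass env:PASS
}

# Decrypt the .enc file $1 to stdout using passphrase $2 (what the supplier runs).
decrypt_file() {
    PASS="$2" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -pass env:PASS
}

# Round trip on a constructed attendee list; returns 0 when the encrypted file
# hides the plaintext and decrypts back to the original content.
demo_roundtrip() {
    tmpdir=$(mktemp -d)
    printf 'name,email\nJane Doe,jane@example.org\n' > "$tmpdir/attendees.csv"
    pw=$(make_passphrase)
    encrypt_file "$tmpdir/attendees.csv" "$pw"
    # The encrypted file must not contain the plaintext email address.
    if grep -q 'jane@example.org' "$tmpdir/attendees.csv.enc"; then
        rm -rf "$tmpdir"
        return 1
    fi
    out=$(decrypt_file "$tmpdir/attendees.csv.enc" "$pw")
    rm -rf "$tmpdir"
    [ "$out" = "$(printf 'name,email\nJane Doe,jane@example.org')" ]
}
```

In practice you would attach `attendees.csv.enc` to the email and send the output of `make_passphrase` to the supplier by SMS; the `-salt` and PBKDF2 iteration count make the passphrase expensive to guess offline, and `demo_roundtrip` is only there to show the whole flow working end to end.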
Each organisation follows a different security policy. It’s important that you, together with your DPO, create a protocol for processing event-related personal data. This requires an open approach in which all parties agree on the security and privacy.
A data breach occurs when a person or organisation loses control of the destination of (a large amount of) sensitive personal data. In May 2018, a new EU privacy law will be introduced, whereby companies will be held responsible when data is not processed and stored carefully. In that case, the organisation runs the risk of a (high) fine. It's important to realise that organising events involves a risk of data loss. You can minimise these risks by properly managing the personal data processing process. Start preparing in time!
This is the 2nd of 3 blogs on preparing for the new privacy law. Read more in our next blogs:
- Part 1: Start preparing for the new EU data privacy law (GDPR)
- Part 3: How to make a solid data processing agreement?
- Download: the GDPR white paper