When you organise events and ask your visitors to register, you are officially processing personal data. From that moment, you have legal responsibilities regarding digital security and privacy. What should you as an event organiser keep in mind? And how do you help the IT department monitor this event data? Here’s a list of tips that will help you find out!
What is a data breach?
As an event manager, you continuously collect, process and use personal data. Think about it: How many registration lists are on your computer? How well is this data protected? Do you share these lists with suppliers, agencies, registration or software partners?
When a third party gains unlawful access to this data, this is referred to as a data breach. Examples include a lost USB stick, a hacker or a malware attack. Most data breaches are caused by human error. Therefore, always make sure your security policies are aligned with those of all other parties involved.
As of 2018, a European regulation concerning Privacy and Data will apply. This policy holds the manager or director of an organisation responsible when a data breach occurs. In other words: if something happens to the data, it is not only unpleasant for your customers, but your organisation is also likely to be fined.
"Without awareness, you cannot comply with privacy laws. Therefore, always make sure you know why you are processing certain personal data." - Legal advisory office ICTRecht
Storing personal data: inside or outside the EU?
It is important to know where personal data is stored: inside or outside the European Union? The EU has strict privacy laws that ensure the security of your data. The US, on the other hand, applies laws that are less strict, enabling the American government to easily access your data. This is not always desirable, so check if a company is located in the United States and find out about their policy.
Data breach = reputational damage
Since January 2016, companies in the EU have a reporting duty in case of a data breach. This means that all organisations (both companies and governments) must report directly to the Data Protection Authority when a (serious) data loss occurs. In some cases, you also have to inform the parties involved about the leak. This can cause serious damage to your organisation or your client!
Limit the amount of personal data
You will always need some information about your attendees: first name, last name and email address are standard questions in the registration form. Try to limit the amount of data to a minimum. Avoid collecting passport, credit card and medical data - these are very sensitive and require increased digital security. Always protect personal data; the following tips will help:
5 Tips to protect personal data
1. Protect personal data with a (unique) password
When you save the personal data in Excel, protect the document with a password, especially when you email it to a supplier. In this case, send the password separately, by SMS. This ensures that only you and the supplier can access the data.
2. Work with secure event software
When working with event software or external registration partners, ask them about their IT policy (certification and guidelines). Is the personal data encrypted before it is transferred from website to server? Where is the data stored, and how? Dive into the policies of your partners so you know if you can entrust them with your data.
3. Free does not mean ‘for nothing’
Free software is never completely free. Commercial products that do not require money for their services often have a different business model. It is possible that these companies sell your data to third parties. Personal data is worth a lot of money! Consider whether you want to share your business database with a free service.
4. Never store passwords in your browser
When using software that stores your event data (and thus personal data), do not save the login information in the browser. Imagine: when someone gets access to your computer, this person also has access to your most valuable data with one click. Yes, it may be annoying to enter (and remember) your password, but the password is there for a reason!
TIP: use a tool to keep your passwords safe.
5. Close a processor agreement with your supplier(s)
As of 25 May 2018, the General Data Protection Regulation (GDPR) will apply in the EU. From that moment on, you are obliged to have a data processing agreement with any personal data processor (such as an external web developer or marketing agency) that will be processing the personal data that your organisation has collected. The regulation defines how certain data should be processed and what the consequences are in case of incidents.
Because of new and stricter guidelines, it becomes increasingly important that you carefully process and protect personal data. As an event organiser, you carry an important responsibility. There’s no harm in getting more in-depth knowledge about your suppliers and partners. When your data is protected professionally, it will keep you from worrying!