Event professionals are understandably concerned about the attendee experience when it comes to hotel accommodations, meeting room setup, food and beverage, etc. But relatively few are as thoughtful about participants' personal data. As a former corporate event planner, I'm guilty.
At the time, I assumed securing data wasn't my responsibility, or that my information-security team was diligent, even though I played a role in sourcing new event-management systems and mobile apps. A decade later and with experience at an event-app platform, I understand the stakes and can see how event professionals must have a strategic role in their organisations and adapt to the ever-changing digital landscape.
This checklist, designed to gauge planner proficiency, is adapted from one I prepared for the blog at Social Tables (socialtables.com), found at bit.ly/2sMQAtZ.
Questions for your organisation
What is your internal data-classification system? How do you distinguish between public, internal and confidential data?
What types of personal data does your organisation collect, and for what purpose is each type needed?
Who are your stakeholders and data subjects? From whom are you collecting data?
Are your data subjects located in a jurisdiction that requires higher data-privacy commitments than yours? Are your data subjects located in the European Union?
What is your cloud-vendor vetting process?
Questions for tech providers
Who owns my data once it is in your system, and do you claim any rights to use it?
If you claim rights, what do you use the data for? (Some technology providers' terms grant them a legal right to use customer data, including participant data, for their own marketing purposes. This should be avoided. Read the data-use clauses of the contract carefully before signing.)
Where will you physically store my data? Is this something I can control?
Is my data encrypted at rest and in transit? What protects it in each state, and who holds the encryption keys?
How do you restrict access to the data? How do you authenticate users and authorise access (for example, single sign-on, multi-factor authentication, role-based permissions)?
Can you share the results of a recent third-party penetration test, and how the findings were remediated?
Does your organisation obtain SOC 2 reports (originally issued under SSAE 16, now SSAE 18; see ssae-16.com) to evaluate its security and privacy controls? Ask for a Type II report, which covers controls over a period of time rather than at a single point.
For how long do you store data in your systems, and where is it stored? When do you delete it? Will I receive advance notification before you delete my data?
Who in your organisation has access to my event data, and how is access controlled and revoked?
Do temporary staff have access to my data? Does your company conduct employee background checks? What happens to access when someone leaves your organisation?
HOW TO STAY INFORMED
When a new technology is rolling out at your organisation, ask to listen in on any security-review discussions. Ask all your questions, and require clarification as needed to be sure you fully understand the data-security protocols.
Review your organisation's information-security standards with a team member who can clearly translate these technical concepts for you.
Walk through your attendees' touchpoints pre-event, on-site and post-event to determine where their personal information is collected, who holds it, and where it might be exposed.
Make a clear distinction between data security, the controls that keep data from being accessed or altered by anyone not entitled to it, and data privacy, the appropriate collection and use of data.
Annually evaluate and require evidence from your technology providers to ensure standards are being met.
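The touchpoint walk-through and the annual vendor review above can be kept as a structured inventory rather than a memory exercise. The following Python script is an added example, not code from the original article or from Social Tables: it records each attendee touchpoint, the fields it collects, and the vendor holding them, then flags gaps against the checklist questions (data minimisation, vendor marketing rights, encryption at rest and in transit, retention and deletion, storage jurisdiction, SOC 2 assurance). The classification scheme, the vendors, the touchpoints and the thresholds are all constructed for illustration.

```python
"""Attendee data-flow inventory (added example; vendors and fields are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical three-level classification scheme; the rank lets us take the maximum.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2}

# Hypothetical mapping from collected field to classification.
FIELD_CLASS = {
    "company": "public",
    "name": "internal",
    "email": "internal",
    "session_choices": "internal",
    "phone": "confidential",
    "dietary_requirements": "confidential",
    "passport_number": "confidential",
}


@dataclass(frozen=True)
class Vendor:
    name: str
    may_use_for_marketing: bool      # contract grants vendor use of participant data
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    retention_days: Optional[int]    # None: no contractual deletion date
    soc2_type2: bool                 # current SOC 2 Type II report available
    storage_regions: frozenset       # where the vendor physically stores the data


@dataclass(frozen=True)
class Touchpoint:
    phase: str          # "pre-event", "on-site" or "post-event"
    name: str
    fields: frozenset   # fields this touchpoint collects
    needed: frozenset   # fields its stated purpose actually requires
    vendor: Vendor


def highest_class(fields):
    """A record is classified by its most sensitive field ("public" if empty)."""
    top = max((CLASS_RANK[FIELD_CLASS[f]] for f in fields), default=0)
    return next(c for c, r in CLASS_RANK.items() if r == top)


def deletion_due(tp, collected_on):
    """Date by which the vendor must have deleted data collected on that day."""
    if tp.vendor.retention_days is None:
        return None
    return collected_on + timedelta(days=tp.vendor.retention_days)


def review(touchpoints, subject_regions, strict_regions, max_retention_days):
    """Return (phase, touchpoint, finding) tuples for every checklist gap."""
    findings = []
    for tp in touchpoints:
        v, cls = tp.vendor, highest_class(tp.fields)

        def add(msg):
            findings.append((tp.phase, tp.name, msg))

        extra = tp.fields - tp.needed                   # data minimisation
        if extra:
            add(f"collects fields not needed for purpose: {sorted(extra)}")
        if v.may_use_for_marketing and cls != "public":
            add(f"{v.name} may use {cls} data for its own marketing")
        if not v.encrypted_in_transit:
            add(f"{v.name} does not encrypt data in transit")
        if cls == "confidential" and not v.encrypted_at_rest:
            add(f"{v.name} stores confidential data unencrypted at rest")
        if v.retention_days is None:
            add(f"{v.name} has no contractual deletion date")
        elif v.retention_days > max_retention_days:
            add(f"{v.name} retains data {v.retention_days} days; limit is {max_retention_days}")
        # Subjects in a strict jurisdiction (e.g. the EU) whose data is stored elsewhere
        for region in subject_regions & strict_regions:
            outside = v.storage_regions - {region}
            if outside:
                add(f"{region} subject data stored in {sorted(outside)}: confirm transfer basis")
        if cls == "confidential" and not v.soc2_type2:
            add(f"{v.name} holds confidential data without a SOC 2 Type II report")
    return findings


# Constructed vendors and touchpoints for a hypothetical conference with EU attendees.
REG = Vendor("RegCo", False, True, True, 90, True, frozenset({"EU"}))
APP = Vendor("EventApp", True, True, False, None, False, frozenset({"US"}))
SURVEY = Vendor("SurveyTool", False, False, True, 400, True, frozenset({"EU", "US"}))

TOUCHPOINTS = [
    Touchpoint("pre-event", "registration form",
               frozenset({"name", "email", "company", "dietary_requirements", "passport_number"}),
               frozenset({"name", "email", "company", "dietary_requirements"}), REG),
    Touchpoint("on-site", "mobile app login",
               frozenset({"name", "email", "session_choices", "phone"}),
               frozenset({"name", "email", "session_choices", "phone"}), APP),
    Touchpoint("post-event", "feedback survey",
               frozenset({"email", "session_choices"}),
               frozenset({"email", "session_choices"}), SURVEY),
]

if __name__ == "__main__":
    for phase, name, msg in review(TOUCHPOINTS, {"EU"}, {"EU"}, 180):
        print(f"[{phase}] {name}: {msg}")
    print("registration data collected 2024-01-01 must be gone by",
          deletion_due(TOUCHPOINTS[0], date(2024, 1, 1)))
```

Run it once a year alongside the vendor evidence request: every finding maps back to one of the provider questions above, and a vendor whose answers have not changed should produce the same list as last year.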
+ It's your responsibility to protect attendees from cyberattacks and identity theft.
+ With the help of your organisation's information-security team, familiarise yourself with measures to mitigate risk.
+ Thoroughly vet technology vendors to ensure that their handling of data conforms to your standards.