Privacy is a top-of-mind concern for many organizations these days. High-profile data breaches, the new European GDPR law, and the upcoming California Consumer Privacy Act (CCPA) have made it imperative that all organizations protect the data of their customers. Securing and protecting customers’ privacy is not just the job of the IT department – it requires the effort of every employee with access to the organization’s data.
Meeting planning departments are no exception to making privacy a top priority. As we mentioned in Why Would Hackers Attack Your Conference?, there are many reasons why planners can become the target of an attack. Fortunately, security best practices and the new regulations together provide a road map for designing your event to put privacy first.
Know the Responsible Parties
A key to protecting privacy is to know the various roles one can play. Here are the three roles you need to understand:
- Data Subject. This is the person who is the subject of the data in question. For example, the person filling out your online registration form.
- Data Controller. This is the person or organization that decides what information is collected, how it is collected, and for what purposes. For example, if you set up the online registration form and collect the information from it, then you are the data controller. The controller has a series of obligations to the data subject, many of which are discussed in more detail below. At the heart of these obligations are protecting the personal data and being transparent about the purposes for which the data will be used.
- Data Processor. This is a person or organization that processes personal data on behalf of the controller. For example, if you are planning a conference but are using a third-party software company for online registration, that company is a data processor for you. In all likelihood, an event planner will be using many data processors.
An important thing to keep in mind is that you may be both the data controller and data processor. For example, independent meeting planners often find themselves in both roles. They may be managing registrations at the behest of their clients. In this case, the independent is the processor and the client is the controller – the client is telling the independent what data to collect. On the other hand, the independent may be setting up online registration for their own events using third-party event management software. In this case, the independent is the controller and the software company is the processor.
As a controller, you always want to make the responsibilities of your processors contractually clear.
Create a Data Map of Your Organization
Do you know what data your organization collects, how it is used, who has access to it, and where it goes? In the end, you cannot protect data you do not understand.
A great place to start is to download this popular data map template. The next step is to fill it out for a basic data-collecting activity at your event, such as online registration or lead retrieval. Where does the data go after the show, and what happens to it? If you are unable to complete the exercise, you need to contact your IT department to find out how your data is being used.
Secure Your Data
Your organization must follow best practices to secure its data. The Payment Card Industry Data Security Standard (PCI DSS) is a great place to start – it is particularly useful for protecting internal services. Employee training is another critical aspect of data security. Training helps your organization’s staff anticipate everyday threats such as phishing attacks and weak passwords.
Your software vendors need to be fully cognizant of the need for high security. Any products that handle money, such as online registration, need to be PCI compliant. All online forms should be served over SSL/TLS (https in the browser address bar), which means that all data transmitted is encrypted. Note that unencrypted data can be read by anyone able to observe the traffic along the network path. Even simple forms such as surveys should use https.
Do not forget physical security. Your office probably holds a lot of documents that would be useful to a hacker. As discussed below, the conference site itself has also become a target of hackers.
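One way to check the “all forms should be https” rule against an actual page is to parse the HTML and resolve each form’s submission URL. The script below is an added example, not code from the original post or from EventRebels; the page URL and HTML it audits are constructed sample input, and the field names it reports (`secure`, `third_party`, `fields_in_url`) are choices made here. It relies only on the Python standard library, so it runs offline.

```python
"""Audit the forms on an event web page for unencrypted submission targets.

Added example (not EventRebels code). The sample page below is constructed
for the demonstration and does not describe any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action and method attribute of every <form> tag."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":  # HTMLParser already lowercases tag names
            a = dict(attrs)
            self.forms.append({
                "action": a.get("action") or "",          # missing/empty action: submit to the page itself
                "method": (a.get("method") or "get").lower(),  # HTML default method is GET
            })


def audit_forms(page_url, html):
    """Return one finding per form on the page.

    secure        - the resolved submission URL uses https (the page's own
                    scheme decides for relative and empty actions)
    third_party   - the action leaves the page's host, i.e. data flows to a
                    processor that must appear in your privacy notice
    fields_in_url - method GET puts field values into the URL, where they
                    land in browser history and server logs
    """
    parser = _FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for form in parser.forms:
        # urljoin handles "", "/path", "//host/path" and absolute URLs alike
        target = urljoin(page_url, form["action"])
        parts = urlsplit(target)
        findings.append({
            "target": target,
            "method": form["method"],
            "secure": parts.scheme == "https",
            "third_party": parts.hostname != page_host,
            "fields_in_url": form["method"] == "get",
        })
    return findings


def insecure_targets(findings):
    """List the submission URLs that would carry attendee data unencrypted."""
    return [f["target"] for f in findings if not f["secure"]]


# Constructed sample: a registration page with four forms of varying quality.
SAMPLE_PAGE_URL = "https://events.example.com/register"
SAMPLE_HTML = """
<form action="" method="post"><input name="email"></form>
<form action="http://legacy.example.com/survey" method="post"><input name="name"></form>
<form action="//forms.example.net/leads" method="get"><input name="company"></form>
<form action="/contact"><textarea name="message"></textarea></form>
"""

if __name__ == "__main__":
    results = audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for r in results:
        flags = [k for k in ("secure", "third_party", "fields_in_url") if r[k]]
        print(f'{r["method"].upper():5} {r["target"]:45} {", ".join(flags)}')
    print("Unencrypted submissions:", insecure_targets(results))
```

Run it against the saved HTML of your own registration or survey page (with the page’s real URL) and every entry in the unencrypted list is a form whose data crosses the network in the clear; every `third_party` hit is a processor to verify against your consent wording and vendor contracts.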
Be Transparent & Offer Consent
The data subject must consent to the use of their data. Valid consent includes:
- A description of how the data will be used in a clear and unambiguous manner.
- Active opt-in to the data usage. No more pre-ticked checkboxes or “silent consent.”
- Descriptions of how data will be used must include all systems to which the data will be transferred, including third-party suppliers.
- Ability to contact the data controller.
In effect, this means the end of list re-purposing. If someone signs up for your online newsletter, you cannot give that email address to another party without the EXPLICIT permission of that person.
Create a Need to Know Environment
Your staff will typically have access to a wide variety of event data, including registration lists, exhibitor and sponsor information, transaction records and so forth. To best protect your data, you should restrict access on a “need to know” basis. For example, the accountant does not necessarily need access to the registration lists.
Train Your Staff
Similarly, your staff should be trained to understand the importance and principles of data privacy. Many data leaks are due to human error. For example, your staff should know how to identify potentially harmful emails such as phishing attacks.
Typically, there is a great deal of data exchange between event planners and vendors. Best practices should be set up to ensure safe data transfers, such as creating vendor portal pages for data downloads instead of emailing files.
If your event is targeting European citizens, your staff should definitely be trained on the principles of GDPR.
Secure Your Event Onsite
The registration area is usually where you welcome your attendees, but hackers may also find it a good place to start their shenanigans. If you have kiosks, attackers can easily install malware or even replace your form with their own screens to capture personal information and credit cards. The most dangerous threats, however, involve the Wi-Fi networks at your venue and related hotels. Wi-Fi is at a premium for travelers, so free hotspots can be especially tempting. Unfortunately, it is very easy for an attacker to create a hotspot that seems safe, for example by using network names such as “Starbucks” or “Convention Center.” This tactic can deceive even technically oriented people.
Even promotional giveaways can be a problem. For example, there have been numerous cases where hackers left thumb drives with a supposed company logo at various locations at a conference. Thinking that these were free promotional items, people with security clearance took these to their offices and—wham-o!—the hackers were inside secret military facilities. The U.S. Department of Defense has banned thumb drives as a result of these Trojan horse breaches.
In light of this, a complete security audit of your onsite registration technology is in order.
Ready to secure your event? We can help. EventRebels offers an end-to-end suite of event management software tools for conference, tradeshow and event organizers including a GDPR and Privacy Toolkit.