“In 2015, there were 38% more security incidents detected than in 2014,” as reported by PwC in The Global State of Information Security. And that number may continue to grow unless privacy and security become a bigger priority for the events industry.
As event professionals, we are often more concerned about the participant experience (hotel accommodations, meeting room setup, and food and beverage) than we are thoughtful about participant personal data. As a former corporate event planner, I’m guilty. I spent more time anticipating clients’ onsite needs, ensuring the speaker was comfortable with the room set, and securing space with natural light than I considered information security.
It was a naive approach. I guess I assumed it wasn’t my responsibility or that my infosec team was diligent, even though I played a role in sourcing new event management systems or mobile apps. A decade later, now at SpotMe, the trusted event app platform and global app partner for high-stakes events, it’s quite the opposite, and the app is an integral part of the digital event experience.
Event professionals from Intel, PwC, Red Hat, SAP, Novartis, and Roche rely on SpotMe not only to drive ideation, networking, team building, strategy rollouts, and education, but also to provide the highest level of data protection. Security reviews, rigorous questionnaires, and penetration tests are part of everyday enterprise conversations, and in 2016 alone we have completed more than 60 security assessments with our Fortune 500 clients. I see firsthand how event professionals who can speak the language and understand the challenges have a strategic role in their organizations and are prepared for the ever-evolving digital landscape.
Answer the following questions to gauge how proficient you are, and if you can’t answer these questions, keep reading to find out how you can start to make your data systems more secure.
Questions to ask about your organization
- What is your internal data classification? How do you distinguish between public, internal and confidential data?
- What type of personal data does your organization collect?
- Who are your stakeholders and data subjects? Who are you collecting data from?
- Are your data subjects located in a jurisdiction that requires higher data privacy commitments than yours? Are your data subjects located in the European Union?
- What is your organization’s cloud vendor vetting process?
Questions to ask your technology providers
- Do you own my data? If so, what do you use it for? Shockingly, some technology providers have a legal right to use your data (including participant data) for their own marketing purposes. This should be avoided at all costs.
- Where will you physically store my data? Is this something I can control?
- Is data encrypted and how is your data protected at rest and in transit?
- How do you restrict access to the data? What is the authentication and authorization concept?
- Can you share the results from a third party penetration test? Does your organization perform SSAE 16 SOC2 reporting?
- How long do you store my data in your systems, and where is it stored? When do you delete it? Will I get notified before you delete my data?
- Who in your organization has access to our event data, and how is access controlled and revoked? Do temporary staff have access to my data? Does your company conduct employee background checks? What happens when someone leaves your organization?
Did you struggle to answer the questions above? Start by joining the conversation. Here’s how:
- When a new technology is rolling out at your organization, ask to listen in on the security review discussions. Ask all your questions, require clarification, and don’t buy into the “if you can’t convince them, confuse them” tactics.
- Review your organization’s infosec standards with a team member that can “translate” these technical concepts for you.
- Walk through your attendees’ touchpoints pre-event, onsite, and post-event to determine where their personal information is exposed.
- Make a clear distinction between data security, which encompasses the processes in place to ensure data is kept confidential, and data privacy, defined as the appropriate use of data.
- Annually evaluate and require evidence from your technology providers to ensure standards are met.
Today, protection of attendees extends beyond physical threats; it’s our responsibility to protect attendees from cyber attacks and identity theft. Familiarize yourself with the language, hazards, and measures to mitigate risk. Address data privacy and data security as distinct issues, and disclose your data privacy efforts to your participants.
A tasteless meal, a horrid speaker, or a restless night’s sleep can be forgotten, but a security breach can have more lasting consequences for your participants and your organization.