8 Bad Data Security Habits Event Planners Should Quit

As an event planner, you may easily think that the whole issue of data security is something that needs to be dealt with by your IT and operations teams. But the reality is that there are many day-to-day things you may be doing that could easily put your organisation at serious risk of a data breach. And with GDPR now in place, it is more important than ever to understand exactly what you should and shouldn’t do when it comes to securing the personal information of people coming to your meetings and events.

Top 8 Data Security Red Flags for Meetings and Events

Most event planners will follow their own organisations’ data security policies when it comes to storing and sharing the data they collect from events – from communication procedures and firewalls to encryption and anti-virus software. However, whilst your IT department will focus on potential external threats like malware and ransomware, there is danger lurking from within.

According to InformationWeek, over 40% of global data loss is the direct result of internal threats which come from staff mishandling data – whether intentional or not.  In fact, research findings unveiled in a new eBook by Eventsforce highlighting the growing importance of data security in the events industry exposed a number of key vulnerability areas – including emails, passwords, event teams and printed delegate lists.

Have a look at the top things event planners should devote greater attention to prevent their attendees’ personal information from getting into the wrong hands:

Red Flag #1: Email Habits

Email communications is a top area of vulnerability. Many event planners have to use email to get the job done but this brings about a whole set of security issues that they need to address – especially when it involves people’s personal information.  What kind of information does the email have?  Who has access to this email?  What would happen if this information ended up in the wrong place?

Our advice would always be think about what you are sharing on email. If you don’t need to include personal information, then don’t do it (think about what you include in attached spreadsheets too!). Consider using your event management platform directly instead when sharing data with stakeholders.

Read: Top Subject Lines for Your Event Email Campaigns

Red Flag #2: System Passwords

Keeping the same password for your email, event management software and all the other systems you use around your events is a problem. Not using strong passwords (at least 15 characters) is also a problem as it means you are more likely to be hacked.

The Eventsforce study found that over 80% of event planners change their event management system passwords less than once a year.  Another one in three share their passwords with other people. This not only makes you vulnerable to a data breach – it also makes it difficult to accurately identify who has access to your systems at any given point in time.

Red Flag #3: Personal Vs. Sensitive Attendee Data

All types of personal information are valuable – but some are more valuable than others (especially when it comes to cyber criminals!).  Personal information can include things like names, addresses and phone numbers.   However, sensitive data is any information relating to your attendee’s racial origin, political opinion, religious beliefs (think about dietary requirements!), sexual orientation or mental and physical well-being.

The loss of this type of data could result in more significant risks to a person’s rights and freedoms (ex. unlawful discrimination).  Under GDPR, you’ll need to be extra careful when dealing with sensitive data – as you can be subject to higher fines and penalties from breaches that involve the loss of such data.

Red Flag #4: Event Teams

Your event team are both your strongest asset and also your greatest weakness when it comes to data security and the likelihood of a breach. They deal with a large volume of personal information around your attendees which needs to be collated, processed, stored and shared – so they need to understand what they can and cannot do when it comes to protecting your attendee data.

Some examples of what could go wrong include; leaving delegate lists on display whilst you are called away. Leaving delegate badges unattended on the registration desk or not reporting a stolen or misplaced tablet quick enough. Also – don’t forget about the issue of team members sharing information with suppliers without the proper safety checks.

Red Flag #5: Device Theft

Laptops and devices such as tablets and Smartphones play a vital role in event planning. They also carry a lot of sensitive information around your events; including access to registration systems, spreadsheets, attendee lists etc.  Sure, passwords help to protect these digital devices  from security breaches, but they are not a failsafe way to guard your confidential information against getting into the wrong hands. Any theft or loss of a device that contains sensitive data would need to be reported internally as a potential data breach.

Your organisation may have its own policies with regards to encrypting the information on these devices in order to prevent the exposure of data if that item is stolen or misplaced.  If you don’t know them, ask.

Read: How to Minimise the Risk of Device Theft at Events

Red Flag #6: Event Venues

Venue site visits are an essential part of your job. Making sure the venue is perfect also does a lot for your attendees’ event experience. But are you placing enough attention on data security?  Have you checked if you have any secure places to lock laptops or documents in?  Have you checked the security of the preparation and organisers’ rooms? Be prepared by asking your venue provider these essential questions.

Also, if there is more than one organisation hosting an event at the venue, what impact does that have on you? For example, organisations that work in the same sector would be unlikely to want to be in the venue at the same time together. If they compete with each other, then the risk of being snooped on is more. Some organisations (regardless of whether they compete or not) may want to be anonymous and not have their presence displayed in the first place.

Red Flag #7: Wi-Fi Connectivity

One of the first things that attendees look for at events is the ease and ability to access a Wi-Fi network. If they cannot gain access or if the speed is too slow then they are likely to complain to you. Unfortunately, many attendees do not ask about the network security. However, under GDPR. you would be well advised to understand how secure the network is before inviting attendees to use it.

It is too simplistic to just direct attendees (and staff) to a Wi-Fi network and not point out any risks. If the network is open and the attendees are hacked then you will have a big issue if you didn’t warn them. There are also security risks when your event team uses the Internet in a public place. Some Wi-Fi providers operate in an ‘open’ mode, which means there is a risk of anyone else connected to the same network to intercept your traffic.

Read: Top Wi-Fi Considerations for Event Planners

Red Flag #8: Event Technology

GDPR regulations require compliance by both data controllers and data processors.  In the case of meetings and events, the company hosting the event (data controller) is also responsible for making sure that tech vendors that process data on their behalf (ex. Registration systems, event management software, mobile apps, surveys, networking tools etc.) are also fulfilling their legal responsibilities – including the safety of your event data.

When it comes to data security, there will need to be a binding contract with clear instructions from you, the event planner, to the technology company. You need to make sure the company has high levels of security in place. If they don’t, you would have to balance that against the probability of a data breach for your event attendees. If there is a breach on their side, what peace of mind can they offer you? Will they be able to help you report the breach to authorities within the 72-hour deadline?  You will need to apply the same checks with all the other third parties that process personal information on behalf of your event – from hotels and venues to transport providers and event management agencies.


If there is one thing that GDPR has achieved is that the ownership and responsibility for data security now rests on everyone. It’s a good thing – especially for events.

The volume of personal information we collect in our industry is staggering. Doing things that minimise the risks of this data getting into the wrong hands will show your attendees that you are on the case and looking after them properly. After all, why would people want to work with organisations who are doing as little as possible to safeguard their personal information?

This article only gives a high-level overview of the key vulnerability areas around meetings and events.  If you would like more information on what steps to take to address each of these risk areas, along with how to brief team members and what do to do in the case of a security breach, then please download ‘The Event Planners Guide to Data Security’ here.

If you would like to get regular articles on all things event tech, along with some expert advice on new trends and getting the most out of your technology investments, then please sign up to our weekly EventTech Talk Newsletter here.