The Facebook data scandal that’s unravelled this week is an important reminder to everyone in the events industry as to why GDPR is happening. The incident has shaken up people’s trust in the way organisations manage their personal information and highlighted the need for more tighter regulations around data protection.
Event planners should use this opportunity to learn from the mistakes made by both Facebook and Cambridge Analytica and think very carefully about how they’re going to look after the personal information of attendees in a post-GDPR world.
Download eBook: The Event Planner’s Guide to GDPR Compliance
Why is Facebook in Trouble?
In 2014, Facebook invited users to find out their personality type via a quiz developed by a Cambridge University researcher. About 270,000 users’ data was collected, but the app also collected some public data from users’ friends. Facebook has since changed the amount of data developers can gather in this way, but a whistle-blower says the data of about 50 million people was harvested for political consultancy firm, Cambridge Analytica. He claims the firm used the data to psychologically profile people and influence voters on behalf of clients – including Donald Trump’s presidential campaign. Facebook says users’ data was obtained legitimately but Cambridge Analytica failed to delete it when told to do so. Meanwhile, Cambridge Analytica denies any wrongdoing – saying it did delete the data when told to by Facebook.
The repercussions of this incident so far? Facebook has lost around $50 billion in its market value over two days and we’re now seeing the #DeleteFacebook campaign which is rapidly sweeping across the Internet, as people leave the site in protest again its use of data harvesting and manipulation. Advertisers are also now telling Facebook ‘enough is enough’ with news on the BBC emerging that the ISBA, a trade body which represents major UK advertisers, will meet Facebook this week saying if the company fails to provide assurances about the security of users’ data, advertisers may spend money elsewhere.
How is it Related to GDPR?
According to Reuters, privacy experts have said the data breach is a prime example of the kind of practices that GDPR is supposed to prevent or punish: “Had the Cambridge Analytica incident happened after GDPR becomes law on May 25, it would cost Facebook 4% of their global revenue,” said Austrian privacy campaigner and Facebook critic Max Schrems. Because a UK company was involved and because at least some of the people whose data was misused were almost certainly European, GDPR would have applied.
The maximum GDPR fine would come into play in an incident like this because of the number of users affected and what appears to have been inadequate monitoring of third-party data practices: “The fact of the matter is that Facebook lost control of the data and wasn’t adequately monitoring what third-parties were doing,” said Scott Vernick, partner and expert in privacy and data security at law firm, Fox Rothschild.
The article goes further to say that the firestorm has prompted a furious response from lawmakers on both sides of the Atlantic, raising the prospect of expanding GDPR’s approach to privacy protection regulations to other countries. Again, a warning for organisations of what may lay ahead once the new legislation comes into force.
Facebook founder, Mark Zuckerberg, has admitted that the social network ‘made mistakes’, apologising for the incident and admitting that a huge ‘breach of trust’ has occurred – but needless to say, damage is done. People have lost confidence in Facebook and the way it manages their personal information. And this is key when you look at why GDPR is happening in the first place.
GDPR is all about the protecting the rights of individuals over organisations. And it’s happening because current legislations no longer meet the privacy needs of the connected world we live in today. We’re giving away our personal information freely to organisations without much thought into how they’re using it and how they’re keeping it safe from both theft and manipulation. And this is exactly what GDPR wants to address: that organisations dealing with personal data (the events industry is no exception here) are doing so in a transparent and secure way – and always in the individuals best interests.
Ironically, Zuckerberg’s response to the incident reiterates the same thing: “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.”
The Importance of Data Security in Events
GDPR will certainly change attitudes to individual rights when it comes to data protection – especially in events. It will also change the mindset of event planners when it comes to deciding what data they should collect from attendees, how they use that data for things like marketing campaigns and personalisation, and what they need to do to keep that data safe.
Did you know that a data breach is essentially what can get your events into a lot of trouble under GDPR? Find out what you should do to prevent your attendee data from getting lost, stolen or compromised by getting your copy of ‘The Event Planner’s Guide to Data Security in a Post-GDPR World‘.
In fact, the issue of data security in a post-GDPR world is hugely important for the events industry. A survey by Eventsforce last month assessing the GDPR readiness of more than 120 event professionals found that 81% believe data security will be a bigger priority for their events after the May 2018 deadline. And yet surprisingly, only 30% have taken steps to update their data security practices or prepare for a data breach (both of which are key to compliance requirements).
Data security is also an important issue when assessing the GDPR readiness of technology providers that process personal data on behalf of events (ex. registration systems, mobile apps, surveys, networking tools). The survey, however, found that only 41% of event planners were confident that their systems met the new requirements.
As an event professional, you may think that the whole issue of data security is something that needs to be dealt with by your IT, legal and operations teams – but the reality is that there are many things event planners do today that can put their organisations at a serious risk of a data breach and non-compliance to the new GDPR requirements:
- Emailing unsecure spreadsheets that contain personal attendee data
- Not paying attention to the data freelancers and temp staff have access to
- Leaving printed registration lists unattended on-site
- Not reporting theft or loss of laptops and devices that contain personal information
- Not changing system passwords often enough/sharing passwords with others
It is therefore more important than ever for event planners to understand what they should and shouldn’t do when it comes to collecting, processing and securing the personal information of attendees under GDPR.
What Should Event Planners Do?
Most event planners will follow their organisation’s own set of data security and protection policies when it comes to storing and sharing event data – from communication procedures to firewalls, encryption and anti-virus software. However, it is important to take some additional steps that will help your events meet GDPR requirements and minimise the chances of data getting into the wrong hands:
1) Keep Your Data Safe
GDPR makes ‘Privacy by Design’ a legal requirement, which put simply means that privacy concerns should be a consideration from the offset in any event planning campaign – and not simply an afterthought. Data protection and processing safeguards must become part of the DNA of all the systems and processes you have in place. This will be a major shift in thinking for event planners and something they need to think about now, not later.
You need to think about risk factors and see how you can minimise them. For example, find out who has access to your event data, whether they need to have that access and what happens to that access when the event is over? You should also assess the kind of personal information you’re collecting in registration forms, apps and surveys around your events. Do you need to ask your attendees all the demographic information you currently do? If you’re never going to use their phone numbers, then don’t ask the question. If you only need to verify they’re over 18, don’t ask for birth dates or passport details. Don’t forget, the more personal data you hold, the higher your chances of risk.
2) Assess Security Practices of Suppliers
Just like Facebook should have taken more adequate measures in monitoring what third-parties were doing with users’ personal data – event planners should look into how their event data is being managed by all the third-party suppliers they deal with around their events (tech vendors, staffing agencies, hotels, venues, event management agencies etc). Why? Because if in the course of an investigation, the authorities find that these parties have not been compliant, then the host organisation may also be liable too (even if they themselves were compliant).
Find out how suppliers like your registration software vendor are managing the data they’re processing on your behalf. How are they using the personal information of people coming to your events, who has access to this data and where are they based? How important is data security for them and do they follow best practices? How long do they keep your data for and what procedures do they have in place to delete this data when you ask them to? What about their own suppliers and contractors who also have access to their data? You need to ensure they can clearly explain what contractual and legal safeguards they have in place to look after your data at all times. Having the answers to these questions will protect you from any unpleasant surprises in the future.
3) Prepare for a Data Breach
Failing to report a data breach within 72 hours can result in crippling fines under GDPR – so ensuring that everyone on your events team has a good understanding of what constitutes a data breach (ex. Loss of iPad containing registration lists) and how to follow best practices is key to compliance. You also need to think about what processes you need to put in place once a breach has been identified, including how to report it within the three-day timeframe.
GDPR clearly presents some new challenges for event planners, but it also brings some big opportunities too. By focusing on the rights of individuals over organisations, the new regulation will help events become a lot more responsible in the way they manage the personal information of people coming to their events. Those that can show they’re dealing with personal information in a transparent and secure way and have respect for the privacy of individuals will succeed in building new levels of trust. And given what we’ve seen this week, this will be key in deciding which organisations people choose to deal with in the future.
Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help with data security and support the event planner’s journey to GDPR readiness. Get in touch by contacting one of our team members at firstname.lastname@example.org.