How Events Can Prepare for a Data Breach

Last week, the UK Conservative Party conference app suffered a huge and embarrassing security breach which temporarily exposed the phone numbers and personal details of some of the country’s top politicians who were attending the event.  And though it isn’t yet clear as to who was ultimately responsible for the technical blunder (party officials, the event organisers or the app provider) – it is an important reminder to anyone working in events that incidents like this can happen anytime and it helps to be prepared.

Are you looking after your attendee data? Learn more about the top data security vulnerability areas around meetings and events and what you should do if your event data gets lost or compromised.  Download your eBOOK now: The Event Planner’s Guide to Data Security

The Growing Importance of Data Security in Events

Since GDPR came into place, the whole issue of data security has become a much bigger deal across the events industry.  In fact, a recent survey by Eventsforce assessing the GDPR readiness of more than 120 event professionals found that 81% found data security to be a much bigger priority for their events as a result of GDPR.

Which isn’t surprising – given the consequences.

As an event planner, there are four important things you need to know about GDPR and data security:

  • GDPR makes ‘Privacy by Design’ a legal requirement, which means privacy concerns should be a consideration from the offset of all event planning activities – and not just an afterthought.
  • Keeping your attendee data safe and having the necessary data protection safeguards must also become part of all the technology systems and event management processes you have in place.
  • GDPR requires you to take responsibility on how your third-party data processors (hotels, venues, agencies and event tech suppliers) are also looking after your data. Not doing so can result in heavy fines and lost business.
  • GDPR makes it compulsory to notify affected individuals and data protection authorities within 72 hours of discovering a security breach – it is therefore important to understand exactly what you need to do if your event data is compromised.

Failing to comply to any of the above can result in crippling fines under GDPR – especially in the event of a data breach.  So even though data security may ultimately be the responsibility of your IT and legal departments, there are many things that event teams do that can easily increase the risks of breach – so it makes sense for events teams to have a good understanding of what constitutes a data breach (ex. Losing an iPad with registration lists), as well as what they need to do if one happens.

Read: 8 Bad Data Security Habits Event Planners Should Quit

 What Event Planners Need to Know About Reporting a Data Breach

GDPR requires all organisations to report data breaches to the data protection authorities, if it is likely to result in a risk to the rights and freedom of individuals – including financial loss, discrimination, damage to reputation, loss of confidentiality or any other economic or social disadvantage.  If the breach is likely to result in a high risk of any of these things happening, then you’ll also have to notify those individuals directly too.

Read: How to handle a Big Crisis at Your Event

So – what should you do if your event suffers a data breach?  The checklist below highlights the key steps you should be prepared for, based on advice published by the UK’s Information Commissioner’s Office (ICO):

1. Identify What Data Has Been Compromised

The first thing you need to do is figure out exactly what kind of data has been compromised. Is it sensitive attendee data? Who does it relate to? How many people does it affect? Was it across one of your events or all? What harm might the individuals suffer? These are all questions that need to be answered to satisfy both your own organisation and the investigative body.

2. Decide Who Needs to Be Notified

Make sure you have reported the breach internally within the relevant people across your organisation and decide who else needs to be notified. Does the ICO or another regulatory body require notification? What about the police, customers, insurers, banks or other professional bodies? Consider how serious the breach is. Only you as the event team will know precisely what event data was compromised.

In the case of event management agencies or PCOs who are responsible for processing personal event data on behalf of a client, they will need to let their clients know what has happened as soon as possible. Advise other relevant third-party suppliers too. Equally, you may need to inform the individuals affected, depending on the severity of the breach.

3. Do Not Panic!

Whether it’s the fault of the event team or not – it doesn’t help if you lose focus.  Once the breach has been identified, pass on the details. Get your IT and legal departments involved as soon as possible. Do not delay. The chances are that they will know exactly what to do and can do a lot of the ‘heavy lifting’ in dealing with the breach reporting.

4. Learn from the Breach

Understand what actually caused the data breach.  In the case of the Conservative Party conference, it was a glitch in the app.  So make sure you understand what kind of checks you need to do with your event tech providers when it comes to protecting the personal information of people coming to your events.  A breach can also happen from simple negligence – like leaving confidential attendee information out on display in the organiser’s event office. Always assess what you can you do next time to stop it from happening again.

What Information Will You Need to Provide to Data Protection Authorities?

When reporting a breach, you should give as much detail as possible and be as accurate as you can. The authority will use the information you provide to decide what should happen next. They may use it to take regulatory action, or to identify data security incident trends. Where appropriate, they may share it with law and cybercrime agencies or other regulators.

Data protection authorities like the ICO will ask you questions about:

  • what has happened;
  • when and how you found out about the breach;
  • the people that have been or may be affected by the breach;
  • what you are doing as a result of the breach; and
  • who they should contact if they need more information and who else you have told.

The ICO personal data breach helpline staff can offer you advice about what to do when you have experienced a personal data breach, including how to contain it and how to stop it happening again. They can also offer advice about whether you need to tell the data subjects involved.

Conclusion 

If there is one thing that GDPR has achieved, it is that the ownership and responsibility for data protection now rests with everyone.

Data security can no longer just be passed over to your IT or legal department. Whilst they have a role to play, so too does everyone else when it comes to protecting personal information. That includes event planners, the freelancers and other third parties that all play a part in the creation and delivery of excellent events.

This will require a shift in thinking. Some of the ways in which event planners operated in the past will need to be changed.  Those who embrace this shift in thinking will be the ones who will benefit in the long run.  By making data security a priority around their events, they will be able to show attendees that their organisation can be trusted with their most valuable asset – their personal information. And this will be key in deciding which events people choose to deal with in the future.

If you would like to get regular articles on all things event tech, along with some expert advice on new trends and getting the most out of your technology investments, then join the EventTech Talk community by signing up here!