It's your responsibility to protect attendees from cyber attacks and identity theft.
• With the help of your organization's information-security team, familiarize yourself with measures to mitigate risk.
• Thoroughly vet technology vendors to ensure that their handling of data conforms to your standards.
Event professionals are understandably concerned about the attendee experience when it comes to hotel accommodations, meeting room setup, food and beverage, etc. But relatively few are as thoughtful about participants' personal data. As a former corporate event planner, I'm guilty.
At the time, I assumed securing data wasn't my responsibility, or that my information-security team was diligent, even though I played a role in sourcing new event-management systems and mobile apps. A decade later, with experience at an event-app platform, I understand the stakes and can see that event professionals must take a strategic role in their organizations and adapt to the ever-changing digital landscape.
This checklist, designed to gauge planner proficiency, is adapted from one I prepared for the blog at Social Tables, found here.
QUESTIONS FOR YOUR ORGANIZATION
• What is your internal data-classification system? How do you distinguish between public, internal and confidential data?
• What type of personal data does your organization collect?
• Who are your stakeholders and data subjects? From whom are you collecting data?
• Are your data subjects located in a jurisdiction that requires higher data-privacy commitments than yours? Are your data subjects located in the European Union?
• What is your cloud-vendor vetting process?
QUESTIONS FOR TECH PROVIDERS
• Do you own my data? If so, what do you use it for? (Some technology providers have a legal right to use it, including participant data, for their own marketing purposes. This should be avoided. Be sure to read the fine print on this issue before signing a contract.)
• Where will you physically store my data? Is this something I can control?
• Is my data encrypted? How is it protected at rest and in transit?
• How do you restrict access to the data? What is the authentication and authorization concept and process?
• Can you share results from a third-party penetration test? Does your organization perform SSAE 16 SOC 2 reporting to evaluate security and privacy standards?
• For how long do you store data in your systems, and where is it stored? When do you delete it? Will I receive advance notification before you delete my data?
• Who in your organization has access to my event data, and how is access controlled and revoked? Do temporary staff have access to my data? Does your company conduct employee background checks? What happens when someone leaves your organization?
HOW TO STAY INFORMED
• When a new technology is rolling out at your organization, ask to listen in on any security-review discussions. Ask all your questions, and require clarification as needed to be sure you fully understand the data-security protocols.
• Review your organization's information-security standards with a team member who can clearly translate these technical concepts for you.
• Walk through your attendees' touchpoints pre-event, on-site and post-event to determine where their personal information might be exposed.
• Make a clear distinction between data security, which encompasses processes in place to ensure data is kept confidential, and data privacy, defined as the appropriate use of data.
• Evaluate your technology providers annually and require evidence that the agreed standards are being met.