Editor's Blog

Why Marriott and Cathay are a lesson for all
Wed 2 Jan, 2019 at 12:00 am

Data security is a major issue within the events industry. Recent breaches have been colossal and the negative aftermath is likely to be of immense proportions, over a long period of time. It is time that we stopped paying lip service and took data security seriously. The General Data Protection Regulation (GDPR) has been formulated and finalised by the European Union and seeks immediate and complete compliance, although most people in the meetings industry in Asia are still learning how to comply effectively. However, India and Asia are severely lagging behind, leaving themselves exposed to devastating possibilities. There is some confusion between the interpretation of data security and that of data privacy. While data security is a technical issue, data privacy is a legal one. The challenge of keeping data safe in Asia is largely a cultural one, and our current stakeholders in the industry were brought up in an era when personal data was not an asset. Today it is.

Many organisations find it easier to comply with data security norms when it concerns their staff data but are at their wit's end when handling client data. Substantial personal data of clients is processed and stored for various events, but the ability to keep it safe and then delete it when no longer immediately required is starkly wanting. Given the sheer amount of data collected at events, compliance with data protection laws remains a challenge.

Most players in the events industry struggle to access the expertise needed to implement technical and procedural infrastructure comprehensively. Most organisations clearly understand the risk, but the implementation is far behind what is required. Getting budget approval from business owners for expenditure on data protection remains a challenge, as it is still not perceived to be an absolute and urgent necessity.

Data protection and compliance for the database of an event should be a continuous process and commence from the beginning of the event-planning cycle. This has now become an essential requirement in any events company and ultimately requires greater time investment from staff members, such as the database manager, to ensure compliance. A big hurdle is to ensure that there is ample evidence to prove that all data collected at major events was provided with the consent of the client and was provided voluntarily.

When data is shared among event management companies, venues and suppliers, a data controller needs to be appointed who is legally responsible. The best way to prevent a breach is to use the data for a certain purpose and time and then delete it.

One test of readiness for data security and data privacy is when a data giver asks a meeting planner for their data statement, including who the data has been given to, when it was given, and for what purpose. Companies should be able to respond to such requests within a couple of hours. Getting help from two or three different security agencies that monitor each other could be one way of securing sensitive data.

Update your data privacy policy as soon as possible and appoint someone in the organisation as a Data Protection Officer to develop a cyber breach response plan. In the meantime, organisations can also look into conducting regular employee security awareness training to inculcate good practices, such as using strong passwords and taking precautionary measures when handling sensitive data.

The recent data breaches at Marriott International, where hackers stole the data of approximately 500 million customers, and Cathay Pacific, where the personal information of 9.4 million passengers was compromised, should set alarm bells ringing in the corridors of the meetings and events industry. This is a continuing menace that can be debilitating for your business if the client feels insecure about sharing their crucial data with you. So investing in data protection and data privacy is actually investing in the sustenance of your business for the future.
