The majority of event marketers will tell you that keeping attendees physically safe is at the top of their priority list, but when it comes to protecting attendees’ personal data, the industry has some work to do. There’s an inherent risk in collecting personal information from consumers, and while data security is on most event organizers’ radar, it’s not often a top concern. Not to mention the fact that the European Union is leagues ahead of the U.S. on federal data security regulations.
It’s a complex landscape that continues to shift—and event marketers should be advancing right along with it. To make the subject easier to digest, we asked Scott Sheppard, president and CTO at technology partner MoZeus, and Ahmad al-As’ad, SVP of marketing technology at The Marketing Arm, to break it all down.
1. Understand the Definition of Personal Data.
The definition of personal data has expanded considerably in recent years, so understanding its parameters and staying up to date is critical.
“Personal data is commonly confused with personally identifiable information (PII),” says al-As’ad. “So, if personal data is the category, PII is a subset; it’s one type of that category. There’s also protected health information, which usually falls under HIPAA, which is also a subset of the personal data category. And there are others.”
2. Push Regulations Down the Chain of Command.
Having data security policies and procedures in place is a great start, but if those measures aren’t employed by everyone who touches your event, they won’t be effective.
“There are too many players that are part of the conversation, from the brand to the agency to the technology company,” says Sheppard. “We run into so many brands that have some sort of data governance or information security management system, but those properties aren’t enforced by the agency, so the agencies aren’t forcing that onto the technology providers… It’s like a circle where no one in the circle is talking to each other.”
3. Know the Difference Between the U.S. and EU Regulations.
In May, the General Data Protection Regulation (GDPR) will go into effect in the European Union, effectively unifying the differing privacy rules of the EU member states into a single set of (very stringent) rules on storing and accessing data on EU citizens. Meanwhile, the U.S. has no federal regulations in place; rather, each state maintains its own data security legislation. That doesn’t mean, however, that U.S. brands are off the hook when it comes to European data security measures—American companies that invite EU citizens to their events must adhere to the GDPR with regard to those individuals. The same goes for attendees who hold dual U.S. and EU citizenship. In other words, under GDPR, “the consumer has the power,” says Sheppard. “The EU is substantially ahead of us when it comes to granting rights of citizens.”
al-As’ad adds, “The majority of the country is run by small businesses and they do a lot of promotional exercises that fall under event marketing. And they’re not aware of these [differences]. Those are the ones that could get hit the hardest. There’s a very severe penalty calculated as four percent of your yearly revenue, or 20 million euros—whichever is higher.”
4. Familiarize Yourself With Technology Standards.
Familiarizing yourself with how various tech regulations apply to data security is critical to developing an effective strategy. For instance, getting acquainted with information security management systems (ISMS), a set of policies and procedures for systematically managing sensitive data, is fundamental.
“ISMS is a standard that says what [security] topics are covered,” says Sheppard. “Then you’ve got certain standards inside of those ISM systems, and based on what industry you’re in, you can look at which one gives you the most credibility and makes sure you’re in compliance based on the types of data you collect and the industry you’re in.
“Then you’ve got other standards, like SOC 2, which kind of says ‘We understand that financial data is important, but is that really a risk if you’re not collecting financial information?’ It kind of takes the requirements down a notch so that you can focus in more on the technology side.”
5. Treat All Data Equally.
In this day and age, there’s no such thing as insignificant data. Every piece of information you collect on attendees can be stolen and misused. Say you collect consumer emails from a photo activation. You now have a list of personal email addresses. Such a list gives attackers both data and a starting point—all they need to do next is guess or reuse passwords for those accounts using tools readily available on the black market.
“BlueCross BlueShield had a data breach and their entire corporate philosophy has changed,” Sheppard says. “There is no such thing as unimportant data because the landscape in terms of consumer opinion nowadays is one and done. It’s so much effort to change your reputation once something bad has happened. Not paying attention to it up front and only focusing on the experience is naïve.”
6. Don’t Rely on Encryption Alone.
A number of vendors in the event industry have come to equate data security with data encryption, which transforms data into what appears to be random, unreadable content. But the fact is, encryption is just one piece of the puzzle, and an organization’s policies and procedures for how data is collected, handled and shared can be just as important.
Say your technology partner is collecting data for an experiential agency on a computer dashboard that displays consumer data. What are the policies surrounding how that data can be used or shared?
“Can I just export an Excel file and send that to you over email?” says Sheppard. “Do I need to encrypt it first? How do I even encrypt it? Is it OK to tell the brand you can’t have the data unless the consumer has signed a waiver saying they’re willing to share certain things? So, the encryption part is super important, but you have to make sure you’re obtaining data the right way.”
7. Motivate Your Colleagues.
While some industries, like banking and finance, have had reliable data security measures in place for years, event marketers are lagging behind. Indeed, all it takes is one data breach for the entire experiential industry to suffer the consequences.
“The last thing that we want is for Coca-Cola to say that we’re only going to use one vendor or not do anything on the experiential side for the next two years because there was a data breach and now they’re reevaluating their processes and taking all of the technology internal,” says Sheppard. “So ‘one and done’ affects the whole industry.”
Data security might not be the most “fun” piece of the process for experiential marketers, but it’s something everyone in the industry should understand and revisit—repeatedly.
“It’s a never-ending process,” says Sheppard. “It’s not like once you’ve got a [data] security policy in place you can wash your hands of it and everything is good. There are always new employees. There are always new standards.”