Data protection – are you missing the obvious?

15th August, 2011

An open letter, by Warren Hillier, Director, Commercial, Risk and Measurement at Grass Roots

Recent high-profile data breaches, including the hacking of 100m Sony Games users' data and the Gloucester pre-school fined for posting parent information publicly, have highlighted the risk of inadequate data protection.

Customer data is precious, and employee data too – yet how much rigour are brands applying to its protection? True event experts consider the risk of selecting certain destinations, carry out health & safety and environmental assessments and compile contingency plans, but are they missing the obvious?

Later this year, updated data protection laws will incorporate stricter guidelines on the provision of data through a supply chain. This will cover the severity of the breach, taking into account the impact on the life of the person whose data was not protected. The Data Protection Act covers everything from protection of data in systems, to the passing of data between suppliers, such as an agency to a hotel property. This also includes the simple mistake of leaving details on registration desks.

With the penalty for negligence at half a million pounds, a sum that the Information Commissioner can apply at his discretion to each party involved, can anyone afford not to be responsible?

Some sectors are better than others at prioritising data protection, but work needs to be done by all in the events space. Our specialist Delegate Management Services division located in Fleet has a formal security committee that seeks to bridge the gap that is left where others' negligence is evident – knowing that security of data is only as strong as the weakest link.

Clients should look hard into whether their supplier is independently audited and holds a Privacy Assurance Certificate. RFIs should request disclosure of how the supplier has invested in the protection of data (systems, process, training and so on) and how it manages supply chain data provision in the light of updated legislation. Where delegate payment is undertaken, only agencies with PCI DSS (Payment Card Industry Data Security Standard) compliance should be considered suitable partners, unless you want to be wide open to large fines. I know I don't.