The meetings, incentives, conferences and exhibitions (MICE) sector has been challenged with massive change over the past year: not only has the Covid-19 pandemic forced most meetings and events online for safety, but now the deadline for compliance with the Protection of Personal Information Act (PoPIA) raises questions about data protection within this new virtual environment.
With PoPIA taking effect 1 July 2021, the organisers of virtual meetings and events have to be cognisant of these changes, which will have an impact similar to that experienced by the MICE sector elsewhere in the world when complying with protection of personal information regulations.
Addressing both situations at once can seem like a balancing act, but fortunately PoPIA, like other privacy legislation such as GDPR, is quite clear about the steps to be taken to remain compliant. To strive for compliance, key areas for focus in the MICE sector should include:
Appoint a data protection officer. This team member will serve as the bridge between business, IT and other stakeholders and be made accountable for compliance. Collaboration between business units is the key to success.
Review your technology vendors. As processors of the personal information gathered or stored by a MICE company, technology vendors should be properly certified and compliant, should encrypt all data and hold the necessary ISO certification.
Strengthen your organisation’s cybersecurity posture. A key measure to protect sensitive information is to ensure the systems and data are properly protected from theft, accidental exposure, or hardware and software damage.
Check your policies and procedures. With the deadline for PoPIA compliance upon us, all organisations should already have their policies and procedures in place. However, compliance is not a destination but a journey. To strive for compliance, organisations should maintain a robust information security programme, regularly test vulnerabilities and run ongoing staff training and awareness programmes. To ensure that only authorised staff and stakeholders access personal information, implement a Privileged Access Management (PAM) solution.
Review all documentation. All event registration forms and sponsor/exhibitor booking forms and all the processes for capturing and storing them should be reviewed to ensure they are PoPIA compliant.
Review your third-parties. Third-party suppliers and service providers who have access to event data must similarly be compliant with the act. MICE organisations need to verify that every company they work with currently and in future is PoPIA compliant.
Know your data. Whether a company is staging virtual or real-life events, their mailing lists, contact databases, supplier and sponsor directories and staff files must be properly secured, processed and managed only within the parameters of the act. Going forward, specific permission must be sought to gather personal information and the reasons it is being gathered must be specified. For most MICE companies, contact lists are re-used time and again for various events. Going forward, clear permission will have to be sought to retain contacts’ information and approach them for relevant events in future. Organisers must also make it easy for people to withdraw consent to use their information.
Some rules of thumb include collecting only the data you need. Periodically review the data, deleting anything you don’t need.
Consider how to approach the sales leads issue. A major reason many organisations sponsor events is to secure qualified sales leads. PoPIA compliance could impact this benefit. When registering attendees for an event, organisers will now have to give them the option to grant or deny permission for sponsors to contact them. However, the challenge of delivering value to sponsors could be overcome by changing the event model and ensuring that sponsors have greater opportunities to pitch their products during the event itself, for example.
Secure your virtual platforms. Online events early in the Covid-19 pandemic exposed a number of potential personal information risks, including the ability for outsiders to access private meetings and malicious players to scrape a wealth of personal information about participants. Virtual events should be staged only on reputable platforms, in which events can be locked to the general public and all participants accept that the event is being recorded. Event organisers should also ensure that their video conferencing equipment, software and connections are secure and patched. Protect the administrative accounts with appropriate passwords or a PAM solution.
The measures to be taken may seem onerous at first, but once the right tools, policies and procedures are in place, data protection practices can be instilled into the company culture and become second nature for safe and secure events.
© Technews Publishing (Pty) Ltd | All Rights Reserved