Event organisers have to prevent it being misused

We live in a busy world and the transient nature of our industry can mean that we are quick to move on to our next event. But before moving on, it’s worth making sure that your policies and procedures include tying up some loose ends.
It can be tempting to keep registration data indefinitely, because you never know when you may need it, but the more data you have stored, the more likely you are to be hacked – especially if it is spread over multiple servers.
If you keep data longer than you need it, you will also be in breach of Data Protection Laws, so make sure you have a data deletion policy and make sure you stick to it.
When you do delete data, ensure it is done properly. Last month Blancco Technology Group purchased 200 second-hand hard disk drives from websites (including eBay) and found that over two thirds (67%) contained identifiable personal information and 11% contained sensitive company information, including social security numbers, CVs, company emails, CRM records, spreadsheets containing sales projections and product inventories.
Almost two in five of the drives (36%) did show evidence of an attempt to delete data, either by dragging files to the Recycle Bin or using the delete button – but data deleted this way can easily be recovered, so the information was still available to anyone with just a smidgen of technical knowledge. Out of the 200 hard drives only 10% had been correctly handled, having been treated with a secure data erasure method.
To avoid this scenario, use a professional data processing company and ask them to confirm in writing that your data has either been deleted or ‘put beyond use’.
‘Deletion’ must mean that the data genuinely no longer exists. It should not have been dragged to the trash, remain visible behind a URL, or reside on cloud storage as part of the organiser’s archive. The concept of data being ‘put beyond use’ covers situations where, for example, data on physical media has been deleted and overwritten with new data, or paper files are in a secure warehouse awaiting shredding.
‘Put beyond use’ means no one outside the data controller has access to the data, and no one, including the data controller, is actually processing it. If a data processor failed to delete your data as promised, possession of written evidence that you believed in good faith that your data had been deleted or ‘put beyond use’ would afford you some protection.
Back-ups are another issue to think about. Most companies back up their data – so even if data has been deleted, it may still be available via the company’s back-up system. Data theft from back-ups is always the result of preventable human error.
In 2007 HMRC famously lost two CD-ROMs containing the back-up data of all UK families claiming child benefit. The records contained information on an estimated 25m individuals - nearly half of the UK’s population. The CDs were sent through HMRC’s internal courier service without proper encryption and using only easily broken password protection. While the CDs were never located and the data apparently never compromised, the damage was done. Every family in the UK had to be put on fraud alert.
HMRC’s internal data protection manual, at the time of the 2007 data breach, was restricted to senior civil servants. The junior staff who, as in any organisation, did the actual grunt work, had only been fed with slogans about respecting confidentiality.
So have a data deletion policy and ensure that all of your events staff, including zero-hours contractors and volunteers, have training on your data protection procedures.
For more information and advice on data protection within the events industry, download Reference Technology’s free white paper at: https://www.eventreference.com/promo-www/datasafety/download.php.