15 Mar 2018
The value of data has been increasing over the years, as innovations and analytics have allowed it to be used in powerful ways. In fact, a company’s data can be one of its most precious assets. So it’s not surprising that, as data has become more valuable, the need to protect it has become greater.
Most SA event organisers need to do more
Gavin Burgess, the MD of Ultimate Data Sciences, admits that some South African event organisers do not have adequate security measures in place: “I have been to events where the onsite registration system is not as well protected as it could be, from being vulnerable to simple hacks or even the risk of someone stealing one of the laptops containing all of the attendees’ personal information.”
This shouldn’t be taken lightly, as there is a lot at stake. Stolen data can be sold to or used by other companies, including your competition. There is also the reputational damage to consider, when your attendees discover that your ineptitude means their personal data has been taken by an unknown person to be used in unknown ways. And you shouldn’t forget the consequences of non-compliance with South Africa’s new Protection of Personal Information (POPI) Act – which includes the obligation to make public any such security breach.
The legal ramifications
POPI places the full responsibility of protecting personal data on the company that is handling it, where personal data includes things such as name, ID number, date of birth, telephone number and email address. Tourism specialist Advocate Louis Nel, also known as Louis–the–Lawyer, says that the penalties for failing to uphold the requirements outlined by the POPI Act are steep, and include fines of up to R10 million or imprisonment for between 12 months and 10 years.
“Companies need to be POPI compliant by the end of 2018,” adds Adv. Nel. “So it is important to start implementing the correct processes and systems now, so you are ready for this eventuality.”
How to make onsite registrations more secure
Onsite registration is an especially high-risk period for event organisers, admits Burgess. He says, “Most event organisers do not use an online system for registration, in case of connectivity problems. This would be a disaster for the registration process. Instead they choose to store all information on laptops or a central server. The big risk here is if these devices are accessible on the same network that attendees are using.”
To protect your registration data in this context, Burgess recommends the following three steps:
- Use a different network to the one the visitors are using.
- Ensure you have the correct software installed on your computers, such as firewalls and antivirus software.
- If your internal network is capable of handling it, you could also add a hardware firewall for an additional layer of security.
Can you store personal data?
Adv. Nel also highlights that under POPI regulation you may not store personal information for longer than required to “achieve the purpose for which it was collected OR subsequently processed” except when any of the following conditions are met:
- It is required/authorised by law;
- It is reasonably required to do so for a function or activity of the Responsible Party;
- It is required to do so in terms of a contract with the Data Subject (the person whose personal information it is);
- The Data Subject consented to the retention;
- It is for “historical, statistical or research purposes” but only if it has “established appropriate safeguards” against abuse.
If none of the above apply to you, explains Adv. Nel, you need to ensure you “destroy or delete” the personal data you collected during the registration process “as soon as reasonably practicable” and in such a manner that “prevents its reconstruction in an intelligible form”.
The right way to do it
However, most event organisers will want to keep all of the personal information gathered through the registration process. What this means is that you need to gain the express permission of your attendees to do so, through a transparent opt-in process.
Other good practices around this process include:
- Ensure any contracts or terms and conditions are simply worded and therefore easy to understand.
- Educate your event attendees on their rights – including that they can revoke their consent to your keeping their information at any time.
While these regulations and security precautions may feel onerous, it is important that you adhere to them in order to maintain your professional reputation. It is a good idea to speak to an expert to assist you in this regard. Once your processes are updated, it will soon be business as usual.