Event professionals need to strengthen data protection policies and processes to become GDPR and PDPA compliant.
The launch of the General Data Protection Regulation (GDPR) in Europe and stricter rules laid down by the Personal Data Protection Commission this year have raised uncertainties around data protection compliance in the business events industry in Asia.
To mitigate this, the Singapore Association of Convention & Exhibition Organisers & Suppliers (SACEOS) held a knowledge sharing session to help organisations meet their data protection obligations.
The Personal Data Protection Commission (PDPC) announced in August this year that it would be illegal for organisations to collect, use or disclose National Registration Identity Card (NRIC) numbers or make copies of the identity card from 1 September 2019. The updated guidelines under the Personal Data Protection Act (PDPA) address the danger that misuse of NRIC numbers could result in crimes like fraud and identity theft.
Organisations that have collected NRIC numbers are encouraged to assess if they need to retain these numbers, and if not, to dispose of them responsibly and in compliance with PDPA’s disposal methods.
Appoint responsible parties
To get started, senior assistant director, publicity & engagement (Data Protection and Innovation Group) of the Info-Communications Media Development Authority (IMDA), Valeriane Toon, advises appointing a dedicated data protection officer (DPO) to safeguard customer information and company resources.
Organisations are free to assess whether the DPO function should be a dedicated responsibility or an additional function within an existing role. Once appointed, the DPO can delegate certain responsibilities to other officers.
“In Singapore, it is mandatory to appoint a DPO, so long as the company manages personal data,” Toon says. “The DPO should foster a data protection culture among employees and communicate personal data protection policies to stakeholders – because there is no use in having policies if there are no processes or people supporting them. Policies set the direction. If people are not trained, they are going to mess up the policies.”
She adds: “All parties handling personal data need to come together to provide information so that the data protection officer can create a framework of governance, making sure that the practices are compliant with PDPA.”
Toon advises that when data is shared among event management companies, venues and suppliers, a data controller, who is legally responsible, needs to be appointed. “He or she will obtain the customers’ consent, establish a reasonable purpose to collect data, inform customers of all the data processes within the business, and ensure that all parties handling the information will follow the data protection policy,” she says.
GDPR for European delegates
With the implementation of General Data Protection Regulation (GDPR), what are event companies in Singapore liable for and what do they need to be aware of when European delegates come to Singapore?
Ralph Hendrich, SACEOS honorary treasurer and general manager at Koelnmesse, says that templates and forms can be designed to indicate consent in a way that is GDPR and PDPA compliant.
“What becomes complicated is tracking the act of information,” he says. “The EU says that personal data is like a brand. A delegate can give you information for a specific purpose. But you don’t own this data. I have the right, even in 20 years, to ask you to tell me where is this data, who has this data, and who does what with this data.
“The best way to prevent breach is to use it for a certain purpose and time and then delete it. The company needs to make it very obvious that they asked for consent and secure professional support to get you GDPR compliant for as long as you run your business,” says Hendrich.
Cloud computing can streamline data management
The advent of cloud computing has advanced event technology to a state where integrated event data management and mobility can be achieved via a centralised platform, accessible anytime, anywhere. Not only will it improve event marketing decisions and handling of sensitive information, but it will also ensure that all data touch points are accounted for.