Marriott breach: Do you take data protection seriously?

In the wake of colossal data breaches at Marriott International (Chinese hackers stole data from approximately 500 million customers) and Cathay Pacific (personal information of 9.4 million passengers was exposed), we find out whether event professionals in Asia are really serious about data security.

According to Kenny Goh, founder of event technology company, MICE Neurol, confusion lingers around the definition of data security. He says every event company needs to make the distinction between data protection and data privacy.

“Data security and data privacy are two different compliances,” he says. “Data security is a technical issue and data privacy is a legal issue.”

Goh, who has more than 40 years’ experience in the business events industry, says many professionals in the region are still grappling with new data protection laws such as GDPR and PDPA.

“From my interactions, it is very obvious that the industry is overwhelmed by the new laws,” he says. “I believe many companies are compliant in managing staff personal data, but most event companies still don’t fully realise the extent of the new obligations when handling non-staff personal data.”

He adds: “One key litmus test of compliance is when a data giver asks an event organiser for a copy of his data statement (meaning who his data has been given to, when it was given, and for what purpose). If the organiser can provide within an hour, he is most likely in compliance.

“Many do not realise that in the new laws, the most likely whistle blowers are disgruntled staff, unhappy clients or competitors.”

For Goh, the challenge of keeping data safe in Asia is largely a cultural one: “Our current professionals were brought up in an era where personal data was not an asset. Today it is.”

Similarly, Felix Rimbach, director of research and development at corporate training and event technology provider, Globibo, says many event professionals in Asia don’t know how to protect themselves from a data breach.

“I feel that the industry wants to take the matter very seriously but truly struggles to access expertise to implement technical and procedural infrastructure comprehensively,” he says. “Most organisations that we work with do clearly understand the risk, but the implementation is far behind what is required.”

And further challenges arise when it comes to convincing decision-makers to invest in data protection.

“To implement systems that truly provide data safety requires technologies, development standards and processes that are extremely complex,” Rimbach explains. “In the area of software development alone, a majority of developers would not even be aware of the best practices to leverage. Being able to transport those very complex methods and approaches (and required investments) through current decision-making bodies in larger organisations appears to be extremely difficult.”

Given the sheer amount of data collected at international meetings and exhibitions, Rosalind Ng, managing director at events consultancy, Globe International, admits that complying with new data protection laws is challenging.

“Data protection/compliance for the database of an event should be a continuous process, and commence from the beginning of the event-planning cycle. This has now become an essential requirement in any events company, which ultimately requires greater time investment from staff members, such as the database manager, to ensure compliance.”

For Ng, the biggest hurdle is proving that data collected at major events was provided with consent.

“In the case of exhibitions, thousands of data points are processed and it would be a challenge to prove consent if a case were to come up. We now have to check whether other justifications might apply to various data processing activities as consent can often be difficult or impractical to secure.”

So, how can events professionals better protect themselves and their clients from a data breach?

Rimbach advises working with multiple partners. “Get help from two or three different security agencies that monitor each other,” he says. “Similar to construction projects, the technical expertise is too specific to do this in-house and we cannot trust a single contractor with perfect implementation.”

Jie Hao, founder of event app and engagement platform, Micepad, also suggests regular training so that staff are aware of their responsibilities.

“Update your data privacy policy as soon as possible and appoint someone in the organisation as a Data Protection Officer to develop a cyber breach response plan. In the meantime, agencies can also look into conducting regular employee security awareness training to inculcate good practices, such as using strong passwords and taking precautionary measures when handling sensitive data.”