Stricter rules on personal data protection are coming into place, requiring event companies to make necessary changes in operations to be compliant
Personal data protection has become a hot topic in Singapore’s events industry with those in the know saying the matter has to be taken seriously, and policy guidelines and practices to safeguard the collection, retention, use and disposal of personal data have to be put in place under the law.
“It is not enough to play by ear,” commented Ralph Hendrich, general manager, Koelnmesse and honorary treasurer, Singapore Association of Convention Exhibition Organisers and Suppliers.
Stricter rules on Singapore’s Personal Data Protection Act (PDPA) will come into play in September 2019, and the EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018, will also impact the industry.
In 2016, Hendrich took on the responsibility as Koelnmesse’s data protection officer (DPO), a role that every events company must create.
Hendrich explained that Koelnmesse mounted a “structured exercise”, lasting around three months, to educate staff and third-party suppliers on following the strict protocol under PDPA.
To reassure companies still grappling to be PDPA compliant, Hendrich commented that the exercise will not cost businesses tens of thousands of dollars and “is definitely affordable”. He added the DPO role “cannot simply be dumped on the human resource or administration manager”.
As one of the bigger international players in the region, Koelnmesse received legal and logistics support from its German head office in this aspect.
He advised SMEs to outsource the data management and use a cloud-based solution.
“It is a business investment and part of the business model capability as data protection compliance is increasingly required in RFPs,” he said.
“It is the natural process of digitalisation as businesses move into cloud-based e-invoicing, social media presence, the integration of customer relationship management and 24-hour connectivity.”
Meanwhile, the managing director of a PCO, which organises regional events and is starting its personal data protection exercise, suggested the industry look into introducing professional insurance, like medical insurance for doctors, to protect industry members.
“We will have to be prepared to incur additional business costs if we are expected to be personal data protection compliant,” the PCO director said. “I do not know yet if insurance costs will increase, and how much additional cost the mandatory DPO role will also incur.
“There is nothing much we can do for events we have bid for, but clients need to know they have to incur more cost,” she added.
Kenny Goh, founder of event technology company MICE Neurol, said personal data protection involves technical and legal issues, and he has observed a “gap between the legal world and industry practice”.
“Lawyers may not be the best option, as there are no lawyers that specialise in MICE,” he said.
Goh suggested events organisers and owners use “data controllers” who can prove that everything has been done to be compliant.
“What is needed is a centralised system for tracking data and the data controller is accountable for the data,” Goh added. “In order to control and map the data, the data controller has to be a professional data proxy.
“And if data collection, tracking and distribution is not an event company’s core competency, then it is best the role be outsourced, because a processing platform and software has to be in place and tailor-made for different events to be in compliance.”
The challenge facing some companies, Goh noted, is that clients often want a one-stop solution and event players end up having to offer every kind of service.