Due data diligence

Stricter rules on personal data protection are coming into place, requiring event companies to make necessary changes in operations to be compliant

Personal data protection has become a hot topic in Singapore’s events industry with those in-the-know saying the matter has to be taken seriously, and policy guidelines and practices to safeguard the collection, retention, use and disposal of personal data have to be put in place under the law.

“It is not enough to play by ear,” commented Ralph Hendrich, general manager, Koelnmesse and honorary treasurer, Singapore Association of Convention Exhibition Organisers and Suppliers.

Stricter rules on Singapore’s Personal Data Protection Act (PDPA) will come into play in September 2019, and the EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018, will also impact the industry.

In 2016, Hendrich took on the responsibility as Koelnmesse’s data protection officer (DPO), a role that every events company must create.

Hendrich explained that Koelnmesse mounted a “structured exercise”, lasting around three months, to educate staff and third-party suppliers on following the strict protocol under PDPA.

To reassure companies still grappling to be PDPA compliant, Hendrich commented that the exercise will not cost businesses tens of thousands of dollars and “is definitely affordable”. He added the DPO role “cannot simply be dumped on the human resource or administration manager”.

As one of the bigger international players in the region, Koelnmesse received legal and logistics support from its German head office in this aspect.

He advised SMEs to outsource the data management and use a cloud-based solution.
“It is a business investment and part of the business model capability as data protection compliance is increasingly required in RFPs,” he said.

“It is the natural process of digitalisation as businesses move into cloud-based e-invoicing, social media presence, the integration of customer relationship management and 24-hour connectivity.”

Meanwhile, the managing director of a PCO, which organises regional events and is starting its personal data protection exercise, suggested the industry look into introducing professional insurance, like medical insurance for doctors, to protect industry members.

“We will have to be prepared to incur additional business costs if we are expected to be personal data protection compliant,” the PCO director said. “I do not know yet if insurance costs will increase, and how much additional cost the mandatory DPO role will also incur.
“There is nothing much we can do for events we have bid for, but clients need to know they have to incur more cost,” she added.

Kenny Goh, founder of event technology company MICE Neurol, said personal data protection involves technical and legal issues, and he has observed a “gap between the legal world and industry practice”.

“Lawyers may not be the best option, as there are no lawyers that specialise in MICE,” he said.

Goh suggested events organisers and owners use “data controllers” who can prove that everything has been done to be compliant.

“What is needed is a centralised system for tracking data and the data controller is accountable for the data,” Goh added. “In order to control and map the data, the data controller has to be a professional data proxy.

“And if data collection, tracking and distribution is not an event company’s core competency, then it is best the role be outsourced, because a processing platform and software has to be in place and tailor-made for different events to be in compliance.”

The challenge facing some companies, Goh noted, is that clients often want a one-stop solution and event players end up having to offer every kind of service.
