Meeting Mentor Magazine

April 2024

Event Manager’s Guide to Data Security

Data security is much in the headlines these days — from major breaches at Facebook, Equifax and Under Armour to new data privacy standards required by the European Union’s General Data Protection Regulation (GDPR). Set to go into effect May 25, GDPR will affect any organization — no matter where it does business or is located — that collects, manages or stores personal or behavioral data of anyone living in the EU. As such, GDPR essentially sets a new global standard of data protection.

To help event organizers deal with today’s fast-changing data landscape, the International Association of Exhibitions and Events (IAEE) has recently released an excellent resource: “Personally Identifiable Information — Data Security, A Guide on the Many Aspects of Data & Digital Security for the Non-Technical Reader.” The 17-page white paper was researched and put together by the IAEE Technologies Committee. Download a free copy here.

“Membership profiles, attendee profiles and transactions, and exhibitor information and transactions are all sensitive and valuable assets that make up a large portion of the business assets for association and independent organizers,” the white paper explains. “What would it mean to an organization if all or a large portion of that data was compromised and exposed to the internet world? How much damage would result to the organization or to customers and members? It could be detrimental.”

The white paper is well organized, explaining the basics and then moving on to more complex topics. Initial sections discuss types of data and how to categorize the data within an organization, as well as how to provide governance over the data and any training an organization may need. There’s also an exposition of the issues around ownership of personally identifiable information (PII). Another section discusses identity access and management of that access, followed by considerations with system integrations. An overview of data in motion (data that is being shared/transmitted) and how that compares to protecting data at rest is followed by a look at internal security controls.

The last section focuses on data security during events. Here are some tips excerpted from this section:

1. Written agreements with vendors should set clear expectations for service delivery levels with regard to the handling of PII and should explain who is responsible for each control that will be put in place to secure data onsite. Ultimately, the organizer is going to be held accountable by members, attendees and exhibitors for the security of their PII. Appropriate steps should be taken to ensure vendors are following the same security practices onsite as the organization would follow to keep the PII secure in the organization’s own systems.

2. Encryption should always be used when transferring PII data through the networks of on-site service providers. Some facilities may offer the option of a private network or virtual LAN (VLAN). However, changes to these networks are being made frequently and configuration errors do occur. Detecting such misconfigured networks can be tricky to impossible even if there is no malicious intent. While a private network on site might be beneficial in terms of network stability or performance, it is insufficient as a security control.

3. Encryption of data at rest should also be employed when PII is stored on site. Theft of computers or laptops on site is always a possibility, but in addition to that risk, these or other devices may be staged in areas that are not completely secure while they are waiting to be deployed, or they can simply be lost in transit somewhere along the way. Encrypting data at rest helps to mitigate the risks associated with such losses.

4. All wireless communications should be encrypted and be transmitted using the Wi-Fi Protected Access II (WPA2) protocol. WPA2 is the most secure wireless protocol that is in common use. Wi-Fi Protected Access (WPA) is older and not as secure.

— Regina McGee


About ConferenceDirect
ConferenceDirect is a global meetings solutions company offering site selection/contract negotiation, conference management, housing & registration services, mobile app technology and strategic meetings management solutions. It provides expertise to 4,400+ associations, corporations, and sporting authorities through its 400+ global associates. www.conferencedirect.com

About MeetingMentor
MeetingMentor is a business journal for senior meeting planners that is distributed in print and digital editions to the clients, prospects, and associates of ConferenceDirect, which handles over 13,000 worldwide meetings, conventions, and incentives annually. www.meetingmentormag.com
