With data breaches becoming increasingly common — even large hotel chains have been proven to not be immune — it’s not enough for meeting and event professionals to just review their supplier data privacy policies carefully. And now, with the recent implementation of the European General Data Protection Regulation (GDPR) and California’s new data privacy act that goes into effect in January, every organization that holds meetings should develop its own data privacy and cybersecurity policy, said Joshua Grimes, a meetings industry attorney with Grimes Law Offices in Philadelphia.

Why? First, most policies of the companies you work with severely limit any recourse to any other organization should a breach occur, he said. In addition, especially in the case of large hotel companies, most say they reserve the right to change their policy at any time. “So I question whether they offer any real protection to an organization hosting a meeting,” Grimes added. “This makes it important for every organization holding a meeting to develop its own data privacy and protection policy and insist on incorporating it into the contract.”

Some key aspects to cover:

• What kind of data will suppliers be given?

• What are the limitations on their right to distribute it? Can they distribute your meeting-related data to their own suppliers or to their marketing partners? Or should it only be distributed on a need-to-know basis for the purposes of the meeting?

• What level of compliance with GDPR do you require?

• What cybersecurity measures do you require your vendors to take? For example, Grimes said, you may want to include in the contract that vendors run antivirus programs at regular intervals, and again just before the event.

• For technology vendors, will they give you a warranty that there won’t be any pirate networks set up in the venue? What measures must they take to detect and prevent pirate networks from being set up? “If you can’t get sufficient warranties and protections, you should insist on bringing in your own tech company,” he said. While not everyone will need that level of protection, it’s something to consider.

One basic and simple way to protect your attendees is to ensure that the network you use for your meeting or event is password-protected and that your attendees are made aware of the official name of the authorized network.

Some hotels may push back on planner demands to incorporate cybersecurity provisions in the contract, saying that they have no authority to change the individual hotel’s or hotel company’s data privacy policy — that it is what it is — and they have no authority to negotiate. “My position is, fine, we’re not asking you to change anything on your policy, but we do need these additional clauses to protect the group.”

After all, even if those policies were created with the customer in mind, “they haven’t prevented the company from having a massive breach in the past few years, which almost all of them have,” he said. Grimes, who has had clients refuse to sign a contract over just this issue, added that once the hotel realized the planner was prepared to walk away over the issue, it suddenly found it could be a bit more flexible after all. — Sue Pelletier