The importance of ISO certification in the events industry
Audiences are more engaged when they participate in personalised experiences that are customised to match their interests. As a result, when attending an event, individuals are often happy to part with personal information in return for a bespoke experience. But how does the events industry ensure that a bespoke customer experience remains respectful of that data?
From the moment they sign up to a conference, event or meeting, attendees consent to share their names, contact details, employment specifics and even their credit card particulars. How we treat this information is governed by laws that may differ slightly from country to country. The European Union’s General Data Protection Regulation came into effect in 2018. Since then, legislators around the world have introduced around 150 different privacy regulations.
In this age of cyber-attacks and data theft, all businesses need to think about information security, not least those operating in the meetings, conferences and events industry. The world’s best-known standards that demonstrate to stakeholders and customers that an organisation is committed to data protection are ISO 27001:2017 Information Security Management System and ISO 27701:2019 Privacy Information Management System.
ISO 27001 is an international standard that defines the requirements of an Information Security Management System (ISMS): a set of policies, processes and controls for identifying and managing information risks such as data theft or cyber-attacks. The scope of the ISO/IEC 27001:2017 certification covers the delivery of cross-cutting information technology solutions and services to mci customers and group entities. (This includes information technology and infrastructure, information security and management, network and connectivity, business solutions support, end user support, and performance.)
ISO 27701 is a framework for data privacy that builds on ISO 27001. The scope of the ISO/IEC 27701:2019 certification covers the protection of personally identifiable information (PII) that MCI Suisse SA processes for itself, its customers and mci group entities.
What data protection strategies should organisers have in place for an event?
A data strategy should be formulated well in advance, so that the personal information collected to deliver a personalised experience is limited to what is actually needed for it. This is the GDPR data minimisation principle (Article 5(1)(c)): personal data must be adequate, relevant and limited to what is necessary for the specified purpose. This is a broad, technical topic, and it is best to ensure that the event management company and the platforms you choose for your event have the relevant checks and balances in place.
At the very least:
● Ensure that you are conversant with local regulations, such as the European Union’s GDPR. Be aware that in some countries the law differs from province/state to province/state; the United States, for example, has no single federal privacy law, and California has its own California Consumer Privacy Act (CCPA).
● Obtain opt-in consent for each purpose before collecting or using the information (for example, to customise the user experience, or to communicate with attendees via email), and record when and for what it was given, so that it can be evidenced and withdrawn.
● Implement appropriate technical, contractual, administrative, physical and organisational measures to protect personal data from loss, destruction, unauthorised access, and accidental or unlawful disclosure or manipulation. Encrypt the data collected, both in transit and at rest, and restrict who can access it and the keys that protect it. If using a third party for this purpose, insist contractually that they encrypt the stored data and verify it.
● Use a secure payment platform, ideally a PCI DSS-compliant payment provider, so that card details never pass through or rest on your own or the organiser’s systems.
● Don’t forget to destroy the data at the end of its retention period, in accordance with the applicable local privacy laws and the data controller’s requirements, and to keep a record that this was done.
● Remember that photographs fall under the definition of personal data. Be transparent about whether photographs will be taken and whether facial recognition will be used, especially if children will be present at your event.
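The three items above that can be enforced in software rather than by policy alone are purpose-bound opt-in consent, data minimisation, and destruction at the end of the retention period. The following is an added illustration of how a registration back end can enforce them; it is not mci’s code nor that of any event platform, and the purpose names, field lists, retention periods and attendee identifiers in it are assumed values. It uses only the Python standard library, so the encryption at rest recommended above is deliberately left to the platform or to a vetted library and is not shown here; what it does show is that a purpose without an opt-in cannot read data, that a field not needed for a purpose is refused at collection time, and that a purge run destroys fields whose retention has expired while the audit trail holds only HMAC pseudonyms rather than raw identifiers.

```python
"""Attendee PII handling: purpose-bound opt-in consent, data minimisation and retention-based
destruction. Added illustration, not mci's or any platform's code; all values are assumed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fields each processing purpose may collect; anything else is refused (minimisation).
ALLOWED_FIELDS: dict[str, set[str]] = {
    "registration": {"name", "email", "employer"},
    "personalisation": {"interests"},
    "marketing_email": {"email"},
}
# How long data collected for a purpose is kept before it must be destroyed (assumed periods).
RETENTION: dict[str, timedelta] = {
    "registration": timedelta(days=90),
    "personalisation": timedelta(days=30),
    "marketing_email": timedelta(days=365),
}


class ConsentError(Exception): ...        # data collected or used without an opt-in for that purpose
class MinimisationError(Exception): ...   # a field not necessary for the stated purpose was offered


@dataclass
class StoredField:
    value: str
    purpose: str  # purpose it was collected for; drives its retention period
    collected_at: datetime


@dataclass
class Attendee:
    consents: dict[str, datetime] = field(default_factory=dict)  # purpose -> opt-in time
    fields: dict[str, StoredField] = field(default_factory=dict)


class AttendeeStore:
    def __init__(self, audit_secret: bytes, now: datetime | None = None) -> None:
        self._secret = audit_secret
        self.now = now or datetime.now(timezone.utc)  # settable so retention can be exercised
        self._records: dict[str, Attendee] = {}
        # Audit trail keyed by an HMAC pseudonym, so the log itself holds no raw identifiers.
        self.audit: list[tuple[datetime, str, str, str]] = []

    def _log(self, attendee_id: str, action: str, detail: str) -> None:
        pseudonym = hmac.new(self._secret, attendee_id.encode(), hashlib.sha256).hexdigest()[:16]
        self.audit.append((self.now, pseudonym, action, detail))

    def _consented(self, attendee_id: str, purpose: str) -> Attendee:
        rec = self._records.get(attendee_id)
        if rec is None or purpose not in rec.consents:
            raise ConsentError(f"no opt-in for {purpose!r}")
        return rec

    def opt_in(self, attendee_id: str, purpose: str) -> None:
        if purpose not in ALLOWED_FIELDS:
            raise ValueError(f"unknown purpose {purpose!r}")
        self._records.setdefault(attendee_id, Attendee()).consents[purpose] = self.now
        self._log(attendee_id, "opt_in", purpose)

    def withdraw(self, attendee_id: str, purpose: str) -> None:
        """Opt-out: drop the consent and everything that was collected under that purpose."""
        rec = self._consented(attendee_id, purpose)
        del rec.consents[purpose]
        rec.fields = {n: f for n, f in rec.fields.items() if f.purpose != purpose}
        self._log(attendee_id, "withdraw", purpose)

    def collect(self, attendee_id: str, purpose: str, data: dict[str, str]) -> None:
        rec = self._consented(attendee_id, purpose)
        extra = set(data) - ALLOWED_FIELDS[purpose]
        if extra:
            raise MinimisationError(f"{sorted(extra)} not needed for {purpose!r}")
        for name, value in data.items():
            rec.fields[name] = StoredField(value, purpose, self.now)
        self._log(attendee_id, "collect", ",".join(sorted(data)))

    def use(self, attendee_id: str, purpose: str) -> dict[str, str]:
        """Return only the fields this purpose is entitled to, and only given an opt-in."""
        rec = self._consented(attendee_id, purpose)
        self._log(attendee_id, "use", purpose)
        return {n: f.value for n, f in rec.fields.items() if n in ALLOWED_FIELDS[purpose]}

    def purge_expired(self) -> int:
        """Destroy every field past its retention period; return how many were destroyed."""
        destroyed = 0
        for attendee_id, rec in self._records.items():
            expired = [n for n, f in rec.fields.items()
                       if self.now - f.collected_at > RETENTION[f.purpose]]
            for name in expired:
                del rec.fields[name]
            if expired:
                destroyed += len(expired)
                self._log(attendee_id, "purge", ",".join(sorted(expired)))
        return destroyed
```

A scheduled job calling `purge_expired()` is what turns the "destroy the data" bullet from a policy into a control; the returned count and the `purge` audit entries are the evidence an auditor will ask for. Note that an email address consented for registration is reusable for marketing only once a separate `marketing_email` opt-in exists, which is the purpose limitation the consent bullet describes.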
What is ISO?
The International Organization for Standardization is an independent body that gathers experts together to develop “voluntary, consensus-based, market-relevant International Standards”.
Its standards, such as ISO 9001 for quality management, are among the most widely adopted in the world. Certification helps businesses prove that their products and/or services consistently meet applicable international standards and legal requirements.
The name ISO derives from the Greek “isos”, meaning “equal”. ISO itself publishes the standards but does not certify organisations: to achieve certification, an organisation must be audited against the standard by an independent, accredited certification body.
What data protection does MCI offer?
MCI Suisse SA has been assessed and found to meet the requirements of ISO 27001 and ISO 27701 on Information Security and Data Privacy to enhance information protection for its clients.
These certifications demonstrate that mci group meets internationally recognised data privacy and security standards and has an effective security strategy in place to protect sensitive and critical customer information. It is another step in strengthening the company’s commitment to data privacy, security, and compliance.
With the increased number of projects organised in hybrid and online formats, reassurance and transparency regarding the data that organisations collect and process are essential. The rigorous requirements and intensive audits undertaken to achieve ISO 27001 and ISO 27701 certification show that data security and privacy are paramount to the mci group and reinforce the group’s commitment to customers and data subjects.
A structured approach to information security management can help our company reduce the likelihood of cybersecurity and data privacy incidents, optimise our information security controls, and respond effectively to an evolving threat landscape. As a people business, we always put data security first, as no physical, digital or hybrid project is possible without data protection. I am very proud of this achievement, and I would really like to thank everyone involved in it.