Event Tech

Walking a fine line

The huge fines handed to British Airways and Marriott by the British Government are making an example of bad data practice – and the events industry should be paying attention, says Simon Clayton, Chief Ideas Officer, RefTech
Last month, the UK Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183m (US$229m) and Marriott nearly £100m for data breaches reported since GDPR came into effect in May 2018.

The fact that the ICO started talking about these two large fines in the same week leads me to wonder if it is making an example of these two businesses, and setting a precedent to shock companies into realising that data security is a serious matter.
The proposed fines are huge, but they are only that size because of the sheer negligence demonstrated by both companies and the amount of data that was lost. The BA fine actually equates to only around 1.5% of its turnover for 2017, and the ICO could have gone up to 4% of global turnover if it deemed that necessary.
Marriott reported that 500 million customer records were lost (although that number has since been reduced – probably because it held duplicate records), and BA’s breach meant that half a million customers had their personal and payment data harvested. It’s worth remembering that only rarely does an exhibition’s database ever reach that size; the vast majority are much smaller and don’t collect particularly sensitive data. It’s also worth remembering that the ICO has always preferred the carrot to the stick: it will only hand out huge fines if a company was negligent. BA was negligent, while Marriott was warned about the database it took on when it acquired the Starwood hotel chain, and the breach occurred over a four-year period.

www.exhibitionworld.co.uk

The world has changed, and GDPR has been introduced to ensure organisations step up to that change.
GDPR has quite rightly given the ICO the power to force companies to do better. This is not an area that could be self-regulated: GDPR was a necessary introduction, and I’m glad that the ICO is now exerting its power. Every exhibition organiser should be looking at these fines and treating them as a wake-up call; data protection is a serious matter.
So go now and ask your organising team: “Are we collecting data that we really don’t need?” Also ask your IT team: “Can we do anything else to protect the personal data we hold? Are we doing everything possible to prevent a data breach?”

Listen to their answers, and put sufficient talent and budget in place to ensure that their suggestions are implemented. Losing 4% of your company’s turnover can make a big dent in your profits, and an even bigger dent in your reputation.
If we as an industry learn anything from this, it should be that we can’t be cavalier with other people’s personal data. If you still don’t understand GDPR, there are a lot of useful guides on the ICO website, and even a guide specifically written for the events industry on our website.

Or, come and find me at one of the industry shows – I’m always happy to help organisers who are taking data security seriously and want to get it right.

*The GDPR, or General Data Protection Regulation, is a series of data laws which came into effect in May 2018, spanning all countries in the European Union.
Issue 4 2019