Matt Smith, director and co-founder of Black Tomato Group, and Alana Buchanan, business development manager at Black Tomato Agency, reveal how you and your company can stay ahead of the curve in time for GDPR 2018.
What is GDPR?
The General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 (DPA) and applies in the UK from May 25, 2018. The Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Following the measures suggested below should minimise the risk of breaches and uphold the protection of personal data, while letting you maintain focus on running your events seamlessly.
What this means for you?
Being responsible for a varying range of company-wide events, you can harbour a lot of detailed information about your workforce, including personal details about your boss(es). With new regulations coming into play early next year, your 2018 task list could become extensive when trying to launch new processes to prevent data protection breaches. Everything from dietary requirements and medical notes to co-workers’ birthdays is now under inspection.
First and foremost, remove any data that is stored locally on laptops, desktops, phones or tablets. Any information you have on individuals or teams within your company must be encrypted. A good solution is to save documents to a password-protected cloud service such as Google Drive, Dropbox for Business or Microsoft Office 365.
Dietary requirements for the board end of year luncheon that you have had on your desktop since last March should be deleted and requested only when required for the next event. If you’re in charge of bringing in Colin the Caterpillar for an office birthday – check with the team individually whether they are happy for the office to be made aware and make sure this information is locked up online.
When booking global travel for your team, you’ll no doubt have passport details and DOBs sent to you via email. Email is not classed as secure by the ICO, so make sure that all communication of this nature is carried out using password-protected systems. Photocopies of driving licenses, passports and any personal data should be shredded.
Be careful when filling out medical information on behalf of your boss for a business trip or executive travel. If you have been made aware of the fact that the CEO is going through a divorce and has taken a leave of absence with a stress-related illness, this information does not and should not be available to anyone seeking medical history. A simple way to avoid over-disclosure is to state that the medical information is ‘unavailable’; in the example given, the condition suffered could be stated as ‘personal circumstances’. You only need to give the minimum amount of detail. Be honest but be vague, and do not disclose this information if your director does not wish you to.
Every events management company and agency should be able to assure you that none of the information you provide (dietary requirements, full names, address, credit card details etc), will be shared. If you’re booking your sales team into a hotel, even their precise room requirements should not be available; if a member of staff requires a prayer room, hypo-allergenic bedding, a disabled access room, a minibar without alcohol – it is advisable to agree with the hotel in advance that this information is stored in a locked cabinet and shredded upon check-out.
Quite often when working as a PA in a high-pressured environment, you are answerable to almost everyone in the company and can be pulled in every direction. When your team are out and about, keeping track of them is a task in itself. You may have experienced the odd occasion when a fellow team member, usually someone senior, has called the office sounding slightly panicked and in a hurry to speak to another member of the executive team. It might not just be that Neil sounds like he has a cold or Nora sounds a little hoarse; this could genuinely be someone committing identity fraud in order to retrieve private information on a member of staff.
Switchboards and reception desk teams should have a system in place that all executive and financial teams follow to prevent account details or sensitive information getting into the wrong hands. When working with events agencies and luxury travel providers, ensure they have these systems also. You don’t want your boss’s sales trip itinerary or personal holiday spend being publicised. A simple code or a mutually agreed verbal password can be used to establish the caller’s identity.
If you’re dealing with an events agency, establish a lead contact from the beginning who will be your direct liaison and port of call. This is an easy way to prevent intrusion. It can also avoid a fellow staff member accidentally upsetting the channels of communication by going direct to the events agency; giving their dress size in preparation for the Nepalese gala dinner costume fitting or changing the table plan around for the safari champagne brunch for example… here at Black Tomato Agency, we’ve had it all.
Subject access requests
At any point in time, a member of staff can apply to a previously used hotel or flight partner for what’s known as a subject access request, enabling the requester to obtain all internal notes discussing them and their company. For your own business, make sure that anything discussed over email, Slack, Skype for Business and all other local intranet services is business-related only.
As a client of an events company, you have the right to get a copy of the information that is held about you. Remember, when briefing an events company, not to be too overt when discussing members of staff and their requirements – keep unnecessary detail to a minimum and state just the specifics. General company background is great for a travel provider to have and will enhance the experience you have as a team, but personal information must not be shared.
Holster the advice from above and you’ll happily tackle any event requirement and continue to protect your company with ease and confidence.