eventcore Blog

Creating a Trusted Platform with Transparency

Written by Mark Petry | Jun 30, 2020 5:00:00 PM

After reading Adrien’s January post on the three questions to ask your event service provider about data privacy, I began a conversation with my team about how we can move beyond simply “meeting the requirements” imposed by the new regulatory standards and start to truly differentiate around data privacy and trust. We all agreed on the need to be transparent about how we handle and safeguard the data entrusted to us by our customers and partners.


A Two-pronged Approach to Privacy

We built technical privacy into our platform with a bifurcated, or two-pronged, approach. First, we addressed security on the "back end," the application delivery platform that powers eventcore® services; then we addressed the processes for handling the data itself, especially privacy-related and payment information entrusted to us by customers and partners.

Security and robustness of the back end are verified by independent penetration testing and by assessment against industry standards, namely SOC (System and Organization Controls) reports and ISO 27001. Both are widely respected standards followed by world-class service providers. eventcore has just completed a SOC 2 assessment and will next undertake an ISO 27001 gap analysis, with certification planned for 2021.

These steps help ensure our service delivery platform is as secure and robust as we can make it. The next step is turning our attention to how we handle sensitive and confidential information, especially Personally Identifiable Information (PII). Many current practices in the event planning and hospitality industry simply do not pass muster in today's world of multiple, and possibly overlapping, privacy and compliance[3] standards. The industry must adapt its security practices to stay compliant with GDPR,[4] CCPA[5] and the similar standards likely to emerge in the near future, as people and governments grow more concerned about the indiscriminate handling of personal information such as credit card numbers and government ID numbers.

At eventcore, we've undertaken an end-to-end review of how we collect, store, manage and ultimately dispose of PII. First, all privacy-related information is stored in an encrypted database, and each card number is additionally encrypted with its own key, so that a single leaked key exposes one record rather than the whole table; this only holds when those keys are kept outside the database itself, in a key management service or hardware security module, and when a compromised database host cannot simply call that service on the attacker's behalf. Next, when hotel and accommodation partners generate a report, they acknowledge their receipt of this PII and verify their own safeguard procedures. Lastly, eventcore's email system flags any incoming PII that arrives in a message, so we can promptly delete it and inform the sender, insisting that they take corrective action.
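The per-card encryption described above is usually built as envelope encryption: every record gets a fresh data key, the card number is encrypted under that key, and the data key is itself wrapped under a key-encryption key (KEK) that lives in a KMS or HSM, never in the database. The following is an added illustration of that pattern in Go using the standard library; it is not eventcore's code, and the AES-256-GCM choice, the record identifiers and the test card number 4111 1111 1111 1111 are assumptions made for the example. The record ID is bound as associated data so that a ciphertext copied from one row cannot be decrypted in the context of another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is what a database row would hold: the card number
// encrypted under its own data key, plus that data key wrapped under a
// KEK that is held outside the database (HSM/KMS in production).
type EncryptedRecord struct {
	WrappedKey []byte // per-record data key, encrypted with the KEK
	Ciphertext []byte // card number, encrypted with the data key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key, binding aad so the
// result only opens in the same context. Output is nonce || ciphertext+tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; tampering or a wrong aad makes it fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptCard generates a fresh 256-bit data key for this one record,
// encrypts the PAN with it, then wraps the data key under the KEK.
func EncryptCard(kek []byte, recordID, pan string) (EncryptedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return EncryptedRecord{}, err
	}
	ct, err := seal(dataKey, []byte(pan), []byte(recordID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wk, err := seal(kek, dataKey, []byte(recordID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{WrappedKey: wk, Ciphertext: ct}, nil
}

// DecryptCard unwraps the record's data key with the KEK, then decrypts
// the PAN. Using a different recordID than at encryption time fails.
func DecryptCard(kek []byte, recordID string, rec EncryptedRecord) (string, error) {
	dataKey, err := open(kek, rec.WrappedKey, []byte(recordID))
	if err != nil {
		return "", err
	}
	pt, err := open(dataKey, rec.Ciphertext, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	kek := make([]byte, 32) // assumption: in production fetched from an HSM/KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := EncryptCard(kek, "reg-1001", "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	got, _ := DecryptCard(kek, "reg-1001", rec)
	fmt.Println("round trip:", got)
	_, err = DecryptCard(kek, "reg-1002", rec) // ciphertext moved to another row
	fmt.Println("cross-record swap rejected:", err != nil)
}
```

Each card number costs one call to the KEK holder on read, which is the point: an attacker who dumps the database gets wrapped keys they cannot open, and an attacker who can unwrap keys has to do so one record at a time, where rate limits and audit logs can notice.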
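The email flagging described above has to tell a pasted card number apart from booking references and phone numbers of similar length. The post does not say how eventcore's filter works; the following added Go example shows one common way to do it, which is not eventcore's code: find digit runs of card-number length and keep only those that pass the Luhn checksum that every payment card number satisfies, then mask all but the last four digits before anything is written to an alert. The sample message and its numbers are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// candidate matches 13 to 19 digits, optionally separated by single
// spaces or dashes, as a card number usually looks when pasted into an
// email. The \b anchors stop it from matching a slice of a longer run.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a digit-only string passes the Luhn checksum.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindPANs returns every candidate in text that also passes Luhn, with
// separators stripped. A random number of the same length fails the
// checksum nine times out of ten, which keeps false positives down.
func FindPANs(text string) []string {
	var found []string
	for _, m := range candidate.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhnValid(digits) {
			found = append(found, digits)
		}
	}
	return found
}

// Mask keeps only the last four digits, which is all a human triager
// needs to see in the alert that goes to the sender.
func Mask(pan string) string {
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func main() {
	// Constructed sample message; 4111... is the widely used Visa test PAN.
	msg := "Booking ref 12345678 for J. Doe, card 4111 1111 1111 1111 exp 12/24. " +
		"Call 206-555-0123-4567 with questions."
	for _, pan := range FindPANs(msg) {
		fmt.Printf("PII flagged: card number %s found in inbound mail\n", Mask(pan))
	}
}
```

The Luhn filter is what makes this usable in practice: the 14-digit phone number in the sample fails the checksum and is not flagged, while the card number is. A production filter would also look for other PII formats the page mentions, such as government ID numbers, each with its own pattern and validator.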


Looking Further Down the Privacy and Compliance Road Map

For the longer term, we need to think through our approach to complying with this growing array of standards for privacy and security to ensure we are not just chasing the requirements. 

All of the current standards imply that our end users must have a way to see and understand where and how the data we've collected about them is stored and how it has been used or shared, along with the ability to request that the data be deleted.

This seems to indicate the need for a "customer compliance and privacy portal" of some sort, where a user, after properly authenticating and submitting a request, can view, audit and delete their PII and payment information for any or all events for which they registered, sorted by the applicable standard.

This presents several challenges in the event management world.  At eventcore we store, process and manage privacy related information for a wide range of customers and partners, each of which may have their own privacy requirements, authentication methods and other concerns about sharing user data across multiple events.[6]

Given these challenges, truly responsible management of privacy-related customer data entails a lot more than a "click-to-acknowledge" dialog box on a web site. It means every aspect of eventcore's operations— from our back-end platform to our processes for communicating with customers and partners— is being scrutinized to ensure we are compliant with all evolving regulatory requirements, whether imposed by industry, government or third-party partners. Your data is yours— and we understand you have entrusted eventcore to manage it in a responsible and compliant way. eventcore will always take that responsibility seriously.

Our Glossary of Terms can be found here.