Event App Security: Access & Data Privacy Best Practices


If there’s one phrase that causes event planners to lose the most sleep—besides “The speaker dropped out!”—it’s probably “data protection”, especially when it comes to event app security.

Due to heightened sensitivity around data breaches and privacy, event planners are having to pay special attention to how their technology vendors—like event app providers such as EventMobi—are using and storing their event data.

This blog post will shed light on the top event app security features, best practices for data protection, and important technical questions that you should be asking your event app providers so that you only partner with the most secure vendors (and can sleep more soundly at night!).

The Top Event App Security & Access Features

Whether you feel you have confidential information housed in your event app or not, it’s important to ensure that all personal data about your event participants is only accessible by authorized parties.

Here are some important features an event app provider should offer for event app access and security:

  • Require passwords for all participant accounts. Passwords help your attendees protect access to their personal accounts and the information stored within them. Without passwords, anyone who can guess your participants’ email addresses could potentially access your event app and the data within it, such as profiles or private messages.
  • Provide passcodes for private events. Requiring participants to have a passcode to log into an event app allows planners to limit access to only those people they share the passcode with, such as a list of registrants. Passcodes help limit public access to information in the event app—such as location, agenda, or a speaker list. They’re an effective deterrent to unauthorized access by people who could stumble upon the event app via a directory (like an app store), or those who guess the event app link.
  • Restricted access by email (the highest level of event app access). Restricting app access to registered participants only (based on their email address) ensures the greatest control over event details and participant listings by locking out anyone not registered to attend.
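To make the three access levels concrete for the IT or infosec colleague reviewing a vendor, here is an added Python sketch (not EventMobi's code or any vendor's API) of a login gate that layers them. The class `EventAccess`, its method names, the reason strings and the sample data are all hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

def _norm(email):
    return email.strip().lower()

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class EventAccess:
    """Hypothetical login gate for one event; not any vendor's real API."""

    def __init__(self, passcode=None, registered_emails=None):
        self.passcode = passcode                      # None = public event
        self.registered = (None if registered_emails is None
                           else {_norm(e) for e in registered_emails})
        self.accounts = {}                            # email -> (salt, hash)

    def set_password(self, email, password):
        salt = os.urandom(16)
        self.accounts[_norm(email)] = (salt, _derive(password, salt))

    def login(self, email, password, passcode=""):
        """Return (allowed, reason). The reason is for the audit log only;
        show the user one generic failure message to avoid enumeration."""
        email = _norm(email)
        # Restricted access by email: unregistered addresses stop here.
        if self.registered is not None and email not in self.registered:
            return False, "email_not_registered"
        # Event passcode: shared secret, compared in constant time.
        if self.passcode is not None and not hmac.compare_digest(
                passcode.encode(), self.passcode.encode()):
            return False, "bad_passcode"
        # Account password: knowing an email address is never enough.
        # Unknown accounts still pay the hashing cost (uniform timing).
        salt, stored = self.accounts.get(email, (b"\0" * 16, b""))
        if not hmac.compare_digest(_derive(password, salt), stored):
            return False, "bad_password"
        return True, "ok"

# Constructed sample data.
gate = EventAccess(passcode="SUMMIT-24", registered_emails=["Ana@Example.com"])
gate.set_password("ana@example.com", "correct horse battery")
```

The email allowlist and the passcode only narrow who may attempt a login; the per-account password is what actually authenticates the participant.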

Best Practices for Event App Data Protection

Any person or organization collecting information about event participants is considered a “Data Controller” under privacy legislation like GDPR. Data Controllers have a great deal of responsibility for the information they collect—including how that data is gathered, stored, and used across various technologies.

To help you meet basic data protection best practices, look for some of the following features:

  • The ability to publish your own Privacy Policy. This should be published on the registration or event app login screen so that event participants can be made aware of what is happening to their data before they decide to complete registration and/or sign up. It should also be displayed within the event app at all times for reference.
  • The ability to have participants agree to your Terms of Use. This feature should force attendees to agree to overall event rules before they can enter the event app. However, the Terms of Use should also cover how participants are expected to use or share data they have access to in the event app. It should also be displayed within the event app at all times for reference.
  • The ability to “hide” certain participants’ profiles and/or customize what data is displayed within participant profiles. It may be helpful to have the ability to hide participant profiles within the event app if they request it. However, hiding profiles often means those participants cannot use parts of the event app, such as 1:1 messaging, gamification, and forum or activity feed posting. This is because those functions require the identity of the poster to be displayed. It’s important to note that the inability to participate in key parts of the event app may reduce their adoption and engagement rates. Your Privacy Policy should communicate what personal data will be published within the event app so this isn’t an issue after participants sign up. Having the ability to determine which participant profile fields will be visible to others within the event app is also important so sensitive information isn’t shared publicly within the event app.

Other requests to make of your event technology vendors around data protection and privacy include:

    • A data processing addendum (DPA) that addresses both your and their obligations around data protection (note: this is only required if the information is not already explicitly outlined in your most recent contract).
    • A list of sub-processors the event technology provider may use to collect and store information.
    • Information about how data access requests (DAR), or requests for data destruction or anonymization will be handled. They should be able to tell you how long data will be stored for, where it will be stored, and who has access to it should you need to respond to a DAR from your event participants.
    • A sample Terms of Use and/or Privacy Policy that outlines typical usage of their platform that you can modify for your events’ specific needs. These will need to be edited to reflect where you store and use event participant data. For instance, if you share emails collected with sponsors, that will need to be outlined since a provider usually won’t be responsible for that mechanism.

Internally, it’s also important to understand who in your organization or team will be accessing data, and to have them properly trained in the handling of your event participants’ data.

For more details about GDPR compliance and event planning, read our guide: The Event Marketer’s Guide to GDPR.

Other Event App Security Considerations

While you may need an infosec or IT pro to dive into all of the technical security requirements of your event technology, here are a few high-level areas event planners should familiarize themselves with to understand what is important when selecting event technology vendors:

  • What kind of data encryption methods does the provider use (both in transit and at rest)? (e.g., is HTTPS encryption used?)
  • Where is the data the provider collects hosted? (And is that provider secure and reputable?)
  • Are the provider’s security policies based on accepted standards in the industry?
  • What are their processes for communication of security breaches to customers?
  • Are all security features included in basic pricing? Or is extra payment required for enhanced security?

Learn more about EventMobi’s commitment to event app security and data protection. We offer secure event app access and GDPR compliance features that make it easy to deliver an incredible and safe event.

Internal & External Considerations for Event App Security

Aside from ensuring your event app provider is security-conscious, it’s important to consider implementing processes that mitigate risk around how other vendors and/or your employees access or use event participant data. For example:

  • What type of WiFi security does your venue provide?
  • Who in your organization has access to your event data? Are you granting everyone administrative access to the management system of your technology vendor? Are the employees who have access properly trained in how to handle and store attendee data?
  • Do you have a corporate mobile device policy to ensure access to your event app is limited, even in the case where an unauthorized third party accesses an employee’s mobile device?
  • If you are using custom fields to integrate your event app with an external data source (ERP, HR, CRM), have you made sure that only the required information is being synced (and not more private data than is necessary)?
  • If you are sharing attendee information with your speakers or sponsors, have you collected consent from your attendees during your registration process?

For more event app security-related content, check out Event Security: How Technology Can Help Event Professionals Plan Smarter and Manage Risk.