It's been over five years since the EU adopted GDPR to harmonize data protection law across its member states. Since consent, transparent communication, and data erasure form the core of GDPR, event planners had to adopt several new practices.
Like any new regulation, GDPR was initially met with skepticism, fear, and uncertainty. How does GDPR affect badge scanning? How does it affect sponsorships and sharing lists? How do you track opt-outs when you also have to honor "the right to be forgotten"?
Five years later, the biggest challenge hasn't been implementation; it's the misinformation that still confuses people. Now that the dust has settled, Splash has more clarity on GDPR: how to comply and avoid fines, and how to host successful events despite the changes.
To help you navigate this GDPR era, we’ve gathered the most common GDPR questions we’ve received from our customers.
For a more in-depth look into how GDPR affects event marketers, download our free guide, The Uncomplicated Guide to GDPR and Event Marketing.
The General Data Protection Regulation (GDPR) is a set of strict data protection rules for organizations that are established in the EU or that offer goods or services to, or monitor, people in the EU. It has applied since May 2018, and regulators have since issued more than $3 billion in fines under it.
GDPR, as a concept, is not unique: most EU member states already had some form of data privacy law in effect. GDPR standardized these laws across Europe and made data processing more transparent for everyone.
For event professionals, it's not a radically new idea. When we plan events, we know who's engaged in our programs: those who RSVP are the ones who show up. And we know who isn't engaged or who's asking to be unsubscribed.
We also ask for personal information from our event attendees, like email addresses, phone numbers, job titles, and company names. It’s our job as event marketers to protect our attendees' personal data to prevent identity theft and sensitive data exposure at all costs.
So, in that way, GDPR is nothing new for us. We're always going to do our best to keep customer information safe and only communicate with those who truly want to be invited.
GDPR brings new perspectives and practices to event planning in many ways. I've broken it down into two areas: sharing attendee data with sponsors and partners, and collecting data on site through lead capture and registration.
Sponsors often want the attendee list for their own marketing, and under GDPR you cannot simply hand it over. Sharing attendees' personal data with a partner requires a lawful basis, and for a sponsor's marketing that means explicit, informed consent from the attendee: explain who will receive the data and for what purpose, and respect their choice.
Lead capture at a booth, whether you scan a badge, collect a business card, or add someone to a nurture list, has to be transparent for attendees. Explain in no uncertain terms how, why, and when you will use the data you collect, and link your privacy notice and event terms at the point of capture so people can make an informed decision.
Next, on-site registration. As with lead capture, be very clear about what information you capture during registration at any event, and hand out badges only to verified attendees.
Ask yourself these questions: Are you only adding people who want to be part of the list? How can they unsubscribe or see their information?
Part of the reason companies end up paying GDPR fines is that they don't understand the fundamentals. Here are the key GDPR terms you should always remember:
GDPR consent must be "freely given, specific, informed, and unambiguous." The attendee has to take a clear affirmative action, such as ticking an unchecked box. You cannot use a pre-checked opt-in box, and you cannot bundle the consent request with something else, such as the terms and conditions checkbox or a brochure download; marketing consent needs its own, separate checkbox.
For event registration and ticketing, the safe approach is to secure express consent before you hold and use delegate data. Express consent is straightforward; where things get murkier is "legitimate interest." GDPR leaves room to interpret it, but getting it wrong still attracts heavy fines.
In a nutshell, legitimate interest is a separate lawful basis: it covers processing that is necessary for a genuine interest of yours (or a third party's) and that the person would reasonably expect, provided your interest isn't overridden by their privacy rights. Sharing a guest list for fraud prevention, or some direct marketing, may qualify. In such cases you must document why the processing is necessary and keep it relevant and precise.
Check out the UK ICO's three-part test (purpose, necessity, and balancing) to gauge whether your processing can rely on legitimate interest.
Relying on legitimate interest also raises the question of accountability. As the event organizer, you're the data controller: you are responsible for the subject's data, how it's processed and shared, and with whom. Since you hold a large data footprint, it's worth using DSAR software to respond to data subject requests promptly; GDPR gives you one month to respond, extendable by a further two months for complex requests.
"Am I responsible for attendee data if I'm not managing it?" We have come across this question several times. As a data controller, you shoulder the burden of compliance. Technology providers that process data on your behalf are called data processors. Processors have their own obligations, but the controller remains accountable for the processing, which is why you need a written data processing agreement with each vendor and why you have to audit, document, and control how they handle your attendees' data.
As long as you're not sharing attendee data with external parties without consent, it's easy to think you have more leeway internally. You don't: reusing data collected for one event in an unrelated campaign is a new purpose and needs its own justification.
Event planners often say, "Hey, send me that RSVP list." Under GDPR, do this only if the new use is covered by the original consent or you're sure legitimate interest applies.
If someone gets added to a list they don't want to be on and unsubscribes, they may unsubscribe from your event list and your demand-gen marketing list at the same time. So protect your groups and make sure you're not opting anyone into anything without their consent.
A few recommendations:
You do not need consent to send customers invoices and other transactional emails directly related to the service or product they signed up for. But make sure you don't start using transactional alerts to push marketing campaigns.
A permission pass is a one-time double opt-in email campaign sent to the contacts in your database who haven't explicitly confirmed their subscription. It has always been good practice to reconfirm consent, and now it's more important than ever. One caveat: the UK ICO has treated "please confirm your marketing preferences" emails sent to people who had already opted out as unsolicited marketing in their own right, so send a permission pass only to contacts you can still lawfully email, never to those who have withdrawn consent.
If you have not received a GDPR-compliant consent, you will have to collect it before the event — and that's where permission passes help you.
If you're a sponsor or partner receiving attendee data, the event host must first be GDPR compliant regarding data usage and consent, and they must obtain the same for the other event partners who will receive attendee data, including you. EU attendees must proactively agree (with an unchecked box on the registration form) that they want to receive emails from sponsors or partners. Also check with the host to verify they have obtained that consent and communicated any legitimate interests to attendees.
Having said that, you're still responsible for your own database. Follow up with an email to the leads explaining the purpose and use of their data in transparent, simple language. You don't necessarily need to ask them to opt in again, but you must honor a withdrawal of consent at any point.
GDPR defines personal data as any information relating to an identified or identifiable individual (the "data subject"), whether it identifies them directly or indirectly. Its scope follows the person, not the server: if your attendee is in the EU but their data is processed and stored outside the EU, GDPR still applies, you still need a lawful basis such as consent, and moving the data out of the EU needs a valid transfer mechanism (an adequacy decision or standard contractual clauses, for example). To be safe, proactively obtain consent on all your registration forms.
In retargeting, cookies and device IDs are personal data under GDPR. Cookies can serve legitimate goals, but non-essential cookies such as retargeting pixels require the visitor's prior, informed opt-in under the ePrivacy rules; a notice that they can opt out later is not enough.
To gain consent, describe the use of personal data for retargeting in your privacy policy and show an interactive banner that lets visitors accept or reject non-essential cookies before any are set. Link the updated cookie policy and let people change their choice later.
You don't necessarily have to obtain consent to follow up on badge scans or business card exchanges; legitimate interest can cover direct marketing to prospects. Still, tell the person how you collected their data and how you'll use it (sales follow-up, mailing list, and so on). Under legitimate interest you can contact prospects, but you must give them notice that you hold their data and explain its purpose and use within one month at the latest, and no later than your first communication with them. They must also be able to object, and an objection to direct marketing must always be honored.
If they ask to be deleted, they are invoking their right to be forgotten. You may still want event analytics to personalize future events. In that case you can anonymize the subject's personally identifiable information (PII) instead of deleting the whole record, because data that can no longer be tied to a person falls outside GDPR. This supports data minimization, but only if the anonymization is real: in 2019 the Copenhagen ride-hailing service Taxa 4x35 was fined about €160,000 for anonymizing customer names while keeping phone numbers, which still identified the customers, and for storing the data far longer than needed.
Of course, once you've anonymized the person it becomes harder to track who asked to be deleted, but you retain the measurable data you want to keep intact, and the person's identity will not technically "exist" in your database if you are ever audited. At the end of the day, GDPR data collection and event management become a balancing act.
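The following is an added example, not Splash's code or any product's implementation, showing one way to put the last few points into practice in an attendee store: consent is recorded per purpose only when the attendee explicitly ticked the box (a defaulted or string value is ignored), an erasure request strips the PII fields but keeps non-identifying analytics, and a keyed-hash suppression list lets a later bulk import (a sponsor list, or the "send me that RSVP list" case) recognize an erased address without storing the address itself. The attendee fields, purpose names, and the `SUPPRESSION_KEY` value are assumptions chosen for illustration; the sample attendees are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

# Hypothetical key (assumption for this example). In production it lives in a
# secrets manager, separate from the database, so the suppression tokens cannot
# be brute-forced from a dump of the table alone.
SUPPRESSION_KEY = b"rotate-me-store-in-kms"

PRIVACY_NOTICE_VERSION = "2023-05"          # assumed version string
PURPOSES = ("event_updates", "marketing", "share_with_sponsors")


@dataclass
class Attendee:
    email: Optional[str]
    name: Optional[str]
    phone: Optional[str] = None
    company: Optional[str] = None
    job_function: str = "unknown"            # coarse bucket, not a job title
    attended: bool = False
    sessions_visited: int = 0
    # purpose -> consent record; a purpose with no record means "no consent"
    consents: Dict[str, dict] = field(default_factory=dict)


def suppression_token(email: str) -> str:
    """HMAC of the normalized email. Recognizes an erased address on re-import
    without keeping the address; a plain unkeyed hash of an email is guessable."""
    norm = email.strip().lower().encode("utf-8")
    return hmac.new(SUPPRESSION_KEY, norm, hashlib.sha256).hexdigest()


def consent_records(form: dict, source: str) -> Dict[str, dict]:
    """Only an explicit True counts as consent: a missing key, an "on"/"yes"
    string, or a pre-filled default is ignored rather than treated as opt-in."""
    out = {}
    for purpose in PURPOSES:
        if form.get(f"consent_{purpose}") is True:
            out[purpose] = {"at": datetime.now(timezone.utc).isoformat(),
                            "source": source,
                            "notice_version": PRIVACY_NOTICE_VERSION}
    return out


class AttendeeStore:
    def __init__(self) -> None:
        self.records: Dict[str, Attendee] = {}   # keyed by normalized email
        self.anonymized: list = []               # PII-free rows kept for analytics
        self.suppressed: set = set()             # suppression tokens of erased contacts

    def register(self, form: dict, source: str = "registration-form") -> Attendee:
        """Direct registration by the person themselves: a fresh explicit opt-in
        is honoured even if they previously asked to be forgotten."""
        key = form["email"].strip().lower()
        rec = Attendee(email=key, name=form.get("name"), phone=form.get("phone"),
                       company=form.get("company"),
                       job_function=form.get("job_function", "unknown"),
                       consents=consent_records(form, source))
        self.records[key] = rec
        self.suppressed.discard(suppression_token(key))
        return rec

    def mark_attended(self, email: str, sessions_visited: int) -> bool:
        rec = self.records.get(email.strip().lower())
        if rec is None:
            return False
        rec.attended, rec.sessions_visited = True, sessions_visited
        return True

    def import_list(self, rows: list, source: str) -> dict:
        """Bulk import from a partner list. Skips contacts who asked to be
        forgotten and contacts the source holds no explicit marketing consent for."""
        counts = {"added": 0, "skipped_suppressed": 0, "skipped_no_consent": 0}
        for row in rows:
            key = row["email"].strip().lower()
            if suppression_token(key) in self.suppressed:
                counts["skipped_suppressed"] += 1
            elif row.get("consent_marketing") is not True:
                counts["skipped_no_consent"] += 1
            elif key not in self.records:
                self.records[key] = Attendee(email=key, name=row.get("name"),
                                             consents=consent_records(row, source))
                counts["added"] += 1
        return counts

    def erase(self, email: str) -> bool:
        """Right-to-be-forgotten: drop every identifying field, remember only a
        keyed token so the contact is not silently re-added, keep aggregate facts."""
        key = email.strip().lower()
        rec = self.records.pop(key, None)
        if rec is None:
            return False
        self.suppressed.add(suppression_token(key))
        # company is dropped too: company + job_function can re-identify a person
        self.anonymized.append({"job_function": rec.job_function,
                                "attended": rec.attended,
                                "sessions_visited": rec.sessions_visited})
        return True

    def marketing_audience(self) -> list:
        return sorted(e for e, r in self.records.items() if "marketing" in r.consents)

    def attendance_stats(self) -> dict:
        rows = [{"attended": r.attended, "sessions_visited": r.sessions_visited}
                for r in self.records.values()] + self.anonymized
        went = [r for r in rows if r["attended"]]
        avg = sum(r["sessions_visited"] for r in went) / len(went) if went else 0.0
        return {"registered": len(rows), "attended": len(went), "avg_sessions": avg}
```

Two design points worth noting: the suppression set holds only HMAC tokens, so nobody reading the database can recover who asked to be forgotten, yet the import path still refuses to re-add them; and the anonymized rows deliberately keep only coarse attributes, since a job title plus a company name would re-identify someone just as the retained phone numbers did in the Taxa 4x35 case.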
Consent must be opt-in. Never pre-check the consent box; the attendee has to tick it themselves to show active intent.
When individuals submit a DSAR for data transfer or erasure, controllers should be transparent about what will happen to backups. React promptly, too: you have one month to respond (extendable by two for complex requests), and delaying or failing to delete data can attract fines.
We all make mistakes. Though it is unlikely that accidental non-compliance would result in the maximum fine, the best way to avoid penalties is to be proactive and vigilant about GDPR compliance.
If your event list or customer data is leaked, you must notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. The notification should describe the nature of the breach, give the contact details of your data protection officer (DPO), state the likely consequences for individuals, and list the measures taken to mitigate it. Data processors must notify their data controllers without undue delay, and data controllers must notify the affected individuals when the breach poses a high risk to them, such as identity theft.