The Uncomplicated Guide to GDPR for Event Marketing

Like many regulations, the General Data Protection Regulation (GDPR) can be complex and intimidating.

Even years after its inception, GDPR is still knocking event professionals down with the amount and depth of information out there. But GDPR still significantly impacts events, which is why we’ve brought you this uncomplicated guide to GDPR for event marketing.

Built specifically for event marketers who don’t have enough time in the day to learn the ins and outs of GDPR, this guide will tell you what you need to know and the action items you need to take.

01

What is GDPR?

Effective in May 2018, GDPR is a set of strict data protection rules that protect EU citizens. It required many companies to make significant changes to their data protection and privacy practices.

Although GDPR protects EU citizens only, it’s not just for EU-based companies. Any company that operates in the EU or works with EU citizens has to comply with this regulation. For event marketers, this means that an event invitation to even a single EU individual requires GDPR compliance. (Since GDPR went into effect, US-based privacy regulations have also emerged.)

GDPR standardized laws that were already in place across most of the EU. It gives individuals more privacy protections and makes companies more accountable in how they capture, store, and share data.

Organizations have racked up more than $3 billion in fines collectively.

02

An Overview of GDPR for Event Marketing

For event professionals, GDPR and privacy protections aren’t a wild idea.

We know there are people who register for our events and others who hit the unsubscribe link. We ask for personal information: email address, phone number, job title, and company, to name a few. It’s an event marketer’s responsibility to protect that personal data.

And while your entire organization should care about GDPR, it’s especially important for event marketers to champion it for several reasons:

  • Every past event impacts compliance and liability. Any EU citizen who registered for a past event — any past event, at any time — is protected by GDPR. It doesn’t just impact future events.
  • Future events are impacted too. If you have an upcoming event that’s already driving registrations, you must be GDPR compliant now.
  • Compliance leads to better engagement and conversion from your events. This is about more than just following the law. These regulations will help improve the impact and success of your marketing.
  • Online events count too. GDPR covers any EU citizen in your database. So if you host online events, but never actually set foot in the EU, those EU citizens who registered are still protected.

Even if GDPR wasn’t in place, many of these requirements are simply good business practice. They provide greater transparency and trust between your organization, your customers, and your prospects.

Some ways complying with GDPR can maximize your marketing efforts include:

  • Seeing higher conversion rates: A more accurate and compliant database means a more engaged database. This increases quality interactions and conversion opportunities.
  • Increasing attendee satisfaction: Attendees who trust their vendors are more likely to engage.
  • Creating more effective post-event marketing: When customers and prospects can access and update their own information, you can personalize post-event nurtures and communications better.

This is a huge opportunity for event marketers to step up their game — not only by supporting their company in compliance, but also by improving engagement, participation, and trust with prospects and customers moving forward.

Ben Hindman
Co-Founder, Splash

03

3 Key Areas of GDPR Compliance

GDPR changes the way you manage events, particularly with invitation lists, registration lists, and post-event marketing. And there are three core areas of GDPR — consent, data management, and oversight — that impact event management.

Consent

Event prospects, registrants, and attendees (who are EU citizens) must proactively agree to ongoing communication with you. If you don’t get their opt-in, you cannot communicate with them in any format (digital or non-digital). This applies to those who participated in your events prior to May 25, 2018.

Since GDPR applies specifically to EU citizens, a common challenge is understanding which members of your database GDPR applies to. There are EU-specific email addresses you can look for, but that won’t catch everyone. This is one reason why we recommend applying GDPR practices to your entire database. Better safe than sorry.

A few other recommendations when considering consent:

  • Identify a history of past event attendees’ proactive consent. If this doesn’t exist, you will need to get it to be compliant.
  • Identify a documented history of past event attendees’ engagement with your events. This may exist already in your CRM or marketing automation platform.
  • Develop a plan for capturing consent moving forward. This can include language in a sign-up form or an additional page as part of the registration process.
  • If you plan to share attendee lists with partners, ensure they are included in consent language from the start of your event program or campaign.

Centralized Data Management

Under GDPR, EU citizens have the right to know what information you’ve collected on them and how you’re using it. They also have the right to access this data and request it to be updated or deleted.

Because these are key parts of GDPR, it’s helpful for marketers to have a single source of truth for attendee data. It makes taking any requested action much quicker and easier.

Let’s look a little deeper into this topic.

Privacy: Any EU citizen in your database can ask you to stop using or delete their data at any time. This is also known as giving users the right to be forgotten. Legal and financial obligations are exceptions to this requirement. They may also ask you to simply stop sharing their data with third parties. These requests should be documented centrally.

Ask your legal team for samples of your existing privacy policies. It’s also helpful to understand how they are addressing privacy language around GDPR — you can likely use this in your marketing fine print (like linking to your privacy policy from registration forms).

Security: GDPR’s fine print requires you to be able to demonstrate tight controls on how and where you collect EU citizens’ information. If audited, you may need to provide documentation of security measures. Ask your IT team what they have around this.

Any known security breaches must be reported and addressed within three days.

  • Provide EU citizens (past, present, and future attendees) with free access to their data in a digital format (letting them see what data you have stored about them).
  • Provide a written statement for how you are currently using their data.
  • Provide a written plan for how you intend to use their data in the future.

Double check with your CRM and/or marketing automation managers about how they are complying with these requirements.

The hidden implication in this section is related to sharing your attendee lists. In the past, sharing lists with sponsors and partners has been reasonably common. Under GDPR, you must have a clear plan outlined upfront for contact-sharing so that EU citizens can consent to that specifically.

Designated Oversight

It’s helpful to appoint someone in your organization as the Data Protection Officer. For many companies, this is likely someone in IT or marketing operations.

Your Data Protection Officer’s job is to ensure a common understanding across the organization about GDPR, maintain compliance, document policies, and be a point of contact for external parties.

Find out if your company has appointed a Data Protection Officer and make sure your practices for event compliance are documented with them.

04

GDPR for Event Marketing: An Example

Presenting things like GDPR and other regulations in a theoretical context is confusing. That’s why we’re sharing a case study of what GDPR might look like in practice for your event programs.

Before the Event

  • Identify a history of past event attendees’ proactive consent. If this doesn’t exist, you will need to get it to be compliant.
  • Ensure their consent is reflected across customer data platforms (your CRM, marketing automation, and event marketing platform).
  • Identify data integration points across other tools and partners who might be involved. This could include on-site activity registrations, jointly sponsored party registration lists, etc.
  • Develop all registration forms to comply with clear consent requirements.
  • Ensure participating vendors and partners can offer similar security levels with their customer data.

During the Event

  • Ensure any event apps you’re using comply with the same security and consent requirements.
  • Ensure any information you collected offline from attendees has a plan to be imported into the same centrally available database after the event.
  • Think through the implications of any badge scanners or similar technologies used on-site by your organization or partners/sponsors.

After the Event

  • Ensure any transfers of data (from on-site machines or to partners, for example) comply with GDPR security requirements.
  • Ensure any augmentations or changes in data collected comply with access and consent requirements.
  • Think through the implications of any badge scanners or similar technologies used on-site by your organization or partners/sponsors.

05

A GDPR Checklist for Your Events

If you’re just getting started with GDPR or are updating your processes, here’s a quick-hit checklist of action items:

  • Take inventory of your EU database. How many people are in your database and what percentage have already given proactive consent for communication?
  • Make a list of external organizations that may have (or had) access to your EU database. Learn how they handle GDPR compliance.
  • Talk to your IT and marketing operations teams to learn how customer and prospect data is shared and updated across platforms.
  • Share this guide with your marketing team to ensure they understand the impact of GDPR beyond events.
  • Update your privacy policy to reflect GDPR requirements.
  • Update all event registration and engagement landing pages to collect proactive communication consent moving forward.
  • Draft a process and policy with your marketing operations team for handling correction or deletion of contact records requests.
  • Identify and designate your Data Protection Officer.

Legal Disclaimer

One Clipboard, Inc. d/b/a Splash provides this guide for informational purposes only and not as legal advice. Splash cannot determine whether or not the European Union’s General Data Protection Regulation (“GDPR”) applies to you or your organization, and following the compliance steps contained in this guide does not guarantee compliance with the GDPR. Splash is not a law firm, and the information in this guide is not a substitute for the advice of an attorney.
