Event Management & Data

How to Ensure Legal Compliance When Gathering Event Participant Data

Victoria Rudi
December 1, 2022

Table of Contents

For any given event, collecting data is integral. It helps you know how successful an event was, giving you a clear idea of the turnout, as well as the earned return on investment; after all, events aren’t free.

Collected data is also a source of valuable insights. You can learn which events work best for your target market, which promotional strategies ensure the best turnouts, and which industry influencers graced your events and were able to bring in an audience.

However, ever since the EU has put the GDPR into effect, data collection has become much more difficult.

What Is the GDPR and Who Does It Affect?

The GDPR stands for General Data Protection Regulation. It is Europe’s solution to data privacy and security issues. The framework imposes stringent rules and regulations on companies, forcing them to be more forthcoming about how they collect data and more diligent about the data they do collect.

Since being put into effect on 25th May 2018, the GDPR has been guarding the data of European citizens and forcing any company dealing with their citizens to comply.

Even though many companies might feel that they are off the hook since their operations take place outside of the EU, it is worth remembering that the internet has turned the entire globe into one small village.

Any site, regardless of where its market is, could end up, say, serving some guy sitting on his couch in the Netherlands. So, it is worth brushing up on the requirements of the GDPR, the effects it has on businesses, and the ways you can make sure that your business is legally compliant with it.

What Are the Requirements of the GDPR?

The GDPR addresses a wide variety of areas. There is a lot of information to cover, but here are the broad strokes you need to know:

Any event organizer must have the consent of the attendee before collecting and storing their data. However, their obligations don’t stop there.

First of all, it should be added that the attendee has to actively opt in to give you permission to use their data. This means that collecting data by default unless the individual opts out is no longer an option.

Additionally, you have to explain to the attendee how you intend to use their data and with whom you plan to share it, so that they know exactly what they are consenting to by opting in.

2. Notifying the Attendees of a Breach

Whenever you are handling sensitive data, you should do your utmost to safeguard it from falling into the wrong hands. However, sometimes security breaches happen despite everyone’s best efforts. What steps should you take then?

In the event of a breach, you must notify data protection authorities as well as the individuals whose data you had collected. Keep in mind that the notifications must be sent within 72 hours of discovering the breach, so that they can take the appropriate steps, such as changing their email passwords, etc.

3. Providing Attendees Access

The GDPR guarantees individuals access to the information they have provided to third parties, as well as its possible removal.

If an attendee asks for a digital copy of the data you’ve collected, you must be able to provide that record to them. You must also be able to tell them where you store their data, along with what you use it for.

Keep in mind that you only have a maximum of 30 days to provide this information, but you also must do it for free.

4. Having the Right to Be Forgotten

Every attendee, particularly if he or she is from the EU, has what is referred to as the “right to be forgotten”. This essentially means that they can ask you to delete all the data you have on them, and you have to comply.

What’s more, you must stop sharing this data with third parties as soon as they ask, even if they gave you their active consent earlier. The third parties must stop processing these individuals’ data, too.

5. Making Sure That the Data Is Portable

As previously mentioned, attendees can request copies of the data you have on them. However, that’s not all. They can also ask you to transfer this data to other parties, even competitors.

Therefore, you need to make sure to provide the data in a common format, one that is readily machine-readable, regardless of whether you are sending the data to the owner of said data or to a third party upon the owner’s request.

6. Prioritizing Data Security Early On

Both the processes and the products of a company need to take data security into account.

This means that event management software and website designers and developers should consider these factors at the very beginning of the design phase. The event organizers have to devise ways to collect data in a way that prevents any security breaches.

The products most affected by this mandate will be the ones that help you collect and store the attendees’ data, as well as any other products where this data may be used, such as CRM.

7. Having Data Protection Officers

Data Protection Officers are experts on data protection law who usually hold an independent position within the organization they serve. Your company must appoint a data protection officer in the following cases:

a. If your company is a public authority

b. If your company carries out large-scale routine tracking of individuals. This includes tracking people online.

c. If your company processes specific types of data, including data that pertains to criminal convictions.

The role of the data protection officer is to ensure that the sensitive data is handled in accordance with the relevant laws and regulations.

So, to recap, any time you gather people’s personal information, you want to do the following:

  • Get active consent. Automatic opt-ins no longer pass muster.
  • Make opting out easy.
  • If you plan to share data with anyone else, notify the attendees ahead of time and let them know who will have access to their data.

These are some elementary measures you can take to make sure your data collecting is in accordance with the GDPR.

How Will the GDPR Impact You as an Event Planner?

It’s important to realize that complying with the GDPR is more than just the duty of the IT department; the entire organization as a whole has to play its part. For instance, an event planner could expose their organization to dilapidating financial risk if they aren’t careful.

It is no longer enough to use pre-ticked boxes to get consent from your attendees. The attendees have to actively consent by ticking those boxes themselves.

The language of your opt-outs and registration forms can no longer be vague or ambiguous. It must be clear and easily understandable to all readers.

Additionally, you are not allowed to share the list of attendees with a third party unless they explicitly agree to it. This means that if you want to notify the venue of who’s coming to your event with a guest list, you first have to let the guests know that you plan to share their information with the venue and acquire their explicit consent.

You must also be vigilant about who has access to the data you collect. In other words, gone are the days when you could just pass this data on to some freelancer or temporary staff member without a second thought.

Even leaving a printed version of the registration list unattended can be grounds for legal liability, especially if unauthorized individuals get their hands on it.

What Are the Penalties for Non-Compliance?

Great question.

Obviously, the answer will never be a one size fits all. The penalty will be affected by several different factors, such as the duration of the infringement, the number of people impacted by it, and its severity.

It is worth pointing out that data controllers and data processors are subject to the GDPR in equal measure. In simpler terms, the organization collecting the data can be held just as liable as the tech company storing the data.

A single act of non-compliance can cost a company 20 million euros or four percent of its global annual revenue, depending on which is higher. In addition, a company has to pay for any personal damages claimed by individuals affected by the infringement.

To get a sense of how hefty these fines could get, let’s look at a couple of examples:

TalkTalk, a mobile operator based in the United Kingdom, had security failings that affected the personal data of 157,000 users, for which the operator was fined 400,000 pounds. However, this was back in 2015, before the GDPR. After the implementation of the GDPR, the penalty would have easily been 59 million pounds.


In a similar vein, when Tesco’s banking business faced a data security breach in 2016, the GDPR wasn’t in full effect yet. However, the potential penalty that would be levied if something similar were to happen today would be around 2 billion pounds.

There are countless ways to ensure compliance, but here are a few ideas to get you started:

Regardless of the type of event you are organizing, you want to make sure that you are on the right side of the law. Getting all of your event attendees to agree to having their data processed can be almost as time-consuming as putting together the event itself.

Naturally, you will want to accelerate the process and make it as effortless as possible.

The best way to do this is to leverage technology. One way to capture the consent for your event quickly and efficiently is through a mobile application. The benefit here is that once you have consent, data collection will be a cinch.

Here, you’ll also need to be vigilant about the development process and ensure that the team or individual developing the app understands the necessary safety requirements such as the latest encryption methods.

With an app, you could also use beacon technology to see who’s attended your event, which hotspots they are frequenting, and how people are behaving in general.

Not only will this provide you with live data that can help you improve your next event, but it can also give you a clear ROI, which is partially what you have been after all along.

2. Double-Check Your Forms

Ensure the privacy notices and consent boxes on your registration forms are updated and in accordance with the standards prescribed by the GDPR.

As mentioned earlier, your forms need to be straightforward, written in a clear language that your users will find easy to understand.

Therefore, comb through your documentation and implement any necessary changes, making especially sure that your forms are free of any ambiguous formulations your users could find misleading.

3. Review Mailing Lists

The GDPR doesn’t just apply to new personal data you collect; it also applies to old data that you might have gathered and stored long before the regulation was in effect.

This means that companies using mailing lists now have to obtain consent from each recipient before sending them any content. In the event of choosing to purchase mailing lists from a third party, you need to make sure that said third party has proof of consent and has been GDPR-compliant.

Furthermore, demand indemnification against any claims from the third party just in case they did infringe in some way.

4. Do a Data Audit

Seeing as the GDPR applies to your old data, as well as the information you’re currently collecting, you need to go through all the personal information you have obtained, and make sure that you have the owner’s active consent to use it. This means that automatic opt-in boxes you used in the past are no longer acceptable.

Unless you have proof of consent, you should treat the data as if its owner still has not given it. So, get in contact with them and ask them to renew it.

5. Study the GDPR

Although we have addressed some of the main requirements of the GDPR here, this post barely scratches the surface.

The Regulation consists of hundreds of pages, so you might need to get the help of legal experts to get through it. However, if your line of work entails frequent handling of sensitive data, it is worthwhile to put in the effort to get acquainted with it.

You would do well to understand the key terms within the regulation. For instance, you need to know what Data Minimization means and how long you are allowed to store someone’s personal data.

6. Be Wary of Third Parties

Since, as previously mentioned, both data controllers and data processors are placed under equal liability according to the GDPR, you need to be careful about who you partner with. You want to make sure that any third party you do business with is as diligent about compliance as you are and doesn’t cut any corners.

It is best to partner with companies who share your commitment to compliance with the GDPR, so consider implementing a vetting process.

Understanding Your Responsibility as an Event Organizer

Events can be powerful tools in a company’s arsenal. They are excellent marketing vehicles, they provide ideal opportunities to test out new products, and boost employee morale.

Event organizers are the ones who make sure that a company gets its money’s worth from each gathering. This means understanding the objective of the event, establishing the right ambiance in the right venue, and gathering attendee data.

However, if an event organizer were to cost their company millions due to non-compliance, then it’s safe to say that it could never justify the costs.

Therefore, be sure to take every precaution to make sure that the way you collect data complies with the rules imposed by the GDPR, using this article as a guide.

Heather Redding is a part-time assistant manager and writer based in Aurora, Illinois. She is also an avid reader and a tech enthusiast. When Heather is not working or writing, she enjoys her Kindle library with a hot cup of coffee. Reach out to her on Twitter.

Discover how Eventtia helps world-leading brands digitize and scale their events

Learn more

Discover how Eventtia helps world-leading brands digitize and scale their events

Victoria Rudi
Senior Content Specialist
With a Master’s degree in Event Management and a keen follower of SaaS technologies, Victoria is an event content master, producing insightful and valuable for Eventtia’s blog and beyond

You might also be interested in