We gather more data and information than ever before as event professionals, which enables us to interact and connect with our clients and event attendees in ways that were unthinkable ten years ago. But there’s a good reason why more data translates into more compliance regimes. Among these is the General Data Protection Regulation (GDPR), which has important ramifications for the events sector.
In this article, we’re delving deeply into GDPR and discovering how it affects ticketing, event planning, attendee data and overall event data protection. In addition, we’ll examine the steps you must take to comply and find important compliance advice for event planners using EventBookings.
We’ll also address some of the most frequently asked GDPR questions by event planners.
What Is GDPR and How Does It Apply to Events?
The most extensive privacy and security legislation in the world is the General Data Protection Regulation, or GDPR. The European Union (EU) introduced it on May 25, 2018, to strengthen individuals’ rights and control over their data while bringing uniformity to data protection. Although the EU drafted and passed it, organisations worldwide are still required to abide by it if they target or gather data about EU citizens. Organisations that breach the GDPR, including its requirements for events, face heavy fines that can reach tens of millions of euros.
Any event that collects personal data about EU or EEA individuals is subject to the GDPR, whether it is a hybrid event, virtual event, or physical event. This includes gatherings hosted by businesses based outside the EU if they are intended for European citizens. Attendees expect transparency when their data is being collected or shared, and they are more conscious than ever of their privacy rights.
How Event Organisers Collect and Use Attendee Data
Today’s event planners rely heavily on data to provide seamless, customised, and captivating experiences. However, the GDPR’s consent requirements apply whenever you gather information about attendees, whether for registration, correspondence, or feedback.
- Event registration forms: These forms frequently act as the organisers’ and attendees’ initial point of contact. Here, personal information is gathered, including names, email addresses, and payment details. According to GDPR, you must obtain express consent before processing this data and clearly explain how it will be used, including for future promotions, ticketing, and event updates.
- Email marketing campaigns: It’s standard procedure to send promotional emails or event updates. However, before adding people to mailing lists, organisers must get their opt-in consent under GDPR. Attendees must consciously choose to receive communications; there are no pre-checked boxes or automatic subscriptions.
- Event check-ins & apps: Mobile event apps and digital check-ins make it simple to share schedules, monitor attendance, and increase participation. However, these tools regularly gather activity logs, device identifiers, and location data. The information being tracked, its purpose, and its safe storage must all be disclosed by the organisers.
- Surveys & feedback forms: Surveys conducted after an event offer important information about the success of the event and the satisfaction of attendees. Nonetheless, identifiable information can be gathered from surveys that appear to be anonymous. Provide participants with the choice to stay anonymous if at all possible, and ensure they understand how their answers will be used and stored.
The Golden Rules of GDPR Compliance for Events
Thankfully, adhering to GDPR for event organisers does not imply sacrificing innovation. You can provide individualised, data-driven experiences in a safe and lawful manner with the correct procedures and partners.
Gain Explicit Consent
When sending marketing messages, use unchecked opt-in boxes. Prior to tracking site behaviour, get cookie consent. Additionally, allow guests to change their preferences at any time.
Data Transparency and Access
Make sure your website and registration forms have clear privacy policies. Clearly state what information you are gathering and why. Any third-party data sharing should be disclosed. Furthermore, give users authority over their data. Allow them to change their preferences and refuse cookies, event tracking, or follow-up messages about events.
Store Data Securely
Make use of platforms that provide secure access controls and data encryption. Understand how data flows between your tools and integrations. Establish internal data retention and deletion guidelines. Provide data security training to employees and vendors.
Limit Data Collection
Only collect the data you need to deliver the experience. Do not request sensitive information unless it is absolutely required. Put access controls in place to protect private data. Audit your fields and forms on a regular basis.
Work With GDPR-Compliant Vendors
Verify that the technology partners you work with provide documentation and tools for compliance. Sign data processing agreements (DPAs) with all outside vendors as well.
GDPR Compliance Checklist for Event Organisers
- Obtain explicit consent before collecting personal data. Make sure you have the attendees’ explicit and informed consent before collecting any of their information. Under GDPR, consent must be freely given, specific, and unambiguous.
- Use secure event registration platforms like EventBookings. Selecting a reliable ticketing system that treats event registration and GDPR compliance as a priority protects sensitive data. Platforms such as EventBookings protect attendee data with secure payment gateways and encryption.
- Update your privacy policy and clearly communicate it. What information you gather, why you gather it, and how you store or distribute it should all be covered in your event privacy policy. To ensure that attendees are aware of their rights, make it available during registration and in all correspondence.
- Provide an easy opt-out or unsubscribe option. There should be an easy way for participants to revoke their consent in every marketing email or update. This enhances transparency and trust while also meeting GDPR consent requirements for events.
- Review contracts with third-party vendors. Make sure the data handling procedures of any outside partners you collaborate with, like marketing firms or app developers, adhere to GDPR event management guidelines. Incorporate provisions pertaining to data protection into your contracts.
- Train your event staff on GDPR basics. Your team should understand how to handle personal data responsibly. Frequent training sessions give event professionals the skills they need to recognise possible risks and stay in compliance.
- Delete data after the event if no longer needed. Don’t keep personal information forever. Once the event is over and the data is no longer needed, securely destroy it or anonymise it in line with your retention guidelines.
Real-World GDPR Mistakes Event Planners Should Avoid
1. Using pre-ticked consent boxes or vague opt-ins.
According to the GDPR, pre-checked boxes do not constitute legitimate forms of consent. Under the GDPR, consent must be freely provided and expressed as a clear affirmative action that expresses the user’s explicit, informed, and unambiguous agreement to the processing of their personal data.
2. Storing attendee data in unsecured spreadsheets.
One of the biggest data risks is storing private information in local files or unprotected spreadsheets. Instead, keep attendee information in encrypted databases or safe GDPR event management systems.
3. Adding contacts to mailing lists without consent.
An individual does not necessarily consent to receive marketing emails just because they registered for an event. Before adding contacts to promotional lists, always obtain separate, GDPR-compliant consent, and make unsubscribing simple.
4. Failing to notify attendees about data usage.
A key component of GDPR is transparency. Always provide an explanation of the purpose of data collection, its intended use, and the recipients of the data. Regularly update your event privacy policy and make sure to include a clear link to it in all correspondence and registration materials.
5. Bonus tip: “Don’t panic: use GDPR as a trust-building opportunity.”
Consider GDPR an opportunity to improve attendee relationships rather than a burden. Participants are more likely to trust your brand and come back to future events when they see that you respect their privacy and handle data responsibly.
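As an added illustration (not part of the original article and not EventBookings’ code), the Python sketch below models the consent rules from the golden rules, the checklist and the mistakes above: each purpose is a separate opt-in with no pre-ticked default, an opt-out is recorded with an audit trail, and records are anonymised once the retention period after the event has passed. The purpose names, the form field names and the 180-day default retention are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Each purpose is a separate, unbundled opt-in; none is tied to the ticket terms.
PURPOSES = ("event_updates", "marketing_emails", "sponsor_sharing")

def day(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass
class Registration:
    email: "str | None"
    name: "str | None"
    consents: dict = field(default_factory=dict)    # purpose -> bool
    consent_log: list = field(default_factory=list) # (purpose, action, when)

def build_registration(form: dict, now: datetime) -> Registration:
    """Parsed form, checkbox values already booleans; missing/False = not ticked."""
    reg = Registration(form["email"], form["name"])
    for purpose in PURPOSES:
        ticked = form.get(f"consent_{purpose}") is True  # no pre-checked defaults
        reg.consents[purpose] = ticked
        if ticked:
            reg.consent_log.append((purpose, "given", now))
    return reg

def allowed(reg: Registration, purpose: str) -> bool:
    # Check before every send or share; unknown purposes are never allowed.
    return reg.consents.get(purpose, False)

def withdraw(reg: Registration, purpose: str, now: datetime) -> None:
    """Honour an unsubscribe link: flip the flag and keep an audit trail."""
    if reg.consents.get(purpose):
        reg.consents[purpose] = False
        reg.consent_log.append((purpose, "withdrawn", now))

def erase(reg: Registration, now: datetime) -> None:
    """Erasure request or end of retention: drop identifying fields, keep the log."""
    reg.email, reg.name = None, None
    reg.consents = {p: False for p in PURPOSES}
    reg.consent_log.append(("all", "erased", now))

def sweep_expired(regs: list, event_ended: datetime, now: datetime,
                  retention: timedelta = timedelta(days=180)) -> int:
    """Anonymise every still-identifiable record once retention has run out."""
    if now < event_ended + retention:
        return 0
    expired = [r for r in regs if r.email is not None]
    for reg in expired:
        erase(reg, now)
    return len(expired)
```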
The Benefits of GDPR Compliance for Events
GDPR isn’t really a hurdle. In fact, it’s your ticket to long-term success, and these benefits explain why:
Builds attendee trust and brand credibility.
An organisation that complies with GDPR demonstrates a responsible and accountable approach to personal data. It tells data subjects what information is stored and how it is used. Furthermore, there is a legal foundation for data processing under GDPR. All of these help to enhance consumer trust, gain a positive reputation and guarantee the legitimate use of personal data.
Enhanced protection of data
As required by the GDPR, organisations must implement suitable cybersecurity measures. This involves putting multi-factor authentication, access controls, encryption, and other data protection measures into practice. Responsible management of the customer data you hold is therefore a requirement of GDPR compliance.
Reduces the risk of fines and legal issues.
Businesses that comply with GDPR are directly shielded from steep fines, which can reach 20 million euros or 4% of annual turnover. Implementing GDPR requires an initial investment, but it protects companies from unforeseen litigation expenses, business interruptions, and hefty fines.
Encourages gaining a competitive advantage
According to a Cisco study, 94% of customers prefer businesses that put data privacy first. Therefore, making GDPR compliance a top priority gives you a competitive edge in the market and shows your dedication to privacy. Your privacy-focused strategy can also be an excellent marketing tool that appeals to businesses and consumers who value privacy.
How EventBookings Helps You Stay GDPR-Compliant
Overview of EventBookings’ secure platform features:
a) Encrypted attendee data: EventBookings uses secure methods to protect personal information during registration and storage.
b) Transparent data storage policies: The platform makes it clear where and how attendee data is held and processed.
c) Built-in consent collection options: It enables organisers to include GDPR-compliant consent checkboxes and forms during event registration.
d) Customisable privacy notices: You can add or tailor privacy policy text and notices within the platform to match your event’s needs.
FAQs: Your GDPR questions answered
Can I still personalise the attendee experience under GDPR?
Yes! Privacy and personalisation can coexist as long as you have informed consent and are open and honest about how personalisation operates.
How long should I keep attendee data?
Only as long as is required. Establish a retention period (such as six or twelve months) and, when data is no longer needed, delete or anonymise it.
Do I need a separate privacy notice for each event?
Not always, but event-specific data practices should be explicitly covered by your general privacy policy. For complicated or well-known events, a specific event privacy notice could increase trust and clarity.
Can I share attendee details with sponsors?
Only if the participant has given their express consent. Also, avoid combining consent with other terms and make this opt-in explicit during registration (for example, “I agree to share my details with selected sponsors”).
Do I need a data processing agreement (DPA) with my vendors?
Yes. A DPA describes how your vendors manage the personal information you entrust to them. You must have these agreements with all third-party processors in accordance with GDPR.
Do I need a Data Protection Officer (DPO)?
Not necessarily. A DPO is only required if your company routinely handles substantial amounts of sensitive data or keeps extensive records of people. Nonetheless, it is best practice to designate a data privacy lead.
What if an attendee asks me to delete their data?
People are entitled to erasure under GDPR. You have to verify their identity, remove their personal information where the request is valid, act promptly and confirm to them that it has been done.
What do I have to do if there is a data breach?
If there is a breach of personal data, the controller must notify the supervisory authority responsible under Article 55 as soon as possible and, where feasible, no later than 72 hours after learning of the breach.
Make GDPR part of your event strategy.
Not only is GDPR compliance required by law, but it also serves as a basis for establishing credibility and trust with your guests. You can create safer, more transparent experiences by incorporating data protection into every step of your event planning process. Make compliance a long-term competitive advantage by incorporating GDPR into your strategy.