GDPR giving you a headache? Well grab a seat and take a break, because in true Cvent style, we’ve done all the legwork for you. With over 300,000 professionals using our platform to organise thousands of events each week, we’ve created a practical step-by-step guide to GDPR-compliance.
For us GDPR is all about trust and transparency – a chance to run the absolute best events we can run. Let’s go!
Are any of your attendees or speakers likely to be EU citizens or residents?
It doesn’t matter where you or your venues are located – if any of your attendees or speakers are EU citizens or residents, their personal data is protected under GDPR at all times. (What’s personal data? See Step 2)
Trust-builder tip
Choose a venue that’s got GDPR-compliance sorted to keep your attendee information safe.
Planner best practice
If you use a good venue-sourcing tool you can customise your RFP template and add any criteria you like, including GDPR-compliance.
Did you know?
And Brexit makes no difference! The UK is leaving the EU in March 2019 but GDPR will continue to apply to UK citizens and residents.
Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK
Will you be sharing personal data (GDPR calls it PII) with any third-party suppliers to help you run your event?
When it comes to your attendees’ PII, you are the Data Controller, wherever the PII is in your supply chain. That means you are liable for a data breach anywhere in your supply chain – even if it’s down to someone else’s error or oversight.
Planner best practice
If you are sharing attendee PII with any suppliers such as travel and transport providers, you need to check they are fully GDPR-compliant.
Attendee will say
“I don’t need to worry about all the other companies involved in running this event, they know how to keep my information private.”
PII stands for Personally Identifiable Information and is the kind of data GDPR covers. It includes any information about an individual that can be used to distinguish or trace their identity, such as name, address, passport number, date and place of birth, mother’s maiden name, or biometric records including photos.
Do you have exhibitors or sponsors for your event?
GDPR disallows any capture, storage or processing of data without explicit consent. Many traditional in-event lead-capture activities such as business-cards-in-a-fishbowl don’t comply with GDPR’s requirements for consent or security.
Trust-builder tip
Manage sponsors’ lead-gen expectations and explain the need for a) explicit, informed and freely given consent along with any delegate data capture and b) data storage and transport that meet GDPR’s security standards.
Planner best practice
If you want to share attendee data with sponsors, you will need to capture consent from attendees for their data to be shared this way.
Attendee will say
“It’ll be great to hear from sponsors I'm interested in, rather than get lots of unwanted emails after the event.”
If you need to capture delegate leads for further marketing purposes, even to market your next event, you’ll need to gain consent.
Are you inviting speakers to contribute content to your events?
Under GDPR, speaker contact details and bios are considered as Personally Identifiable Information. So if your speakers are EU citizens or residents, you’ll no longer be able to store and share their information on spreadsheets without encryption or password protection.
Planner best practice
Using a call-for-papers tool like Cvent’s Abstract Management gives you and your experts a secure hub for collecting and storing bios, headshots and presentations. Professional speaker management builds event quality and reputation, as well as helping you securely maintain your experts’ contact details.
Attendee will say
“This event company always gets a great speaker line-up with relevant well-prepared content. And no annoying last-minute substitutions!”
Do you know what data you want to collect at registration?
You’ll need a legal basis for every point of data you’re asking for at registration. You'll need to:
Trust-builder tip
Use an end-to-end event management platform to get a fully traceable consent history for individuals. Cvent makes it easy to customize registration forms and add consent fields.
Planner best practice
It’s a good idea to capture consent at this stage for things like badge scanning and transferring attendee data into any in-event app you’ll be using. Cvent’s CrowdCompass app can be automatically populated with attendees’ information so all they need to do is download it and log in.
Attendee will say
“I know exactly what I’m signing up for and I know I can change my mind at any time.”
You’ll need to collect essential contact data that helps you register each attendee but unless you have a good reason for collecting additional data, don’t do it. GDPR doesn’t allow the collection and storage of data without any legal basis, so only ask for the information you actually need.
Cookies count as PII under GDPR, so if you use cookies on your event website you need to include a message, explain what they are used for, and ask for consent to add them.
Are you inviting attendees by email?
If you’re renting or buying prospect lists, you’ll be legally obliged to ensure they include explicit, informed and freely given consent. Make sure you do a thorough audit on any list providers for GDPR compliance.
For operational emails such as registration confirmation, joining instructions, thank you or regret, you don’t need separate consent as these emails are required to execute the event and manage their attendance – this gives you a legal basis for sending them.
Planner best practice
You won’t be able to send or receive lists in spreadsheet form without encryption. Using an automated platform like Cvent makes it easier to be GDPR-compliant. Our system integrates seamlessly with 125 separate sales and CRM platforms including Marketo and Salesforce, making it safe to move data around and easy to track consent between your systems.
Attendee will say
“I clearly remember giving my consent to this event company so they can get in touch with relevant content about future events.”
Will you be arranging travel and accommodation for attendees or speakers?
Arranging accommodation involves the collection of sensitive information such as payment, passport, and medical details. Under GDPR, emailing spreadsheets containing this info without encryption or password protection will be illegal. Breaches involving sensitive PII are likely to incur more serious fines.
Trust-builder tip
Use a centralised room block and reservation management system. Cvent Passkey simplifies travel and housing, and keeps attendee data fully protected and GDPR-compliant.
Attendee will say
“I’m happy to hand over my passport, dietary info and travel arrangements to this event organisation.”
Look for event management platforms that include a centralised room block and reservation management tool that hotels can log into directly, avoiding the need to send attendee PII via spreadsheets.
Will you be taking walk-ins at the event?
Capturing registration information on paper sign-in sheets is not secure and could leave you exposed to a data breach.
Trust-builder tip
Choose an on-site registration solution that allows you to add consent questions and syncs data automatically with an event management platform to achieve GDPR-compliance.
Planner best practice
Cvent’s in-event solution OnArrival runs on iPads to allow self-registration. It’s also possible to add consent-capture questions to this process.
Attendee will say
“Registration was private, easy and professional – and payment was secure.”
There are many on-site tools that allow guests to self-register, pay fees and check in themselves as well as their guests. To help with GDPR, choose one that allows you to add consent questions and syncs data automatically with an event management platform.
Will you be using name badges at the event?
The practice of leaving name badges out for collection constitutes a data breach under GDPR rules (if they include job title or company name). Equally, paper sign-in sheets fail to meet GDPR’s strict privacy requirements.
Trust-builder tip
Get delegates to print badges before arrival or consider tablet-based check-in tools that delegates can use to print their own badges on demand.
Attendee will say
“I printed my own badge when I arrived, that seems more secure than leaving them all out on the table.”
Will you be communicating with your delegates at your event via an event app?
You will need to capture consent for attendee information to be shared with other attendees in the app. Make sure you either get consent at registration, or set the attendee profile to private and require them to make it public themselves through an explicit action.
Trust-builder tip
Make sure your app encourages and allows delegates to set their privacy and contact preferences upon download.
Trust-builder tip
Include consent options for all the ways in which you’ll be using the app to measure engagement.
Attendee will say
“I like being able to decide which updates I get via the app – just enough to keep me informed.”
Mobile event apps are great for offering relevant, engaging and personalised event experiences. Downloading registration lists and uploading them into apps increases your risk of a breach. For GDPR compliance, choose an app that has seamless data flow with the rest of your event management platform.
Will you be tracking entry to your sessions or other parts of your event?
If you track people by scanning their badge or using remote tracking such as RFID, you will need to tell them and ask for consent to do this during registration or when they arrive on-site.
Planner best practice
Most event attendees will be happy to be scanned, but make sure they know they can say no if they don’t want to.
Planner best practice
If your attendees say they don’t want to be scanned or tracked, you can make their tracking code anonymous, so you still track where they went but can’t identify who it was. They keep their privacy and you get the metrics you need.
Attendee will say
“I like that they give me the choice of being tracked or not, shows they really care about my privacy.”
Do you have exhibitors at your event who want to track leads from the people they speak with?
If your exhibitors scan badges of people they meet at your event – and you will share the data of those attendees with them – you need to make the attendees aware of this in advance. They can then choose if they want to be scanned or not and give consent. Make sure your exhibitors are briefed on this process, so they understand why some attendees may choose not to be scanned.
Planner best practice
Most people attending an exhibition want to share their information with the exhibitors they speak to. Making it clear to them that they have a choice in doing so shows that you’re taking care of their privacy.
Attendee will say
“I like being able to decide if I want to share my information with an exhibitor or not, this event makes me feel comfortable saying no.”
Don’t forget, if you have event sponsors who want to get attendee information as part of their sponsorship package, you will have to get consent from attendees for their data to be shared this way.
Will you be analysing event data after your event?
If you’re using post-event feedback for research or other purposes, you need consent from your respondents.
Planner best practice
For most event analysis and reporting you can use anonymised/pseudonymised data so no PII is involved.
Planner best practice
If you’re using an event management platform see if they have options for executive dashboards or automated reports that use anonymised data.
Attendee will say
“My data isn’t being used for lots of things that don’t benefit me.”
Precise measurement and a deep understanding of key metrics and trends will allow you to make informed decisions about how to improve your events. But you’ll need consent to capture, store and export any event feedback linked to individuals.
One of your attendees asks to see all the information you hold on them. Do you know how to fulfill this request?
Under GDPR, individuals have the right to request access to all the personal data you hold on them and you have to provide it within one month.
Consider all the places and systems in which you hold data about your event attendees. You will need to ensure you can get hold of this quickly and compile it into a file to send to them in time.
Planner best practice
If you use an integrated event management platform, you can simply ask your solution provider to give you a single file with all the information you have on any attendee. If you use several different systems across your event this will be trickier to compile and may take longer.
One of your attendees asks you to delete all the information you hold on them. Do you know what to do?
Under GDPR, individuals have the right to ask you to delete all the information you hold on them. You have to do this and confirm that you have done it within a month of the request. Not all information has to be deleted though. You can hold onto some financial or transactional details for legal reasons. Make sure you can delete the personal information but still keep the record that someone attended, to keep your event metrics correct.
Planner best practice
When data is spread over many different systems it’s hard for planners to respond to these attendee requests. Integrated end-to-end event management platforms like Cvent make GDPR compliance much easier. Planners using Cvent can simply ask us for a single file with all the information they have on any attendee.
Planner best practice
Use event management systems that allow you to remove an attendee’s personal details but not lose the count on your reports.
Did you know that removing a contact record from your event could mess up your metrics and reporting? Make sure you can delete the personal information but still keep the record that someone attended, to keep your event metrics correct.
These tips aren’t an exhaustive list of things you need to consider but these are the key areas. Talk to colleagues and suppliers about other GDPR measures you can take.
And if keeping in line with GDPR seems like hard work, remember you’re a planner, you can handle it! Especially when you know it’s all about building attendee trust, running quality campaigns and best practice event planning.