The Spirit of GDPR

The GDPR guide to best practice event planning

GDPR giving you a headache? Well, grab a seat and take a break, because in true Cvent style, we’ve done all the legwork for you. With over 300,000 professionals using our platform to organise thousands of events each week, we’ve created a practical step-by-step guide to GDPR-compliance.


For us GDPR is all about trust and transparency – a chance to run the absolute best events we can run. Let’s go!

PRE-EVENT

1

Set your date and find a venue

It doesn’t matter where you or your venues are located – if any of your attendees or speakers are EU citizens or residents, their personal data is protected under GDPR at all times. (What’s personal data? See Step 2)

Trust-builder tip

Choose a venue that’s got GDPR-compliance sorted to keep your attendee information safe.

Planner best practice

If you use a good venue-sourcing tool you can customise your RFP template and add any criteria you like, including GDPR-compliance.

Did you know?

And Brexit makes no difference! The UK is leaving the EU in March 2019 but GDPR will continue to apply to UK citizens and residents. 

EU member states:

Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK

2

Commission your suppliers

When it comes to your attendees’ PII, you are Data Controller, wherever the PII is in your supply chain. That means you are liable for a data breach anywhere in your supply chain – even if it’s down to someone else’s error or oversight.

Planner best practice

If you are sharing attendee PII with any suppliers such as travel and transport providers, you need to check they are fully GDPR-compliant. 

Attendee will say

“I don’t need to worry about all the other companies involved in running this event, they know how to keep my information private.”

PII stands for Personally Identifiable Information and is the kind of data GDPR covers. It includes any information about an individual that can be used to distinguish or trace their identity, such as name, address, passport number, date and place of birth, mother’s maiden name, or biometric records including photos.

3

Agree deliverables with sponsors and exhibitors

GDPR disallows any capture, storage or processing of data without explicit consent. Many traditional in-event lead-capture activities such as business-cards-in-a-fishbowl don’t comply with GDPR’s requirements for consent or security.

Trust-builder tip

Manage sponsors’ lead-gen expectations and explain the need for a) explicit, informed and freely given consent along with any delegate data capture and b) data storage and transport that meet GDPR’s security standards.

Planner best practice

If you want to share attendee data with sponsors, you will need to capture consent from attendees for their data to be shared this way. 

Attendee will say

“It’ll be great to hear from sponsors I'm interested in, rather than get lots of unwanted emails after the event.”

If you need to capture delegate leads for further marketing purposes, even to market your next event, you’ll need to gain consent. 

4

Create your agenda & call for speakers

Under GDPR, speaker contact details and bios are considered as Personally Identifiable Information. So if your speakers are EU citizens or residents, you’ll no longer be able to store and share their information on spreadsheets without encryption or password protection. 

Planner best practice

Using a call-for-papers tool like Cvent’s Abstract Management gives you and your experts a secure hub for collecting and storing bios, headshots and presentations. Professional speaker management builds event quality and reputation, as well as helping you securely maintain your experts’ contact details. 

Attendee will say

“This event company always gets a great speaker line-up with relevant well-prepared content. And no annoying last-minute substitutions!”

5

Create a website & registration forms

You’ll need a legal basis for every point of data you’re asking for at registration. You'll need to:

  • Explain why you’re asking 
  • Say how you or your sponsors will use the information
  • Gain explicit consent 
  • Provide a Privacy Statement 
  • Remind people of their right to access, move or remove their data

Trust-builder tip

Use an end-to-end event management platform to get a fully traceable consent history for individuals. Cvent makes it easy to customize registration forms and add consent fields.

Planner best practice

It’s a good idea to capture consent at this stage for things like badge scanning and transferring attendee data into any in-event app you’ll be using. Cvent’s CrowdCompass app can be automatically populated with attendees’ information so all they need to do is download it and log in.

Attendee will say

“I know exactly what I’m signing up for and I know I can change my mind at any time.”

You’ll need to collect essential contact data that helps you register each attendee but unless you have a good reason for collecting additional data, don’t do it. GDPR doesn’t allow the collection and storage of data without any legal basis, so only ask for the information you actually need. 

Cookies count as PII under GDPR, so if you use cookies on your event website you need to include a message, explain what they are used for, and ask for consent to add them. 

6

Email marketing & event emails

If you’re renting or buying prospect lists, you’ll be legally obliged to ensure they include explicit, informed and freely given consent. Make sure you do a thorough audit on any list providers for GDPR compliance.


For operational emails such as registration confirmation, joining instructions, thank you or regret, you don’t need separate consent as these emails are required to execute the event and manage their attendance – this gives you a legal basis for sending them.

Planner best practice

You won’t be able to send or receive lists in spreadsheet form without encryption. Using an automated platform like Cvent makes it easier to be GDPR-compliant. Our system integrates seamlessly with 125 separate sales and CRM platforms including Marketo and Salesforce, making it safe to move data around and easy to track consent between your systems.

Attendee will say

“I clearly remember giving my consent to this event company so they can get in touch with relevant content about future events.”

7

Offer travel & housing to attendees

Arranging accommodation involves the collection of sensitive information such as payment, passport, and medical details. Under GDPR, emailing spreadsheets containing this info without encryption or password protection will be illegal. Breaches involving sensitive PII are likely to incur more serious fines.

Trust-builder tip

Use a centralised room block and reservation management system. Cvent Passkey simplifies travel and housing, and keeps attendee data fully protected and GDPR-compliant.

Attendee will say

“I’m happy to hand over my passport, dietary info and travel arrangements to this event organisation.”

Look for event management platforms that include a centralised room block and reservation management tool that hotels can log into directly, avoiding the need to send attendee PII via spreadsheets.

IN-EVENT

8

Register walk-ins

Capturing registration information on paper sign-in sheets is not secure and could leave you exposed to a data breach. 

Trust-builder tip

Choose an on-site registration solution that allows you to add consent questions and syncs data automatically with an event management platform to achieve GDPR-compliance. 

Planner best practice

Cvent’s in-event solution OnArrival runs on iPads to allow self-registration. It’s also possible to add consent-capture questions to this process. 

Attendee will say

“Registration was private, easy and professional – and payment was secure.”

There are many on-site tools that allow guests to self-register, pay fees and check in themselves as well as their guests. To help with GDPR, choose one that allows you to add consent questions and syncs data automatically with an event management platform.

9

Print badges

The practice of leaving name badges out for collection constitutes a data breach under GDPR rules (if they include job title or company name). Equally, paper sign-in sheets fail to meet GDPR’s strict privacy requirements.

Trust-builder tip

Get delegates to print badges before arrival or consider tablet-based check-in tools that delegates can use to print their own badges on demand. 

Attendee will say

“I printed my own badge when I arrived, that seems more secure than leaving them all out on the table.”

10

Engage attendees with a mobile app

You will need to capture consent for attendee information to be shared with other attendees in the app. Make sure you either get consent at registration, or set the attendee profile to private and require them to make it public themselves through an explicit action.

Trust-builder tip

Make sure your app encourages and allows delegates to set their privacy and contact preferences upon download. 

Trust-builder tip

Include consent options for all the ways in which you’ll be using the app to measure engagement.

Attendee will say

“I like being able to decide which updates I get via the app – just enough to keep me informed.”

Mobile event apps are great for offering relevant, engaging and personalised event experiences. Downloading registration lists and uploading them into apps increases your risk of a breach. For GDPR compliance, choose an app that has seamless data flow with the rest of your event management platform.

11

Track session attendance

If you track people by scanning their badge or using remote tracking such as RFID, you will need to tell them and ask for consent to do this during registration or when they arrive on-site. 

Planner best practice

Most event attendees will be happy to be scanned, but make sure they know they can say no if they don’t want to.

Planner best practice

If your attendees say they don’t want to be scanned or tracked, you can make their tracking code anonymous, so you still track where they went but can’t identify who it was. They keep their privacy and you get the metrics you need.

Attendee will say

“I like that they give me the choice of being tracked or not, shows they really care about my privacy.”

12

Scan leads at exhibition

If your exhibitors scan badges of people they meet at your event – and you will share the data of those attendees with them – you need to make the attendees aware of this in advance. They can then choose if they want to be scanned or not and give consent. Make sure your exhibitors are briefed on this process, so they understand why some attendees may choose not to be scanned.

Planner best practice

Most people attending an exhibition want to share their information with the exhibitors they speak to. Making it clear to them that they have a choice in doing so shows that you’re taking care of their privacy.

Attendee will say

“I like being able to decide if I want to share my information with an exhibitor or not, this event makes me feel comfortable saying no.”

Don’t forget, if you have event sponsors who want to get attendee information as part of their sponsorship package, you will have to get consent from attendees for their data to be shared this way.

POST-EVENT

13

Collate event feedback, analytics and ROI

If you’re using post-event feedback for research or other purposes, you need consent from your respondents.

Planner best practice

For most event analysis and reporting you can use anonymised/pseudonymised data so no PII is involved.

Planner best practice

If you’re using an event management platform see if they have options for executive dashboards or automated reports that use anonymised data. 

Attendee will say

“My data isn’t being used for lots of things that don’t benefit me.”

Precise measurement and a deep understanding of key metrics and trends will allow you to make informed decisions about how to improve your events. But you’ll need consent to capture, store and export any event feedback linked to individuals.

14

Respond to an access request

Under GDPR, individuals have the right to request access to all the personal data you hold on them and you have to provide it within one month.
 

Consider all the places and systems in which you hold data about your event attendees. You will need to ensure you can get hold of this quickly and compile it into a file to send to them in time.

Planner best practice

If you use an integrated event management platform, you can simply ask your solution provider to give you a single file with all the information you have on any attendee. If you use several different systems across your event this will be trickier to compile and may take longer.

15

Respond to a request to erase

Under GDPR, individuals have the right to ask you to delete all the information you hold on them. You have to do this and confirm that you have done it within a month of the request. Not all information has to be deleted though. You can hold onto some financial or transactional details for legal reasons. Make sure you can delete the personal information but still keep the record that someone attended, to keep your event metrics correct.

Planner best practice

When data is spread over many different systems it’s hard for planners to respond to these attendee requests. Integrated end-to-end event management platforms like Cvent make GDPR compliance much easier. Planners using Cvent can simply ask us for a single file with all the information they have on any attendee. 

Planner best practice

Use event management systems that allow you to remove an attendee’s personal details but not lose the count on your reports.

Did you know that removing a contact record from your event could mess up your metrics and reporting? Make sure you can delete the personal information but still keep the record that someone attended, to keep your event metrics correct.

So that’s it, you’ve completed another great event, and you’ve made every effort to be GDPR compliant!

These tips aren’t an exhaustive list of things you need to consider but these are the key areas. Talk to colleagues and suppliers about other GDPR measures you can take.


And if keeping in line with GDPR seems like hard work, remember you’re a planner, you can handle it! Especially when you know it’s all about building attendee trust, running quality campaigns and best practice event planning.
