GDPR compliance for events: protecting your guests' data

Data & Security

Event organizers must protect guest data, but it’s not just an ethical duty. It’s the law.

Ever since the European Union enacted the General Data Protection Regulation (GDPR), event planners around the world have one more task on their to-do list: comply with GDPR data privacy regulations.

GDPR exists to protect the consumer. That means the burden to comply is on businesses and organizations, including event planning teams that manage sensitive guest data like contact details and payment information. Failure to comply can result in hefty fines or even the shutdown of your organization.

So, what does GDPR compliance for events look like when done right?

Here’s everything you need to know about the GDPR’s data privacy requirements so you can successfully protect your attendees — and business — when organizing events in Europe and beyond.

European Parliament, Strasbourg, France.

What is the General Data Protection Regulation (GDPR), and why must event planners comply?

The General Data Protection Regulation is a data protection law designed to safeguard the data privacy of citizens in the European Union (EU).

In effect since May 2018, GDPR requires businesses and organizations to be transparent about how and why they’re collecting data, as well as ensuring the data they collect is secure. They must also allow individuals to access, update, and delete their own data.

GDPR directly impacts event planners and internal teams who obtain, process, and store guest data. Guest data includes:

  • Names
  • Phone numbers
  • Email addresses
  • Mailing addresses
  • Social media handles
  • Payment methods
  • Headshots
  • Information regarding health and disabilities

You must comply with GDPR every time you collect data from a person in the EU, Switzerland, Norway, Iceland, Liechtenstein, or the United Kingdom. Event planners who don’t comply can face harsh monetary consequences through fines, fees, and penalties.


The 4 GDPR requirements every event planner should know

Event planners must meet GDPR compliance requirements in four distinct areas:

  • Data protection
  • Accountability
  • Integrity and confidentiality
  • Data storage and accuracy


Here’s what each requirement demands of your team.

Data protection

All personal information and attendee data must be processed fairly. You must inform attendees how and why you’re processing their data, and they must give consent, including consent to receive communications for marketing purposes.

EU citizens must opt in and agree to communications with you. You must also make sure that guests who were in your database before GDPR went into effect have since given consent if they hadn’t before.

Data protection should be by design and by default. To ensure both, establish operational processes that include safeguards to protect data and process it with privacy protections in mind.

Accountability

You must disclose a privacy policy and have security measures in place to protect all data that you collect. It’s also your responsibility to keep records that can show regulators you remain in GDPR compliance.

Any third-party vendors you work with, from ticketing platforms to catering apps, must also be GDPR compliant. The responsibility to verify that falls on your organization. This means having a Data Processing Agreement (DPA) with every vendor that handles attendee information on your behalf.

Always document your processing activities. Under Art. 30 of the GDPR, organizations must maintain records of all processing activities. Keep a log of what data you collect at each event, why you’re collecting the data, who has access to it, and how long you keep it.

Integrity and confidentiality

Data must be encrypted, or anonymized by replacing personally identifiable information with artificial identifiers that can’t be traced back to specific people.

Only team members who need guest data should have access to it. That means not everyone on your team should have access to registration details or payment info. Upon request, guests must be able to access, alter, and/or delete their personal information.

Under Art. 33, if guest data is ever compromised, your organization has a strict 72-hour deadline to report the breach to your country’s data protection authority (find yours via the European Data Protection Board). It is strongly recommended that before your team organizes any events, you establish an incident response plan for data compromises.

Data storage and accuracy

Under GDPR, all data collection must be necessary: you cannot collect data unless your business has a legitimate reason to do so. Collecting guest data “just in case” is not a sufficient reason. If you can achieve your business goals with less data, GDPR expects you to do that.

There are more than a dozen actions a business or organization might take that require GDPR compliance. For event planners collecting data from event attendees, those actions could include:

  • Collecting email addresses for marketing campaigns
  • Running targeted advertising
  • Selling goods or services (including event tickets)
  • Storing personal data in a CRM
  • Using cloud storage to store personal data
  • Data sharing with external agencies


Who is responsible for GDPR compliance at your event?

Under GDPR, every organization that touches guest data belongs to one of two categories: data controllers (those who decide why and how guest data is processed) and data processors (those who process guest data on a controller’s behalf).

Your compliance obligations depend on which one you are. In many cases, event planning organizations count as both. Below, we explore both roles and how you can designate a member of your team to manage it all.

Who qualifies as a data controller, and what are their responsibilities?

The GDPR defines a data controller as any person or organization that decides why and how personal data is collected and processed.

For event organizers, this typically means your organization, its internal planning teams, and anyone else responsible for determining what guest data to collect, why it’s being collected, and how it will be used.

It is the responsibility of data controllers to decide the lawful basis for collecting data, obtain consent where required, and guarantee that only necessary personal data is requested.

Who qualifies as a data processor, and what are their responsibilities?

The GDPR defines a data processor as any third party that handles personal data on behalf of a data controller.

In the event planning world, that includes platforms and vendors like CRM systems, email marketing tools, and event management software like zkipster that process guest personal data at your direction.

As a data processor, zkipster takes specific measures to maintain GDPR compliance:

  • All staff who are authorized to handle sensitive data are bound by confidentiality commitments.
  • In the unlikely event of a security breach, reporting obligations are met within GDPR timeframes.
  • Requests to access, correct, or delete personal data are handled promptly.


zkipster only acts on instructions from the data controller, which means your organization retains full control over how guest data is used at all times. Furthermore, users can permanently delete guest data from zkipster at any time. This supports your own obligations around storage limitation and the right to erasure under GDPR.

When choosing event management software, look for one that is built for GDPR compliance, even if you’re located in a non-EU location like the United States. GDPR applies to people in the EU, not events in the EU. For example, if you’re inviting anyone from the EU to an event in the US, you’ll need to comply with EU GDPR. If you’re inviting UK residents, the UK’s own version — UK GDPR — applies, but its legal requirements are practically identical.

Designating a DPO and other tips for hosting GDPR-compliant events

Event planners can take several additional steps to improve their data practices. One is to appoint a data protection officer (DPO) to oversee GDPR compliance.

A DPO’s role is to take the lead on confirming your organization has obtained consent from all parties for all types of communications, including marketing emails and post-event follow-up surveys.

A DPO can also ensure that:

  • Consent is reflected in your CRM, event management platform, and marketing platform.
  • All event registration forms and communications state clear consent requirements.
  • All vendors, venues, and partners have security measures in place to remain GDPR compliant.


Navigating AI and data privacy

The AI tools you use also matter, and using AI to work with personal data requires its own compliance strategy. The ICO’s guidance on AI and data protection makes clear that AI systems can exacerbate existing security risks and make them harder to manage, and that the data minimization principle is even more challenging to uphold in AI contexts.

For event planners, this creates additional obligations:

  • You may only process the personal data you actually need for the AI system - it must be “adequate, relevant, and limited” to the purpose at hand.
  • If you procure the AI system from a third party, your contract with that party must include relevant due diligence and data security obligations.
  • You must be aware that personal data used in AI systems can sometimes be inadvertently revealed through the system’s own outputs - a risk that makes it a sensible precaution to anonymize guest data before it enters any AI tool.


Paid-for enterprise models typically offer stronger data privacy controls, but you must verify that your data is not being used to train the model. Adopting AI applications may also require you to reassess your existing governance and risk management practices, as AI can exacerbate existing risks or introduce new ones. Any sensitive personal data should be completely anonymized before it’s processed by an AI tool.

Top event planners around the globe rely on zkipster to send event communications, collect online RSVPs and consent forms, and turn guest data into actionable insights, all while remaining GDPR compliant. Our platform is built with privacy, data protection, and security in mind, with the option to include an unsubscribe button in every zkipster email communication, so that registrants can opt out of future communications.


How GDPR compliance can help your events in more ways than one

Prioritizing event data security and complying with GDPR keeps you in good standing with the law. But there are other benefits, too.

Once you’ve obtained the necessary consents and waivers that GDPR requires, you can master guest relationships and nurture your event contacts with zkipster Audience. It keeps your data practices compliant with GDPR’s data minimization and integrity requirements by allowing you to store all guest data in one secure, central location. You can adjust access and permissions at any time to ensure only authorized team members can view sensitive guest information.

Compiling accurate attendee data is essential for event planners who want to better understand guests and foster long-lasting relationships, and building an accurate, GDPR-compliant database of guest information will help build trust with your event attendees. This can boost RSVP responses and other critical engagement metrics like open rates and conversion rates, improving your event ROI.

It also helps your marketing efforts. GDPR compliance includes giving guests access to their personal information upon request. When guests review and update their own data, such as communication preferences or dietary requirements, it’s easier to maintain an accurate, up-to-date database. As a result, you can send better-targeted event invitations and expect higher open rates.

Learn more about how zkipster Audience can provide your team with centralized insights about guests.


What happens if an event organizer doesn’t comply?

Event planning organizations can’t afford to ignore GDPR requirements. From losing trust with guests to enduring regulatory investigations, you face many risks if you fail to comply.

Risks of GDPR non-compliance include:

  • Losing trust: A data breach can seriously damage your business by causing guests, clients, sponsors, and other stakeholders to lose trust in your services.
  • Fines and penalties: GDPR is law. If you don’t comply, you can face significant fines and penalties.
  • Operational disruptions: In addition to fines, penalties for failure to comply can include a temporary ban on data processing, which can be detrimental to your business operations.
  • Legal issues: Non-compliance may result in lawsuits that cause you to incur expensive legal-defense fees or harm to your business’s reputation.
  • Regulatory investigations and audits: GDPR audits and investigations are time consuming and disruptive. They can also be expensive to prepare for and defend.

Complying with GDPR is easier when you have the right tools and processes. Start by auditing your data practices, then establish DPAs with your vendors and add consent language to your registration forms.

Finally, designate a DPO to oversee your organization’s regulatory compliance processes. Assigning a dedicated team member will prevent things from falling through the cracks.

FAQs: GDPR compliance for events

Do all event organizers need to comply with GDPR?

No, not all event organizers are necessarily subject to GDPR, which is only a protection for citizens of the EU, UK, Switzerland, Norway, Iceland, and Liechtenstein. However, professionals hosting events outside the EU must still comply if they’re inviting and collecting data from citizens of GDPR countries.

In practice, the safest approach is to treat all guest data as if it’s subject to GDPR, regardless of where attendees are from. This prevents you from accidentally failing to comply while helping your organization meet a higher standard of data stewardship, something guests increasingly expect.

Does GDPR apply to events outside the EU?

Yes, GDPR applies to events outside the EU. The regulation protects both residents and citizens of the EU, UK, Switzerland, Norway, Iceland, and Liechtenstein regardless of where an event takes place. That means if you are collecting personal data from them at an event in the US, Asia, or anywhere else in the world, you must comply.

This includes events held in the United States with EU-based guests and attendees. Event professionals in the US should note that while the US does not have a federal law equivalent to GDPR, the states of California, Colorado, and Virginia have their own consumer privacy laws in place.

What counts as personal data?

Personal data includes any information that can identify an individual, such as their name, email address, phone number, mailing address, and payment details. It also includes social media handles, headshots, and any information disclosed about a person’s health or accessibility needs.

How does GDPR affect event marketers?

GDPR requires explicit opt-in consent before sending any marketing communication to EU contacts. This includes promotional emails, post-event surveys, and follow-up campaigns. You must also honor opt-out requests promptly and keep consent records up to date in your CRM and marketing platforms.

What are the penalties for not complying with GDPR?

There are two tiers of non-compliance fines under GDPR. “Less severe” fines are up to €10 million or 2% of annual global turnover. “More severe” fines are up to €20 million or 4% of annual global turnover.

Is zkipster GDPR compliant?

Yes, zkipster is a GDPR-compliant event management software platform. Data is hosted in Europe, and the platform features built-in tools for managing guest consent and data protection. zkipster is also ISO/IEC 27001:2022 certified, so clients can feel confident that the platform meets the highest standards of international information security management.

Staying GDPR compliant is straightforward when you have the right processes and event management software in place.

Supporting event planners in more than 100 countries, zkipster is built with regulatory compliance and data security in mind, so your team can focus on what it does best: planning memorable events and elevating the guest experience.
