Event Planners – Look After Your Attendee Data or Face the Music

As an event planner, you will know how important the new EU General Data Protection Regulation (GDPR) has been in raising the issue of data security. In fact, a 2018 industry study found that more than 75% of event planners believe that the safekeeping of their attendee data will be a much bigger priority for them because of GDPR. But why should event professionals start taking responsibility for data security and what do they need to do to minimise the risk of a breach?

What Event Planners Need to Know About GDPR and Data Security

Remember that GDPR is all about protecting the rights of individuals over organisations. It is an important piece of legislation that ensures that organisations dealing with personal information (and the events industry is no exception here!) are doing so in a transparent and secure way – and always in the individual’s best interests.

We’re already starting to see how GDPR is changing the way companies market themselves. After Facebook’s recent data breach scandal with Cambridge Analytica, the social networking giant has run an extensive advertising campaign promoting its security credentials.  We’ve also seen others like Barclays and the NHS using radio ads and billboards to assure customers that the safety of their personal information is a priority for them as an organisation.  This is only the beginning.


For meetings and events, there are three important reasons why data security is now more important under GDPR:

  • GDPR makes ‘Privacy by Design’ a legal requirement, which means privacy concerns and the security of attendee data should be a consideration from the outset of all your event planning activities – and not just an afterthought.
  • GDPR requires you to take responsibility for how your third-party data processors (hotels, venues, agencies and event tech suppliers) are looking after your attendee data.
  • GDPR makes it compulsory to notify authorities within 72 hours of discovering a security breach – it is therefore important for event teams to understand what constitutes a breach and what they should do if data is compromised.

eBook: The Event Planner’s Guide to Data Security in a Post-GDPR World

You may think that the whole issue of data security is something that needs to be dealt with by your IT, legal and operations team. But the reality is that there are many day-to-day things that you may be doing as an event planner that could easily put your organisation at serious risk of a breach: sharing system passwords, emailing delegate lists, not briefing freelancers properly, losing devices and using open Wi-Fi networks. These are just some examples but there are many more.

A new eBook from Eventsforce titled, ‘The Event Planner’s Guide to Data Security in a Post-GDPR World’ investigates some of these common data security vulnerability areas for meetings and events and offers readers some practical advice on what they can do to look after their attendee data. It also provides some useful information on how to identify a data breach and what steps to take if attendee data does end up getting lost, stolen or compromised.

Event planners can also use the two checklists included within the eBook, one for event team leaders and the other for individual team members, to ensure everyone follows the same processes when it comes to data protection and the safety of attendee data.

The eBook follows the publication of the ‘Event Planner’s Guide to GDPR Compliance’ which looked at the impact of the new legislation on things like event marketing, data management and event technology – along with some practical steps on how planners can prepare for the new GDPR requirements.


If there is one thing that GDPR has achieved it is that the ownership and responsibility for data protection and security now rests on everyone.

The volume of personal information we collect in our industry is staggering. And doing things that minimise the chances of this data getting into the wrong hands will give your attendees confidence that you are on the case and looking after them properly.

Doing this all the time will boost your reputation, generate more confidence and ultimately bring you more business.  After all, why would people want to work with organisations who are doing as little as possible to safeguard their personal information?

It will, however, require a shift in thinking. Some of the ways in which event planners operated in the past will need to be changed. But those who embrace this change will be the ones who stand out. By making data security a priority around their events, they will be able to show attendees that their organisation can be trusted with their most valuable asset – their personal information.

You can download the ‘Event Planner’s Guide to Data Security in a Post-GDPR World’ here.

Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help with data security and support the event planner’s journey to GDPR readiness. Get in touch by contacting one of our team members at gdpr@eventsforce.com.





New Airbnb Tool for Event Planners and 5 Other Tech Stories to Read

In this month’s round-up of top event tech news, we look at Airbnb’s new accommodation tool for event planners, as well as the UK launch of the world’s first real-time venue booking portal. With GDPR in place, we also bring you some expert advice on understanding the kind of new obligations the legislation will create for the events industry – especially when it comes to vetting technology suppliers. Finally, we look at the latest engagement tools from Facebook and Instagram – as well as a new form of audio tone technology that provides a much simpler (and cheaper) alternative to on-site notifications compared to traditional tools like NFC, Bluetooth and iBeacons.

Have a look at the top event tech stories you don’t want to miss:

MeetingsNet: Airbnb Launches Interactive Tool for Event Planners

Airbnb, the online marketplace for short-term lodgings, recently announced a new tool for event planners to offer attendees accommodation in homes brokered by Airbnb. The new offering, called Airbnb for Events, is an interactive map of lodgings available near the site of an event that planners can use to either book directly or embed on registration sites.

It makes sense for Airbnb to be courting event planners and attendees this way – however, it isn’t clear yet whether the new tool will help or hinder conference accommodation plans.  In cities with tight accommodation markets, it could certainly help boost attendance.  If Airbnb is willing to share reservation data with planners, it could also help determine how many attendees are opting out of the room block and why. On the other hand, Airbnb accommodations don’t typically come with guarantees of standards.  So, if it’s something you’re considering for one of your events, the article suggests consulting a legal authority first to check whether or not your organisation would be legally liable if an attendee made a booking through your event registration site but consequently had a bad experience. Read more.

BizBash: How Audio Tones are Changing Event Communications

In the past few years, new technology solutions such as NFC, iBeacons and Bluetooth have become a lot more common in the events industry – offering a variety of ways to send notifications and offers directly into the hands of attendees. Now another option is gaining traction – Lisnr’s ‘Smart Tones’. The technology, which transmits information between devices using sound as a conduit, has been successfully used at some major events over the past year, including Budweiser’s Made in America festival, the Grammy Awards, and Cleveland Cavaliers home games.

Lisnr’s Smart Tones can be added to existing media – for example music playing during an opening ceremony – or transmitted on their own. The technology doesn’t require any hardware such as transmitters, wristbands, or scanners as the tones can be played over the speakers used at the event. It also means organisers can push content to attendees without having their Bluetooth or location services on – they won’t even need an Internet connection or a mobile service, which is great because we all know how connectivity is a big problem in large audience environments like trade shows and live events. Some of the content examples mentioned in the article include notifications about exhibitor discounts or restrooms with shorter lines, or an exclusive download from an artist or speaker. Read more.

EIN: World’s First Real-Time Event Venue Booking Portal Arrives in UK

iVvy, the world’s first real-time booking engine for the events industry, will be launching in the UK this month. The platform allows venues to publish live availability and pricing for their meetings and event spaces, while giving them the tools to market and manage their own function spaces. For event planners, it is a venue-finding portal that makes it easier for them to search, book and pay for their event space online instantaneously. It offers them a direct connection to venues showing real-time pricing and live availability for function spaces, catering and group accommodation. Read more.

Successful Meetings: 6 Things Meeting Professionals Need to know About GDPR

The General Data Protection Regulation (GDPR) came into effect on May 25th and is set to impact all events that collect data on EU citizens and residents. This article looks at six key takeaways that will help event planners understand the kind of obligations the new legislation will create – especially when it comes to vetting event technology suppliers. As well as getting their own event operations compliant with the new GDPR requirements, event planners also now have the responsibility of ensuring that all the tech vendors that process data on their behalf (e.g. registration systems, event apps, surveys, networking tools) are also fulfilling their own legal obligations.

The article explains how event planners need to find out from their suppliers where their event data is being hosted and how that data is being transferred in a way that is compliant with the new regulations. They need to find out how the data is being used, who has access to it and where they’re based. For example, if their customer support team is based outside the EU (even if data is hosted within the EU), then they’ll still need to ensure that they’re complying with GDPR standards. Also, in the case of registration systems, event planners need to find out how their provider allows them to obtain and store consent in registration forms, as well as how the system can help them delete any personal data. Having the answers to these questions will protect event organisers from any unpleasant surprises in the future. Read more.

Are your events GDPR compliant? Read the EventTech Talk GDPR Special for expert advice and articles on the new legislation and its impact on event marketing, data management and event technology.

Content Marketing Institute: 7 Instagram Story Ideas to Get More Followers

This is an interesting one if your events have a big Instagram following.  In fact, Instagram Stories are on many brands’ radars today and for good reason too – it seems over 300 million people use it every day with one-third of the most viewed Stories coming from businesses.  So, if you thought that the social network was something that wouldn’t be so relevant for B2B events – it may be time for a change.

The article highlights some fresh new ideas on how you can use Instagram Stories for your marketing activities and help your events stand out. One example is a Stories takeover – where an influencer of choice takes over the event or brand account for, say, a day to produce exclusive content. Another idea is the use of polls, which can be used for audience research and creating better content that resonates with your followers. You can also use mini videos, questionnaire and quiz templates, all of which can really help you stand out from the crowd and engage better with attendees. It is a great platform for giving your followers some cool freebies too. Read more.

TechCrunch: Facebook’s Oculus Venues Brings Virtual Reality to Live Events

Although this may only apply to those running big live events – it does give us a good picture of where virtual reality is going to take us in our industry over the coming few years. This month, Facebook’s Oculus VR division has launched the Oculus Venues social VR app that allows thousands of people to watch live events together in VR. The goal of the app is to make VR more of a social experience, introduce communications and interaction between viewers and essentially, give people an event experience ‘from the best seat in the house’.

The new app was recently demonstrated to a group of journalists, who watched a VR screening of a basketball game. Participants had to create Oculus avatars first and were then transported directly into a dedicated VR seating section of a sports arena, with a direct view of the action. Once the game had begun, viewers could watch the game surrounded by roughly 30-40 avatars and talk to them via voice chat. As in real life, participants could overhear the conversations of people sitting next to them, but unlike a live event they could switch seats to somewhere else in the venue and adjust the audio of the game. Read more.


Top 5 Benefits of GDPR for Meetings and Events

With GDPR now in place, event planners have a fantastic opportunity to step back and think about the longer-term possibilities within their reach. EventTech Talk spoke to Arvi Virdee, a GDPR consultant and co-founder of Fileom, to find out more about the benefits of the new legislation and what it really means for the world of meetings and events.

1. Competitive Advantage

This is a sum-of-all-its-parts benefit that relies on data protection being absorbed into your organisation’s DNA. In the wake of the recent Facebook and Cambridge Analytica revelations, we know that privacy is a good thing! Robust data protection procedures and compliance policies will push for greater consumer confidence, which in turn will deliver all sorts of commercial advantages.

The GDPR also challenges organisations to design new, coherent and transparent methods for gathering the personal data of people coming to their events. Those that do will enjoy a competitive differentiation and reap the rewards of cleaner data, stronger engagement and a more valuable relationship with their customers. Expect to see better quality from exhibitors in future, for example, rather than just an opportunity to grab a name card or scan a delegate.

Get the EventTech Talk GDPR Special – expert advice and articles on GDPR and its impact on event marketing, data management and event technology.

2. Attendee Trust

Without trust, the competitive advantage will be non-existent. For event organisations that prepare and adapt effectively, good governance and compliance can be turned into repeat business by transparently showing attendees they can trust you. This new level of transparency, where personal data is protected and people feel more in control over how their information is used, should lead to them trusting brands more and having the confidence they need to share more information.

3. Improved Data Security

The GDPR makes “data protection by design” a legal requirement and ensures security becomes a real priority for event planners. Measures such as encryption, remote wipe and a nightly clear desk policy should all be adopted, along with many others. The renewed focus on security will reduce the risks of fines for non-compliance, brand and reputational damage and attendee churn. “Don’t just shut the door. Lock it. Then check the locks. And be mindful about who you allow to have a key,” recommended Information Commissioner Elizabeth Denham in a recent speech. And definitely no more sharing of passwords to access the delegate list for your next event!

4. Effective Marketing

For event marketers, a big part of GDPR compliance involves cleansing and fine-tuning databases. However, this process should not be feared as it offers opportunities to unlock and future-proof data-driven marketing strategies: the delivery of more appropriate, personalised and timely communications to engage attendees which will result in better outcomes. There’s also the chance to design “consent experiences” that entice users to share granular preferences that firms might not normally get. This means no more sharing of a delegate list with a partner or sponsor, unless the delegate has given clear and demonstrable consent.


5. A ‘Leaner Organisation’

Preparing for the “new normal” of enhanced data protection yields many positive by-products. Stronger collaboration across business units, better decision making, purer data-driven insights, increased alignment with technology, reduced costs and enhanced business relationships to name but a few.


GDPR is here to stay – embrace it as an opportunity to make a positive change. By focusing on the rights of individuals over organisations, the new regulation will help events become a lot more responsible in the way they manage the personal information of people coming to their events. Those that can show they’re dealing with personal information in a transparent and secure way and have respect for the privacy of individuals will succeed in building new levels of trust.  And this will be key in deciding which organisations people choose to deal with in the future.

Is your event technology GDPR compliant? Need help tracking and managing consent on event websites and registration forms?  Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help support the event planner’s journey to GDPR compliance.

For more info, please click here or get in touch: gdpr@eventsforce.com


How Data Integration Can Help Your Events with GDPR Compliance

Integration between your event registration system and other business solutions like your CRM can bring real value to your events. It can help you save time and boost your team’s productivity.  It can improve the way you share critical event information with key people across your organisation. It can also help with GDPR compliance by reducing the risks of a data breach and giving you the control you need to manage things like attendee consent, data deletion and Subject Access Requests (SARs).

Webinar: The Importance of Data Integration in a Post-GDPR World

What is Event Data Integration?

Event planners deal with so many different systems to capture and manage information around their events – from their event management and registration systems to marketing, sales, finance, membership and so on. Having an ecosystem where all these different solutions automatically talk to each other through the use of APIs (Application Programming Interfaces) is where data integration comes in.

If you haven’t dealt with APIs, then think of an API as a piece of software that functions as a door or window. It’s the mechanism that allows your event management system to share data with your event app. Or your registration system to share new attendee details with your CRM. Or your event payment transactions with your finance system and so on.

Over the past few years, we’ve seen event planners doing some great things by integrating their data with check-in systems, social media tools and event apps.  However, what we’re seeing more of now is that same concept of data sharing being applied with big back-end business systems. At Eventsforce, we’ve seen a 40% increase in the number of customers working on integration projects over the past year – and we expect this trend to grow significantly as event planners try to improve the way they manage their data in a post-GDPR world.

Why Is Data Integration Important for Event Planners?

The ability to automatically share information between an event management or registration solution like Eventsforce and other business systems like your CRM, marketing, membership and finance can bring you a host of benefits:

Time Savings: Reduce the endless hours you and your team spend manually replicating event data from one system to another.

Increased Productivity: Improve productivity by spending less time on admin tasks and focusing your team’s efforts on other aspects of the event.

Data Accuracy: Automatic updates between systems mean you’re always relying on the most up-to-date and accurate data – fewer errors and inconsistencies.

Better Insight: Key people across your organisation have insight to important event data at all times – which helps in making more informed decisions around your events.

Want to learn more about the benefits of data integration? Find out how you can save time, improve data sharing and reduce the risk of a data breach by downloading your copy of ‘The Event Planner’s Guide to Data Integration’ – includes case studies from Schroders, Haymarket, Royal Statistical Society and the Lib Dems.

How Can Data Integration Help with GDPR Compliance?

The EU’s new General Data Protection Regulation (GDPR) is coming into effect on May 25th 2018 and is set to radically change the way events collect, process and protect the personal information of people coming to their events. What this essentially means is that event planners need to be a lot more aware of what personal data they collect from attendees, where this data is stored, who has access to it, what the data is used for and, more importantly, how this data is kept safe. They need to have a lot more control over the way this information is shared and managed across their own organisation – and this is exactly where data integration can bring real value:

Better data management: Integration between your event management system and CRM, for example, ensures any personal information you collect from registration forms and make changes to is automatically updated in your CRM too (and vice versa).  It will give everyone who has access to both systems insight into what personal information you hold from people coming to events, what consent you have and how their data is being managed and by whom – all of which are critical to GDPR compliance.


Improved data security: It’s important to remember that one of the key things that could get organisations into a lot of trouble under GDPR is a data breach.  Integration between your event management solution and other business systems will greatly improve the security of your event data by eliminating security risks associated with email communications, sending unsecure spreadsheets, manual transfers and having printed documents lying around.


To illustrate this in more detail, let’s take a look at a couple of examples:

Example 1: Integration Between Event Management System and CRM

Most organisations have some type of CRM system like Salesforce that manages all their data on their customers and contacts. Integrating your event management system with your CRM ensures the quick, accurate and seamless flow of data between the two systems where updates in one system are automatically reflected in the other.

  • When an attendee makes a change to their profile in your registration system or decides to withdraw marketing consent, the change is automatically updated in your CRM. This ensures your marketing department doesn’t continue sending them emails just because you forgot to inform them of the change.
  • New registrations can automatically be created as leads in your CRM if an attendee has given the right kind of consent – your marketing and sales team are always up to date on how this data can be used.
  • If an attendee asks you to delete all the personal information you hold on them, then any changes in the event system will also be reflected in the CRM (or vice-versa).
  • Data integration between the two systems also reduces the risk of a data breach by eliminating the need for exporting registration data to an Excel sheet and manually uploading attendee information into your CRM.

Example 2: Integration Between Event Management System and Membership

Most membership organisations, such as associations, use some form of membership system which helps them capture and manage all the data around their members. Integration between your event registration and membership systems means that any changes to records in one system are automatically updated in the other.

  • When a member makes a change to their profile in your registration system or withdraws consent in how you can use their information, the change is also automatically updated in your membership system (and vice versa).
  • Similarly, any renewals or new membership sign-ups are automatically recognised and updated in your registration system. If a non-member attendee becomes a member – then this could potentially change the legal basis for processing their personal information and the events marketing team need to be aware.
  • Membership teams can have real-time insight into the event attendance history of each member – also helps in managing Continual Professional Development (CPD) processes a lot more effectively.
  • If a member asks the membership team to delete their personal information or wants to know what information you hold on them, then all the relevant event-related information is already in your membership system. You also don’t need to export registration data to an Excel sheet and manually upload attendee information into your membership data – less chance of data getting into the wrong hands!

Top Considerations for Successful Event Data Integration

If you feel that dealing with APIs and integration models may be somewhat technically challenging – don’t be discouraged.  Yes, your IT guys may be the ones who have to implement the technical aspects of an integration project. However, data integration is a business issue, not a technical one – with business objectives and consequences (like GDPR compliance) that can directly impact your events.

Whatever data integration project you decide to go with, you need to make sure it works for you and your events. We would recommend you follow these guidelines that identify some of the most common challenges of data integration and outline the key steps event planners specifically need to take to make sure their integration projects are a success. They include things like getting all your stakeholders involved, thinking carefully about how you’d like to share event data between different systems, setting time and budgets, testing and so on. Thinking about all these points will ensure that the whole process will be smoother and a lot more flexible for any changes you want to make in the future.


If you’re not sure where to start, then talk to your event tech provider. Ask them how they can support you on an integration project and how it can help in meeting GDPR requirements.  While many of them provide APIs for their software, many like Eventsforce also have established partnerships and API integration capabilities with tried and tested software solutions. This is helpful as you’ll be able to get things up and running without investing the time and money into any coding work that allows data to be shared between two systems. And if these API relationships don’t exist, it’s not a big deal. Just make sure they understand what it is you want to achieve and that they’re able to support you with the necessary recommendations and workflows that will make your integration projects a success.

Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help support the event planner’s journey to GDPR compliance – from audit trails and consent management to anonymisation of personal information and data security.


For more information about Eventsforce and its data integration services, please click here.




Event Marketing Under GDPR: Consent Vs. Legitimate Interests

With just under a month to go until the May 25th deadline, it seems that one of the biggest issues event marketers are currently facing around GDPR is figuring out which legal basis to use when contacting people on mailing lists. ‘Consent’ is the obvious choice but ‘Legitimate Interests’ (LI) can also be considered as a viable legal basis – especially in the context of B2B event marketing.

However, before making that all important decision, event planners need to understand what LI actually means under GDPR, how they can decide whether or not they can use it as a legal basis and what added risks they need to take into consideration to avoid unpleasant surprises in the future.

What Event Marketers Need to Know About Consent

One of the major changes for event planners with regards to GDPR compliance is the new conditions of consent. For one, pre-ticked boxes are no longer indications of valid consent. You also need to make it easier for people to exercise their right to withdraw that consent. The need for clear and plain language is also a key requirement so that individuals can understand exactly how their data is going to be used. They should also be given the choice to consent separately for different types of processing whenever possible.

But consent under GDPR can also be quite confusing in the context of marketing. Firstly, it is only one of six equally-valid legal bases which can be used for the purpose of processing personal data.  Secondly, if you decide, for example, to use consent as a legal basis for sending prospects marketing communications around your events, it will be difficult to swap to a different one after.  The ICO’s advice here states that even if a different basis could have been applied from the start, retrospectively switching lawful basis is likely to be unfair to the individual and lead to breaches of GDPR’s accountability and transparency requirements.

Are you ready for GDPR? Get your eBook: ‘The Event Planner’s Guide to GDPR Compliance’, and learn what impact Europe’s new data protection regulation will have on event marketing, data management and event technology – as well as what steps to take to get ready for the May 2018 deadline.

There is also the issue of the Privacy and Electronic Communications Regulations (PECR), how it works alongside GDPR and the differences in requirements between B2C and B2B event marketing. This is a big subject on its own, but according to this article on the Direct Marketing Association, there are some key things you need to know:

  • GDPR is primarily concerned with how personal data is captured, processed and managed. Direct marketing activities through phone, email and SMS are actually covered by a separate piece of legislation – the PECR – which is currently law and will remain in place once GDPR takes effect in May 2018.
  • PECR requires you to have GDPR-compliant consent for any B2C marketing activities (e.g. music festivals), as well as B2B marketing that targets sole traders and some partnerships.
  • Under PECR, however, B2B marketing to staff members of limited companies, public limited companies, incorporated partnerships, trusts and foundations, local authority and government institutions can use ‘Legitimate Interests’ as a legal basis for processing personal data.
  • PECR will be replaced in the future by the ePrivacy Regulation, which, as it’s currently worded, would require B2B marketing to use ‘consent’ as a legal ground for electronic channels, just like B2C at the moment (though much lobbying is being done to prevent this from happening).
  • Until the ePrivacy Regulation is agreed, PECR will remain in place – it is unlikely any decision will be made on the final requirements until late 2018 or early 2019.

You can get more detailed guidance from the ICO on the rules around B2B marketing, the GDPR and PECR here.

What Event Marketers Need to Know About Legitimate Interests

The ICO states that ‘consent’ is appropriate if you can offer people real choice over how to use their data and want to build their trust and engagement.  However, if you can’t offer a genuine choice, consent may sometimes not be appropriate.  The authority also states that the processing of personal data for the purpose of direct marketing may be regarded as carried out for a legitimate interest:

“As long as the marketing is carried out in compliance with e-privacy laws and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest. However, this does not automatically mean that all processing for marketing purposes is lawful on this basis.  You still need to show that your processing passes the necessity and balancing tests.”

So, let’s explore what this actually means and how it can be applied.

What is Legitimate Interest (LI) Under GDPR?

LI is different to the other lawful bases as it is not centred around a particular purpose (e.g. performing a contract with the individual) and it is not processing that the individual has specifically agreed to (consent). Legitimate Interests is more flexible and could in principle apply to any type of processing for any reasonable purpose.

When it comes to direct marketing, LI is not something new as many organisations will have used it as a legal means to process people’s information under the regulations of the Data Protection Act 1998. However, there are two key differences between the DPA and the GDPR that event marketers need to be aware of when considering LI as a legal basis for their direct marketing activities:

More Information on How Data is Used: This is a key requirement – the attendee you’re collecting personal information on must understand what data you hold and what you’re planning to do with it.  They need to understand why you process it and what your ‘legitimate interest’ is for doing so.  This needs to be outlined in your privacy policy, which should be written in clear and concise language.

Clear Opt-Outs: This was a requirement under the DPA – however you now need to make sure your opt-outs are clear and prominently displayed, away from other types of information.

Important Considerations About LI

One of the most important things to know before deciding on whether or not to use LI is that it is a subjective legal option – and it comes with added responsibilities. Event marketers must weigh up their right as a business to market to someone against that person’s right to privacy. The ICO will ask themselves ‘what is in the reasonable expectations of the consumer’ and so, as an event planner, you must ask yourself the same question.

Would attendees from your last annual summit expect you to use their information to send them email communications about the next one?  If yes, then they are more likely to anticipate that their personal information will be processed.  While if it is entirely unexpected, then it may not be justified because the impact on the individual is greater.

You can get a list of questions the ICO recommends you ask when figuring out whether people on your lists will reasonably expect you to use their data for marketing purposes here.

Did you know that a data breach is essentially what can get your events into a lot of trouble under GDPR? Find out what you should do to prevent your attendee data from getting lost, stolen or compromised by getting your copy of ‘The Event Planner’s Guide to Data Security in a Post-GDPR World‘.

The other thing with LI is that you must be confident that you can rely on it – and show your reasoning behind it.  So, inviting a delegate who attended your last event may be a reasonable example of using Legitimate Interests as a legal basis. But if you are targeting random marketing lists with people who haven’t engaged with your organisation for a while (e.g. they don’t open your emails, or they attended one of your events years ago), then LI is not going to be as reliable, as it will be more difficult to prove.

So before making that important decision on whether or not you can use LI, you MUST cleanse your data so you can figure out exactly what personal information you hold on people, when they last engaged with your event or organisation, what is the nature of their relationship with your organisation, what kind of consent they gave you in the past and so on.

The GDPR includes many built-in checks and balances you need to be aware of, so that if you are relying on Legitimate Interests, you properly consider what your legitimate interests are and how you might be impacting each individual concerned.  These ‘Legitimate Interests Assessments’ will also require documentation to prove that you’ve done them, otherwise you risk GDPR non-compliance and fines. There is no standard form for this, but you can download a sample template from the ICO website here.

You need to be able to prove that you carried out this ‘balancing’ test every time your use of personal data changes (inviting them to events vs. general marketing emails). This is really important, because without consistent documentation proving that your organisation has been consistently carrying out these balancing tests, you can’t rely on Legitimate Interests.


Using Legitimate Interests as a way of contacting people is fine as long as your reasons are truly legitimate – otherwise you are likely to have many discussions with the ICO arguing your case. We would advise that if you’re not really sure about using LI as an argument, then don’t do it.  It is the most flexible but also the weakest of the legal reasons for processing.  Either way, whether you decide to rely on consent or LI for your event marketing communications, you need to do similar things to make sure you are GDPR compliant:

  • Be clear with people why you need their data at the point of collection – so update your privacy notices and consent boxes on event websites, registration forms etc.
  • Use clear and concise language – make sure you identify your organisation and any other third parties who will be processing their personal information
  • Give individuals control over their data – they should be able to decide whether they want to share their personal data with you or not. Make it easy for them to opt-out every time you communicate with them.
  • Be in a position where you can demonstrate you are compliant. This includes recording the legal grounds for processing an individual’s personal data.

Recommended Next Steps:

  • If you haven’t already, audit your marketing mailing lists. Figure out what you hold and what you use it for.
  • If you can’t rely on GDPR compliant consent, decide if the way you use personal data would be reasonably expected by people on your lists to assess if you can use LI.
  • Update your privacy notices in line with the ICO’s guidelines and the points we made above. Include details of what your purpose for processing personal data is, that you are relying on LI and summarise what the relevant legitimate interests are.
  • Get in touch with people on your database before the May 25th deadline, informing them of your updated privacy policy with clear information on how you’re going to be using their data. Give them the opportunity to opt-out. And most importantly, keep a record of what you send and when.

Need help tracking and managing consent on event websites and registration forms?  Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help support the event planner’s journey to GDPR compliance.

For more info, please click here or get in touch: gdpr@eventsforce.com

Top 10 GDPR Red Flags for Meetings and Events

GDPR is a big issue for event planners right now as many come to grips with the changes the regulation will bring to the way they collect, store and manage the personal information of people coming to their events. The understanding of all the requirements is also no mean feat. In fact, a recent survey on ‘GDPR readiness’ across meetings and events found that nearly 50% of event planners are unsure if the steps they’re taking are sufficient in meeting GDPR requirements – despite 60% holding responsibility for compliance.


Responsibility for GDPR compliance is something that goes through the entire event supply chain – from the organisation that is hosting the event and their event management team, all the way through to the third-party vendors that process data on their behalf.  So even though your IT and legal team may be the ones dealing with implementation and processes, there are many important aspects of the new data protection regulation that event planners need to be aware of so they don’t put their organisations at risk.

Based on conversations we’ve had with clients and other event professionals across a number of industries, we have identified below the most frequent red flags around GDPR.

In no particular order, here are our current top ten:

1) Legacy Lists

The question is: how good are your lists and will they stand up to being audited? Your mailing lists are a good example when it comes to legacy lists. For years you may have been e-mailing people without their full approval. Maybe you didn’t realise you were doing so. After all, you may have inherited a database that had been built over time. If, however, you are not confident that your list meets the GDPR test, then you would be better off deleting it.

One well known pub chain decided that they didn’t know their legacy lists well enough and decided to stop using them. That may sound extreme but for them it was the right decision. What is your decision?

Connected to legacy lists is the thorny issue of what legal basis you will use for processing personal data. Consent is one basis. If you meet the requirements of consent, that is great. Alternatively, you could decide to use Legitimate Interests as your legal basis, and if that is the case then you have to be sure that you meet the correct guidelines to comply or else you will be told to stop processing. Using Legitimate Interests as a way of contacting people is fine as long as your reasons are truly legitimate. If not, then you are likely to be having many discussions with the Supervisory Authority to argue your case. Our thoughts: if you are not really sure about using Legitimate Interests as an argument, don’t do it.  It is the weakest of the legal reasons for processing.

2) Consent

Consent is quite confusing to many people. Firstly, it is only one of the methods that can be used to process personal data. One of the other methods is through contract. For example, if an event planner contracts a speaker, they do not then need to use consent as a means of staying in touch with the speaker in the lead up to the event. It’s clear that the speaker and event planner are working together and that is covered under the contract. If, however, the event planner wanted to market their event to speakers and didn’t have their consent to do so, then that would be a different matter.

When you do need consent make sure that there is no ambiguity in your message. Remember you cannot use any pre-ticked boxes anywhere regardless of whether they are on paper or in a device.

Need help tracking and managing consent on event websites and registration forms?  Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help support the event planner’s journey to GDPR compliance – from audit trails and consent management to anonymisation of personal information and data security. For more info, please click here or get in touch: gdpr@eventsforce.com

3) Processors Vs. Controllers

Are you a data controller, a processor, or a mix of both? In the events space, it is easy for a number of organisations to be a mix and not even realise it. One example of being a mix of both applies to the Professional Conference Organiser (PCO).  How much does it really matter anyway? After all, the goal is to keep personal data secure. For clarification, however, it is important to understand which hat you are wearing, as that is especially important in the case of reporting data breaches.

In simple terms, if you are an event planner and you have a list of delegates that you are directly in contact with, then you are the controller. If for your event you provide that list to a registration company for name badges etc., then you have passed it to a processor. If you do everything in house then you are wearing both hats. The rule of thumb is always to spell out in a contract with a processor exactly what you need them to do. Then there is no ambiguity, plus you have an auditable record that you can show the Supervisory Authority.

4) Business Size

This is again a red flag for us because there are some businesses that believe GDPR doesn’t apply to them because of their size. That argument is incorrect. Even if you are a business owner-operator, you will still need to have your own Data Protection policies and processes in place. Coaches, speakers and sole traders of all types are currently writing and updating their policies to ensure compliance.

Connected to this is a tangential flag which is about supplying services or products on a B2B or B2C basis. Again, it doesn’t matter. Both are affected.

5) Data Breach Deadlines

Data breaches have to be reported within 72 hours of discovering the incident. This might sound like a long time but it is pretty short. If you are a processor you need to notify the data controller. And of course, the Supervisory Authority needs to be notified.  Think of what you can be doing to secure personal data to prevent a breach. In the world of busy event professionals using multiple devices on the road, the potential for a breach becomes heightened.

Read: Look after your attendee data or face the music!

6) Subject Access Requests (SARs)

The rights of individuals, as mentioned earlier, are at the very heart of GDPR. Individuals are entitled to find out what information is held on them. It’s the same position today so that doesn’t change. What does change in the UK is that the deadline for providing the information is 30 days and not 40 days. And you can no longer charge for the information. Of course, the 30-day deadline starts once you have verified that the person asking for the information is actually who they say they are. Therefore, you need proof of identity processes in place to deal with SARs.

Read: Will GDPR Change the rights of Your Attendees?

7) Focus on Fines

Many speakers, consultants and blogs start with talking about the level of fines and penalties if breaches occur. It’s good. It grabs attention quickly. It scares people. However, the scarier issue, which is often not mentioned, is that the Supervisory Authority has the power to tell your business to stop work. Think of that. Stop your business. It’s time to stop calculating whether your organisation will still be in business after a fine and start thinking about what you will do when people are told to stop working.

Get your copy of ‘The Event Planner’s Guide to GDPR Compliance’, and learn what impact Europe’s new data protection regulation will have on event marketing, data management and event technology – as well as what steps event planners need to take now to get ready for the May 2018 deadline.

8) Data Transfer Shortcuts

It is always busy working in the events space. There are many things to be done and time is always a challenge. That in itself can easily breed shortcuts to get the job done. Unsecured spreadsheets with personal information are whizzed away to all sorts of venues, hotels, speakers and others. That will have to change. Securing documents with passwords, using encryption and other methods to keep data secure will need to be used. Remember that the Supervisory Authority can come and audit your organisation, which means your processes for sharing data will have to be recorded.

9) Geographical Location

“We will not be affected by your GDPR” is a phrase that continues to resound in our ears from organisations that are based outside of the European Union. It is a fair comment to a degree; after all, it is a European regulation. But that is when you have to look deeper and realise that it applies for the benefit of European citizens and residents. To apply this to events, take the example of European delegates coming to your event in Australia or New Zealand.  You will then be bound by GDPR even though you are at least 10,000 miles away from the UK.

Our advice: it’s best to think of GDPR as borderless.

10) Inadequate Training of Staff

Accountability is a key principle of GDPR. Everyone in an organisation has responsibility for personal data. It is not down to HR. It’s not down to IT. It’s not down to the Board. It is down to everyone. What does this mean for you? Well it means that for any temporary staff or interns or volunteers that you use, they need to be made aware of your Data Protection practices and processes. Everyone is accountable. If you keep that as your mantra you will not go far wrong even in the very busy event periods.


The 10 flags above just touch the tip of the iceberg. They are provided to provoke thinking about what your organisation needs to do. In no way should this blog post be construed as legal advice.

You can expect the intensity on privacy rights to be top of mind for many people following the recent ‘Facebook’ news. One thing is certain, GDPR is only going to continue to evolve. It is best to make sure it’s included fully in all your event planning activities and if you do find that you need to make some changes to your organisational policies, then now is the time.

Good luck!


Is Facebook Data Breach a Wake-Up Call for Events Industry?

The Facebook data scandal that’s unravelled this week is an important reminder to everyone in the events industry as to why GDPR is happening. The incident has shaken up people’s trust in the way organisations manage their personal information and highlighted the need for tighter regulations around data protection.

Event planners should use this opportunity to learn from the mistakes made by both Facebook and Cambridge Analytica and think very carefully about how they’re going to look after the personal information of attendees in a post-GDPR world.

Download eBook: The Event Planner’s Guide to GDPR Compliance 

Why is Facebook in Trouble?

In 2014, Facebook invited users to find out their personality type via a quiz developed by a Cambridge University researcher. About 270,000 users’ data was collected, but the app also collected some public data from users’ friends. Facebook has since changed the amount of data developers can gather in this way, but a whistle-blower says the data of about 50 million people was harvested for political consultancy firm, Cambridge Analytica. He claims the firm used the data to psychologically profile people and influence voters on behalf of clients – including Donald Trump’s presidential campaign. Facebook says users’ data was obtained legitimately but Cambridge Analytica failed to delete it when told to do so. Meanwhile, Cambridge Analytica denies any wrongdoing – saying it did delete the data when told to by Facebook.

The repercussions of this incident so far?  Facebook has lost around $50 billion in its market value over two days and we’re now seeing the #DeleteFacebook campaign, which is rapidly sweeping across the Internet as people leave the site in protest against its use of data harvesting and manipulation. Advertisers are also now telling Facebook ‘enough is enough’, with news emerging on the BBC that the ISBA, a trade body which represents major UK advertisers, will meet Facebook this week, saying that if the company fails to provide assurances about the security of users’ data, advertisers may spend money elsewhere.

How is it Related to GDPR?

According to Reuters, privacy experts have said the data breach is a prime example of the kind of practices that GDPR is supposed to prevent or punish: “Had the Cambridge Analytica incident happened after GDPR becomes law on May 25, it would cost Facebook 4% of their global revenue,” said Austrian privacy campaigner and Facebook critic Max Schrems. Because a UK company was involved and because at least some of the people whose data was misused were almost certainly European, GDPR would have applied.

The maximum GDPR fine would come into play in an incident like this because of the number of users affected and what appears to have been inadequate monitoring of third-party data practices: “The fact of the matter is that Facebook lost control of the data and wasn’t adequately monitoring what third-parties were doing,” said Scott Vernick, partner and expert in privacy and data security at law firm, Fox Rothschild.

The article goes further to say that the firestorm has prompted a furious response from lawmakers on both sides of the Atlantic, raising the prospect of expanding GDPR’s approach to privacy protection regulations to other countries. Again, a warning for organisations of what may lie ahead once the new legislation comes into force.

Facebook founder, Mark Zuckerberg, has admitted that the social network ‘made mistakes’, apologising for the incident and admitting that a huge ‘breach of trust’ has occurred – but needless to say, damage is done.  People have lost confidence in Facebook and the way it manages their personal information.  And this is key when you look at why GDPR is happening in the first place.

GDPR is all about protecting the rights of individuals over organisations.  And it’s happening because current legislation no longer meets the privacy needs of the connected world we live in today. We’re giving away our personal information freely to organisations without much thought into how they’re using it and how they’re keeping it safe from both theft and manipulation.  And this is exactly what GDPR wants to address: that organisations dealing with personal data (the events industry is no exception here) are doing so in a transparent and secure way – and always in the individual’s best interests.

Ironically, Zuckerberg’s response to the incident reiterates the same thing: “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.”

The Importance of Data Security in Events

GDPR will certainly change attitudes to individual rights when it comes to data protection – especially in events. It will also change the mindset of event planners when it comes to deciding what data they should collect from attendees, how they use that data for things like marketing campaigns and personalisation, and what they need to do to keep that data safe.


In fact, the issue of data security in a post-GDPR world is hugely important for the events industry.  A survey by Eventsforce last month assessing the GDPR readiness of more than 120 event professionals found that 81% believe data security will be a bigger priority for their events after the May 2018 deadline. And yet surprisingly, only 30% have taken steps to update their data security practices or prepare for a data breach (both of which are key to compliance requirements).

Data security is also an important issue when assessing the GDPR readiness of technology providers that process personal data on behalf of events (e.g. registration systems, mobile apps, surveys, networking tools). The survey, however, found that only 41% of event planners were confident that their systems met the new requirements.

As an event professional, you may think that the whole issue of data security is something that needs to be dealt with by your IT, legal and operations teams – but the reality is that there are many things event planners do today that can put their organisations at a serious risk of a data breach and non-compliance with the new GDPR requirements:

  • Emailing unsecure spreadsheets that contain personal attendee data
  • Not paying attention to the data freelancers and temp staff have access to
  • Leaving printed registration lists unattended on-site
  • Not reporting theft or loss of laptops and devices that contain personal information
  • Not changing system passwords often enough/sharing passwords with others

It is therefore more important than ever for event planners to understand what they should and shouldn’t do when it comes to collecting, processing and securing the personal information of attendees under GDPR.

What Should Event Planners Do?

Most event planners will follow their organisation’s own set of data security and protection policies when it comes to storing and sharing event data – from communication procedures to firewalls, encryption and anti-virus software.  However, it is important to take some additional steps that will help your events meet GDPR requirements and minimise the chances of data getting into the wrong hands:

1) Keep Your Data Safe

GDPR makes ‘Privacy by Design’ a legal requirement, which put simply means that privacy concerns should be a consideration from the outset in any event planning campaign – and not simply an afterthought. Data protection and processing safeguards must become part of the DNA of all the systems and processes you have in place. This will be a major shift in thinking for event planners and something they need to think about now, not later.

You need to think about risk factors and see how you can minimise them. For example, find out who has access to your event data, whether they need to have that access and what happens to that access when the event is over? You should also assess the kind of personal information you’re collecting in registration forms, apps and surveys around your events.  Do you need to ask your attendees all the demographic information you currently do? If you’re never going to use their phone numbers, then don’t ask the question. If you only need to verify they’re over 18, don’t ask for birth dates or passport details.  Don’t forget, the more personal data you hold, the higher your chances of risk.

Read: Infographic – How to Keep Your Event Data Safe

2) Assess Security Practices of Suppliers

Just as Facebook should have taken more adequate measures in monitoring what third-parties were doing with users’ personal data, event planners should look into how their event data is being managed by all the third-party suppliers they deal with around their events (tech vendors, staffing agencies, hotels, venues, event management agencies etc). Why? Because if in the course of an investigation, the authorities find that these parties have not been compliant, then the host organisation may also be liable (even if they themselves were compliant).

Find out how suppliers like your registration software vendor are managing the data they’re processing on your behalf.  How are they using the personal information of people coming to your events, who has access to this data and where are they based?  How important is data security for them and do they follow best practices?  How long do they keep your data for and what procedures do they have in place to delete this data when you ask them to? What about their own suppliers and contractors who also have access to their data?  You need to ensure they can clearly explain what contractual and legal safeguards they have in place to look after your data at all times. Having the answers to these questions will protect you from any unpleasant surprises in the future.

Read: 5 questions to ask your event tech providers about GDPR compliance

3) Prepare for a Data Breach

Failing to report a data breach within 72 hours can result in crippling fines under GDPR – so ensuring that everyone on your events team has a good understanding of what constitutes a data breach (e.g. loss of an iPad containing registration lists) and how to follow best practices is key to compliance. You also need to think about what processes you need to put in place once a breach has been identified, including how to report it within the three-day timeframe.


GDPR clearly presents some new challenges for event planners, but it also brings some big opportunities. By focusing on the rights of individuals over organisations, the new regulation will help events become a lot more responsible in the way they manage the personal information of people coming to their events. Those that can show they’re dealing with personal information in a transparent and secure way and have respect for the privacy of individuals will succeed in building new levels of trust.  And given what we’ve seen this week, this will be key in deciding which organisations people choose to deal with in the future.

Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help with data security and support the event planner’s journey to GDPR readiness. Get in touch by contacting one of our team members at gdpr@eventsforce.com.