What data can your event collect post GDPR?

May, 17 2018

Subscribe and stay up to date

No spam, we promise! You will only 
receive essential emails.
Written By

The General Data Protection Regulation - GDPR to its friends - is a new law that redefines what data organisations are allowed to collect and why, how they’re supposed to store it, and - crucially - their relationship with the data subjects, i.e. the people whose data they’re holding.

GDPR grants EU citizens gain new rights around information, access, rectification, erasure, restricted processing, portability and automation of personal data usage - and the right to object to their personal data being used and held at all.

If you do business with people in the EU, host events in the EU, or want to invite EU citizens to your events elsewhere, you need to comply with GDPR - and the new Data Protection Bill for the UK explicitly brings GDPR into UK law, so compliance on the home front is changing to match.

What does GDPR mean for event organisers?

Well: data collection is essential to the very running of events.

Events and exhibitions don’t function unless lists of attendees can be compiled, contacted and confirmed. Networking depends on contact details changing hands. The smooth running of and the evaluative reporting on events collects yet more data about footfall, time spent, signups and sales. If any of that data can be used to identify individuals, it’s personal data - and falls under the remit of GDPR.

Even if you use a third party company to collect or process your data, you’re responsible for choosing a GDPR-compliant one.

What happens if I don’t catch up and comply with GDPR?

In the UK, data collection is the responsibility of the Information Commissioner’s Office (ICO), which can currently levy fines of up to £500,000 for breaches of data security. Under GDPR, the cap extends to a maximum of £17 million or 4% of global turnover - whichever is higher.

Elizabeth Denham - the Information Commissioner herself - says her office has ‘always preferred the carrot to the stick’ and that talk of maximum fines to make examples of offenders is ‘scaremongering’: after all she has never invoked a maximum fine under the current regulations, with £400,000 as the current record.

So… what am I actually allowed to do with data?

There are six legal bases for processing personal data under GDPR. They all have equal standing, but not all of them provide a basis for processing data to market at or to promote an event.


Consent means that the data subjects have specifically agreed to having their data processed for a specific purpose.

If someone’s agreed to you collecting their email address and contacting them for a follow-up meeting, you’re home and dry - but you don’t have their consent to contact them when you happen to have something else to sell them.


Contract applies if you need to process someone’s data in order to fulfil your contractual obligations.

If you’re offering someone a quote for goods or services, you’ll need pertinent information on which to base that quote.

Legal obligation

You can rely on this legal basis if you need to process the personal data to comply with common law or uphold statutory rights, and can refer to the specific law involved.

Vital interests

If you need to process personal data to protect someone’s life, the vital interest basis applies.

If someone passes out at your exhibition stand, you don’t need their consent to contact the emergency services and their emergency contact on their behalf!

Public tasks

If you need to process personal data in the exercise of official authority, or to perform a specific task in the public interest.

Legitimate interest

If data subjects could reasonably expect their data to be processed in a particular way, you have a legitimate interest in processing it.

Contacting previous attendees to invite them to a future event would be a legitimate interest in using their data.

OK, so… which one of these should I use?

B2C event marketing is heavily based on consent, thanks to earlier legislation called PECR, which sets out the rules for using personal data in direct marketing activities like telephone calls, emails or mailshots. PECR is separate from GDPR, but co-exists with it. PECR defines consent as ‘knowingly and freely given, clear, and specific’, and GDPR requires that consent be unambiguous.

This means options that say things like “untick this box if you don’t want us to not pass your data to our partners or third parties” will no longer be acceptable. Your vocab needs to be direct, clear and to the point - if you wouldn’t read it, your attendees won’t.

B2B event marketing is more likely to use legitimate interest. Legitimate interest is more subjective: it means there is a clear reason why you are contacting a given data subject, and that they can reasonably expect the communication. This means your business can contact people in their capacity as employees of another business to offer them goods or services relevant to their business, without needing their explicit consent to be contacted. (There is a catch, however: self-employed workers and sole traders are still considered individuals rather than businesses, which means contacting them is a B2C communication, and you need their consent.)

Promotion of B2B events - trade shows, for instance - falls under legitimate interest. So does issuing and scanning ID badges at exhibitions. You need to know who’s been to your stand and what they think of it, and when an attendee accepts a smart badge, they can reasonably expect it to be scanned at some stage. If an attendee downloads an app for an event, they can reasonably expect their usage to be monitored in ways that help the app work. If it has an AR component, it’ll need their camera; if it has a navigation component, it’ll need their GPS.

Again: it helps to think about how you’d like to be treated. GDPR is citizen-focused legislation, designed to benefit users, customers and attendees. Think about the kind of asks that make you say “I’m not telling you that” or “why do you need to know that?” - that’s what GDPR is designed to stop.

What do I actually have to do?

Behind the scenes, on the event planning side, you’ll definitely need to carry out a data audit - establish exactly what you’re currently collecting, holding and processing, and making sure you’re handling it safely and securely. Then, you’ll need to update your data policies, making sure they’re clear to attendees, clients and customers - as well as to the ICO. If legitimate interest is your legal basis for marketing your events, you need to complete and record a legitimate interests assessment and ensure your privacy policy explains what your legitimate interests involve.

You’ll need to inform your contacts that your policies are changing - you may need to ask them to opt in to mailing lists (or other event marketing activities) again, and you’ll have to accept that you may lose some.

When it comes to the actual events, the main thing to consider is how up-front you’re being about data collection. If you’re at an exhibition to collect names and details for your mailing list, build an explanation of consent into your pitch, and include an opportunity for visitors to clearly and affirmatively opt in. Build a sign-up screen into your stand so people can give their details and their consent on the spot. Your data protection policy needs to be simple, straightforward and easy to understand at a glance, so attendees shouldn’t bog down while they’re reading it.

The Direct Marketing Association, a body of over 1000 B2B marketing firms and associated bodies, has produced a clear and extensive checklist for GDPR compliance; if you’re looking for specific advice on any stage of this process, that checklist is a good place to start.

View all posts

Subscribe and stay up to date

No spam, we promise! You will only 
receive essential emails.

Subscribe and stay up to date