Common Misconceptions about GDPR in Event Planning

If you’re in the events industry, you’ve likely heard many myths and facts surrounding one of the buzziest data protection regulations, GDPR. When the news about GDPR shook the world in 2016, most businesses were in the dark about how to handle it. This gave birth to a huge variety of misconceptions about GDPR compliance in the events industry. Today, with GDPR enforcement knocking at everyone’s door, we’ve decided to clear things up.

The top 5 misconceptions about GDPR in event planning

We’ve compiled a list of the top five misconceptions that you as an event planner should be able to dispel:

25 May is the deadline for GDPR enforcement

GDPR enforcement

Especially for the world of events where meetings and conferences are organised in advance, GDPR doesn’t actually start on 25 May 2018. If event registration or any other aspects of your upcoming event touch upon the personal data of EU citizens, you must comply with the principles of GDPR even before the official date of enforcement. Also, it has to be clear that the regulations you find under GDPR today won’t be modified after 25 May, since this new data protection framework became law in 2016.

Example: an event agency based in Singapore organises a conference that will take place on 16 September in India. Some of event invitees are EU citizens. Although registration opened in March 2018, event organisers should start obtaining unambiguous consents and follow the other GDPR regulations from day one, because the event will take place after enforcement.

Consequently, 25 May can be viewed only as a formal deadline. From this day forward, your business can be fined for non-compliance. However, if you’re in the events industry, it’s critical to develop the mechanisms for GDPR compliance in advance.

The data processor and data controller can be the same entity

To determine the level of responsibility for a customer’s data, a data processor and a data controller should always complement each other’s work, but they can’t be represented by the same organisation/person. The principal difference between these two roles is that a controller establishes the direction and purposes, while a processor performs the action. In fact, to clarify data controller and data processor jobs, you can compare them to supervisor-subordinate relationships. Here are the major responsibilities of each of them:

Data controller:

  • Develop technical and organisational measures to comply with the data processing regulations.
  • Consider the risks and severity of the rights of the data subjects.
  • Allocate the responsibilities for data protection, if necessary.

Data processor:

  • Provide guarantees for the implementation of technical and organisational measures in a way that meets the regulations.
  • Execute data collection and processing based on the mechanisms developed by the data controller.

Example: You are organising an event in partnership with an event tech vendor. Who is who in this cooperation? You are the data controller because you own the data and decide how it’s going to be used. In most cases, a data controller is represented by a company or an organisation. GEVME or any other tech vendor with which you will cooperate can be called a data processor. A data processor can also be constituted by the whole software ecosystem that an organisation employs to process the data.

Event companies located outside the EU aren’t obliged to comply

Event companies

Yes, they are. Whether you decide to go crazy and relocate your business to Cuba or own a US-based company, GDPR compliance is the law you have to comply with if you process the data of even one EU citizen.

Example: If you plan to throw an epic party in the summer of 2018 and want to invite attendees from the Netherlands, you’d better start learning more about GDPR right now. With GDPR, the cost of a mistake may be high, which makes compliance a number one priority.

In event planning, there’s one side responsible for GDPR compliance

In fact, be it an event marketer, an organiser, or a technology partner, there are mechanisms that each of these subjects should put in place to ensure full-scale GDPR compliance.

Example: When organising an event, you partner with an event marketer that is responsible for advertising, as well as with an event technology vendor that facilitates registration and onsite check-in processes at your event. Here are the major tasks each of you should accomplish within this cooperation:

Event planner:

  • Check the compliance of the technology vendor with GDPR.
  • Track how the concept of “consent” is used at each stage of an event lifecycle.
  • Check registration forms (privacy policy, disclaimer, opt-in).

Event marketer:

  • Exclude European email addresses from your contact base that are not based on explicit and unambiguous consent.
  • Don’t use automatic opt-ins and pre-ticked boxes in communication with event invitees.
  • Ensure no personal data can be processed by third parties or is accessible through any external organisations.

Event technology vendor:

  • Conduct a transparent audit.
  • Record any changes automatically through an open API.
  • Help clients edit or delete their private data at any time.

The principle of “legitimate interest” allows event marketers to process users’ data without obtaining consent

The principle of “legitimate interest”

In fact, the “legitimate interest” provision actually identifies the possibility to use personal data without obtaining unambiguous consent. However, in contrast to the previous data protection law, GDPR describes the conditions under which the legitimate interest rule can be applied very clearly. These include the need to protect someone’s rights, using data that was under court order, or completing a missing data field after a data processing act has already been completed.

Example: If a data subject agrees to receive some marketing materials from you, it doesn’t mean you can utilise his/her data under the “legitimate interest” regulation.


Dispelling event planning GDPR misconceptions is not something you need to do if you’re already familiar with all the regulations of the new data protection law. However, this can be a useful practice for you in terms of not falling into a trap of ambiguity and taking the right steps to compliance.