GDPR Checklist for an Event Planner

The way people collect, process, and store the personal data of EU citizens is going to change very soon. Find out how GDPR enforcement is going to revolutionize the world of event planning and which measures event marketers should take right now to comply with this new legal framework.

What event managers should know about GDPR

From the Yahoo data breach scandal back in 2013 to the recent data misuse by Facebook, businesses across the world have long demonstrated the need for a strict data protection policy. The GDPR is the EU’s new data protection regulation coming into effect on May 28, 2018. The ultimate goal of adopting this new legislation is building a transparent business environment in which companies will be able to manage data based on data subjects’ consent.

Event marketing under GDPR

The fundamental concept that event marketers have to keep in mind is explicit and unambiguous consent. Whether it’s email blasting or online registration, there’s no way you can conduct event marketing activities without first getting a preliminary affirmation from a data subject. Here is the short event checklist that conforms to the new GDPR rules that event marketers should follow:

  • Obtain op-in in case you’re using cookies/pixels.
  • Provide the list of organisations with which you intend to share private data at the online registration stage.
  • Don’t use your existing mailing list if you don’t have the unambiguous consent of data subjects.
  • Before purchasing mailing lists, ensure that the organisation selling these lists has obtained the required consent.

Event GDPR checklist: What should event planners do to comply?

Event GDPR checklist

Building a compliance checklist for an events organization will be a lifesaver for event professionals the moment the GDPR armageddon starts. We’ve designed a short roadmap that is by no means legal advice but offers the key compliance data in an easily digestible format:

  1. Build a focus group. Don’t hope that a DPO can carry this burden alone. Creating GDPR-driven mindsets within your organization is the only way you can generate a healthy data protection ecosystem. Set up a meeting with your team to assign compliance responsibilities to the focus group.
  2. Create awareness. The GDPR is a game changer in terms of how personal data is collected and processed. Make the rules of compliance, the key penalties, and the data management tactics crystal clear for everyone.
  3. Organize an information audit. Start with the data you already have. Ensure you work with an efficient SIEM. Document all the contacts your database already includes, and then check where they came from, how you process this data, and whether it’s shared with any external entities or organisations.
  4. Review registration forms. By the GDPR deadline, you should have prepared registration forms that comply with the new regulation. Review privacy notices and add the required information that a data subject should have access to (the purpose of data collection, the processing procedure, the name of a data processor and collector, etc.). Last, ensure your forms include no pre-ticked consent boxes. The data subject is the one that decides whether to give consent or not.
  5. Double-check individuals’ rights. Your procedures should comply with the rights of data subjects, which include the right to access, erasure, data portability, and more.
  6. Hone a mechanism for processing access requests. With the GDPR, data subjects have the power to request any information about their private data anywhere and at any time. How do you survive the stress of 1000+ messages in your inbox, each of which is tied to a specific deadline? First, establish an automated system that allows individuals access to their private data without needing to send a request. Next, train your staff to respond to requests in a timely and efficient manner.
  7. Get a parent’s or guardian’s consent if you process children’s data. Under the GDPR, the personal data of children has exceptional protection. Therefore, if your organization works with children’s contact information, you have to request consent from their parent or guardian.
  8. Develop procedures for data breach management. You need to put a mechanism in place for data breach detection. According to the GDPR, an organization must report a data breach within 72 hours. In this context, the timely implementation of appropriate data breach procedures is crucial.
  9. Designate a DPO. Last, appoint a person who takes responsibility for GDPR implementation and compliance.

Questions to ask event tech suppliers about the GDPR


To ensure your event vendor fulfills their legal responsibilities and is 100% compliant, there are several questions you can ask your event tech company before starting the cooperation:

Have you developed a mechanism for compliance?

Whether it’s the GDPR, PDPA, or any other regulation, having a system for compliance in place is fundamental. Ask your event tech company if it appoints a DPO who is responsible for the protection of clients’ data, if there is a dedicated security team, if it has specific consent rules it follows, etc.

Where do you host data?

The hosting location is an aspect you should definitely clarify with a vendor. While hosting data within the EU usually doesn’t raise any questions concerning GDPR compliance, event tech companies hosting data outside the EU should prove they are GDPR compliant despite the server’s location. Also, make inquiries concerning how the company deals with data transfers and what the physical locations of the company departments are who have access to event data.

What’s your strategy for obtaining consent and processing data?

You need to have complete knowledge of how and when a company requests consent from data subjects, how it communicates the purposes of data processing, and what tools are used.

How do you delete data?

Whenever a data subject requests data deletion, you have to comply. Ask your event tech company how they delete data, how long the process lasts, and if they confirm data deletion in writing.

Do you have your data protection strategy documented?

A well-documented data protection strategy is good proof your event tech company takes the GDPR seriously. Feel free to ask about a documented compliance checklist to see the whole picture.


A comprehensive GDPR checklist for an event professional can help you secure your clients’ data from any external breaches. Ensure that both your organisation and your event tech partner have a working system for GDPR compliance in place to avoid any pitfalls.