Your 4-step guide to Events Marketing and the GDPR

16 Mar 2018 | by Maria Keenan

The GDPR will force marketers to be more detail orientated than ever. Maria Keenan focuses our attention on what the GDPR means for those who use events marketing as part of their marketing stack.


The process of running an event is a series of hundreds of carefully considered tiny details. Every so often, something shifts, and all those details change. Sometimes swathes of volunteers fail to show, or the caterer takes your lasagne to the wrong venue (just me?). However, when the GDPR comes into effect in May of this year, attention to detail becomes a legal requirement.

Squaredot have already talked up what the GDPR will mean for B2B marketers and GDPR marketing consent, but I wanted to add something in for those of you who use events as part of your marketing stack.

There are four main stages of an event (even though it can seem like there are 4,000) and we’re going to look at how each is affected by the GDPR.


In the planning stage of events management, the GDPR will affect how you find people to attend, and how you use their information once you find it:


GDPR is being enacted so that those of us in the EU can rest at ease knowing that our data isn’t being abused by organisations without our consent. At least, that’s the hope.

With that in mind, some of the older-fashioned ways of finding people to speak at and support our events go out the window - no matter how legitimate those tactics instinctively feel. A couple of the most popular ways to get your call-for-proposals out there are affected. Namely:

  • Using mirror audiences on social media to advertise to folks that are like your previous guests
  • Finding email addresses using third-party algorithms

As for mirror audiences, if you’re not familiar, advertisers can upload lists of email addresses, which are matched to user accounts on social media. This then allows the social media site to find a similar audience based on the interests and demographics of the people on the uploaded list.

From now on (or, as of May 25th) those contacts who would be on that kind of list have to be notified and able to decline being included. So, that means that you’ll need to run this by your prior speakers if you want to get a similar set of submissions at your next event.

When it comes to finding email addresses using third-party algorithms, a lot of people use this for finding people to cold-pitch to. One example of how organisers can use these under the status quo: they find a list of names of professional speakers on LinkedIn, then punch those names into a service that finds emails based on a person’s full name and company name.

The organiser can then pitch at those speakers with the hopes of them accepting to present.

However, aside from erring on the side of someone knocking on your front door asking if you’ve heard the good news, this goes against the principles of GDPR and should be avoided going forward.


Having a solid set of terms and conditions is the most powerful thing you can have to prove that you’ve been conscientious in gathering data, should the GDPR mob come a-knockin’.

A key component of the GDPR is that it enables normal individuals to understand and have a degree of control over how and when their data is used, and why. When it comes to privacy policies and terms and conditions, the first thing to acknowledge is that they should be easy to read and understand. Essentially, they should be in plain English and you most certainly shouldn’t need a law degree to get it. A good T&C should include:

  • What data is being collected
  • How data is going to be used and what sort of messaging is going to follow its submission and
  • Who is going to use that data and what their GDPR status is.

For further reading, this post by eConsultancy provides insight into UX options and variations for privacy policies. Structuring this alongside legal counsel will set you well on your way to getting transparency around how you’re dealing with your customers and potential customers, making for happier transactions overall.


Please, PLEASE stop selling your attendees’ data to sponsors.

I’ve personally lost respect for a few events I once saw as progressive and standard-setting on the tech scene because they’ve done this.

Colleagues and friends have bemoaned the fact that they get messages from event sponsors trying to pitch virtually unrelated products up to a full year after the event has taken place.

Under the GDPR, third-parties who are allowed to use attendee data have to be identified to everyone who’s registering for the event. The person registering has to then be able to consent or decline that their data be used in this way. The good news for the organiser is that this stops irrelevant, intrusive messaging or, worse yet, third-parties of third-parties doing the same thing. Inevitably, the knock-on effect is a less annoyed, happier attendee who’s more likely to give you information again.



This is largely in keeping with both the information above and good inbound marketing practices, generally. But every email you send has to have an unsubscribe option under GDPR. (Squaredot have discussed how B2B marketers should approach opting in and opting out under the GDPR here.)

As well as the availability of an unsubscribe option, when individuals are submitting their emails on your site (e.g. if they’re downloading a floorplan of the venue, or registering their interest before ticket purchase) there are a few things to remember when collecting this type of data. 

No pre-checked boxes: If they will be getting updates or further correspondence, you’ll need to set up an open, not pre-checked checkbox on the form. This should be where that person freely clicks to imply their consent to you reaching out to them.

Remove their details at their request: You should include a return email address which is actively monitored so that you can amend or delete information at the request of the person whose data you have collected. Data minimisation is the GDPR way.


Knowing where the information you collect is held is your responsibility as a data controller. If your volunteers or team are going to be coming into contact with attendee details during check-in or for any other purpose, you need to make sure that a stranger can’t access those details.

The tech of choice is usually a check-in tablet and/or smartphone, so ensure that the lists of details are password protected. And, preferably with a stronger password than “eventstuff1.”

One piece of software that mitigates the risk of a) forgetting passwords for multiple systems and b) your systems being easily hacked is 1Password, which I personally use every day. And it’s not that expensive, thankfully.




DPA is an acronym we’re all going to have to get a little more familiar with before summer. DPA stands for “data processing agreement” and it’s a declaration of the ways that data is processed (unsurprisingly) at any given company.

In order to establish and prove that you are working with vendors that are GDPR-compliant, you’ll have to put in a request for one of these from each company whose services you use that touch your attendee data.

Securing a copy of each of these not only lets you see what systems you may have to switch out due to the company not being aboard the GDPR train, but also gives you something to prove your journey towards GDPR compliance during any inspections by your local Data Protection Commissioner.



One of the types of personally identifiable information that organisers know to be sensitive is the humble photo. For years, people have had the option to consent to the use of their image in the promotion or review of an event.

While this is something that organisers previously did out of goodwill, it’ll be mandatory under GDPR.

To keep this under control, and so you don’t have to personally interview everyone whose photo gets taken at your event, use colour-coded lanyards or name tags. At previous events, I’ve seen this used super effectively to speed up vegetarians being identified and fed.

Nowadays having, say, a purple lanyard so that photographers and editors know who to blur or not is an efficient way to cut some legal-compliance corners, and to keep those who are camera-shy out of harm’s way.



Back in the day, we had 40 days to report data breaches. That's axed by 10 days - to 30 days - under the GDPR.

In order to prevent the need to report breaches and to stop yourself from getting into hot water, it’s important to keep the individual records of personal information you store up-to-date.

Under the GDPR, individuals have the right to ask that their information be deleted or updated upon their request, so keeping abreast with those changes is one way to make sure that you’re not stuck in the mud with incorrect records.


It may seem that, after all the effort we’ve discussed above, you wouldn’t need to worry about analysing the information afterwards.

Unfortunately, that’s a rather big “nope.”

If you use segmentation, modelling or any kind of predictive analytics to assess how well or badly your event went, and that type of research uses personally identifiable information, then you’ll have to also get consent for this.

Doing this is actually pretty simple. All you need to do is include a clause in your terms and conditions (as we discussed above) to let individuals know that you’re going to be doing that.

It’s important to evaluate what data samples you have and how you work with them so that you can identify how you need to inform people before GDPR hits.


For best results, consult your lawyer before you do anything about GDPR. People’s circumstances vary so much that it makes it hard to be fully comprehensive in a blog post, but hopefully this sets you on your way to understanding GDPR in the context of event marketing.

P.S. I’m not liable for how you act on these details, and if they’re suitable for you specifically, but we did consult a lawyer to give his two cents and verification on the above, just so you know.


Maria is the Marketing Manager for Tito, an event software organisation based in Dublin, Ireland. They recently wrote the book on GDPR for conference organisers to help them get prepared for the May deadline. Squaredot's Managing Director, Ian Blake, talked about the importance of events to B2B marketing in this marketing events blog from earlier in the year.
