GDPR compliance tips for event planners


On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect, making it now the primary law regulating how companies from around the world protect the personal data and privacy of citizens and visitors of European Union. The GDPR’s legal framework aims to give EU citizens and residents more control over their personal data, particularly at a time when scandals have recently plagued many major global brands, such as Facebook’s recent issues with Cambridge Analytica.


And the GDPR is likely to revolutionize the way event marketers, event planners and DMCs deal with the data from attendees hailing from the EU.

Geneviève Gagné, a seasoned lawyer with the Jolicoeur Lacasse legal firm, has extensive experience in international affairs and arbitration. Over the years, she has developed a unique expertise regarding the GDPR. We sat down with her to get her perspective on what the GDPR means for event planners and DMCs.

What is the GDPR?

“The GDPR has replaced the former EU Directive 95/46; it is more detailed and addresses issues arising from a rapidly evolving digital world,” said Ms. Gagné. “In today’s digital era and due to the sheer volume being generated, data has a great economic value. Governments, advocacy groups and, in particular, individuals, are becoming increasingly concerned about data privacy. The GDPR was designed to strike a balance between companies’ need to obtain data to conduct business and the safeguarding of people’s personal data and privacy.”

Ms. Gagné explained that with more and more business and marketing conducted over the web, the need for the GDPR is extremely important. “Gone are the days where you could simply draw up a simple privacy policy, acquire attendee data and carry on with your event marketing,” explained Ms. Gagné. Now, event planners and DMCs must document and instill the proper measures that prove that attendee data is not at risk. For example:

  • EU attendees (and delegates from any country for that matter,) must explicitly consent to provide data to the event organization.
  • The event can only legally collect data that it absolutely needs to conduct business. For example, an event cannot collect the gender of attendees unless it is required to organize the event—not just for statistical purposes.
  • The event must also oversee the GDPR compliance of all sub-contractors and third parties, such as venues, F&B suppliers, audio visual partners, sponsors, ad agencies etc.; in other words, sub-contractors must adhere to the same high levels of GDPR standards as the events themselves.

Ms. Gagné did add that “Despite the stiff rules, the GDPR governing body understands that it is an ongoing, evolving journey. Being able to demonstrate a willingness to respect the law is already a huge step forward in the right direction.”

At the end of the day, respecting GDPR rules can be a distinct competitive advantage for event planners and DMCs looking to organize conferences and conventions with delegates from the EU. As the new adage goes, ‘No privacy, no trust. No trust, no business’.

How to conform to the GDPR

There are many ways to get up to speed on GDPR:

  • Educate the entire event management team, suppliers, partners and sponsors on the importance of GDPR and their compliance.
  • Conduct an internal audit to determine what data you currently have on attendees, speakers, sponsors, etc. who live in the EU. Pinpoint where your data collection or processing methods need to be improved. If required, work with a legal and IT professional to ensure that whatever improvements you make, they adhere to the law.
  • Update all your registration forms, consent boxes and privacy policy to cover attendees’ rights, such as the right to ask for data to be deleted, access their data etc. Again, make sure you only collect data that is useful for a specific task. For example, for a newsletter registration form, all you really need is a full name and email address. Forms should specifically state the reasons you need to collect certain data.
  • Set up the appropriate IT infrastructure to more effectively manage and protect EU attendee data, including antiviruses, firewalls, etc.
  • Develop a data breach notification processes (under 72 hours) and determine a process to take the right corrective course of action.

Ms. Gagné also mentions that event planners and DMCs should not cut and paste GDPR measures from other companies or event planning businesses. The measures have to be applicable and make sense for your event planning organization. She recommends talking to experts in international and digital law who have the necessary GDPR expertise to accompany event organizations on the road to GDPR compliance.

“At the end of the day, respecting GDPR rules can be a distinct competitive advantage for event planners and DMCs looking to organize conferences and conventions with delegates from the EU. As the new adage goes, No privacy, no trust. No trust, no business.

You'll also like

  • SportAccord Convention 2012, Québec City Convention Centre
    How to choose your event’s perfect destination
  • Hilton Québec - Panorama - Hilton exterior
    Why convention-goers should extend their stays beyond their conferences in Québec City
  • QDa-quebec-soir-ete-lumiere-1400x900
    Québec City named best destination in Canada
  • VilleDeQuebec-panorama-03.jpg
    Reasons why event planners love Québec City
  • QDa-touristes-OTQ-1400x900
    Fun French facts about Québec City
  • Cover page of the new Québec City Business Destination magazine
    Québec City Business Destination presents the 2nd edition of its magazine
  • Le Grand Marché de Québec
    Best gift ideas and stores in Québec City for events
  • Québec City's Plains of Abraham and St. Lawrence River from the sky in Summer.
    Sustainable Event Checklist