Insights on events, technology, and the future of gathering
Every event collects personal data. Names, email addresses, job titles, dietary requirements, accessibility needs, payment details -- the list grows with every registration form field you add. Under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, that data collection comes with legal obligations that apply regardless of your organisation's size.
Many organisers assume GDPR is primarily a concern for technology companies or large enterprises. In practice, anyone who collects personal data from individuals in the EU is subject to the EU GDPR, and anyone who collects it from individuals in the UK is subject to the UK GDPR, which retains the same core rules alongside the Data Protection Act 2018. If your event registration page collects an email address from someone in Berlin, Dublin, or London, one or both regimes apply to that data.
This guide is not legal advice -- consult a qualified data protection professional for your specific circumstances. What follows is a practical overview of the areas where GDPR most commonly affects event operations.
GDPR requires that every instance of personal data processing has a lawful basis. For event organisers, two bases are most commonly relevant:
Contract: When someone registers for your event, you need their data to fulfil that registration -- sending confirmation emails, providing access credentials, managing check-in. Processing for these purposes is covered under contractual necessity.
Legitimate interest: Some processing serves your legitimate business interests without overriding the individual's rights. Sending post-event surveys, analysing attendance patterns for planning purposes, or sharing attendee data with speakers for session preparation may fall under this basis -- provided you have conducted a legitimate interest assessment.
Consent is often assumed to be the default lawful basis, but it carries specific requirements that make it harder to rely on than many organisers realise. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count. Bundled consent (where agreeing to one thing requires agreeing to another) does not count. And consent can be withdrawn at any time, which means you need a mechanism to honour that withdrawal.
The practical implication: use contractual necessity for data processing that is essential to delivering the event. Use legitimate interest (with a documented assessment) for operational analysis. Reserve consent for genuinely optional activities like marketing communications.
Your registration form is the primary point of data collection. GDPR's data minimisation principle requires that you collect only the data you actually need. Every field on your form should have a clear purpose. If you are collecting job titles, company names, and phone numbers, you should be able to articulate why each field is necessary for delivering the event or fulfilling a legitimate interest.
Key requirements for registration data collection:
Privacy notice: At the point of data collection, attendees must be told who is collecting their data, why and on what lawful basis, who it will be shared with, how long it will be retained, and their rights regarding that data. A link to your privacy policy is the minimum; a concise summary at the registration point is better.
Purpose limitation: Data collected for event registration should be used for event registration. Using it for unrelated marketing campaigns without a separate lawful basis is a compliance risk.
Special category data: Dietary requirements, accessibility needs, and health information (such as allergy details) may constitute special category data under GDPR: allergy and accessibility details are health data, and a dietary requirement can reveal a religious belief. Processing this data requires, in addition to a lawful basis, one of the specific conditions in Article 9, which for event registration usually means explicit consent. Handle it with extra care, collect it only from attendees who choose to provide it, and restrict who can see it.
This is where many events run into trouble. Sharing attendee data with sponsors, exhibitors, or partner organisations is common practice -- and it is the area most likely to generate complaints and regulatory scrutiny.
Under GDPR, sharing personal data with third parties is itself a processing activity that needs its own lawful basis: in practice, either consent from the individual or a legitimate interest that has been properly assessed and documented. Attendees must know, before they register, that their data may be shared, with whom, and for what purpose.
Practical steps for compliant third-party sharing:
List all third parties who will receive attendee data in your privacy notice.
Use separate, specific consent mechanisms for sponsor data sharing -- not bundled with event registration consent.
Put the right agreement in place with every third party who receives attendee data: a data processing agreement where the recipient acts only on your instructions (for example your registration platform or badge printer), and a data sharing agreement where a sponsor will use the data for its own marketing as an independent controller.
Give attendees the option to opt out of sponsor communications without affecting their event registration.
Consider badge scanning at sponsor stands as a form of data sharing -- attendees should understand what happens when their badge is scanned.
GDPR requires that personal data is not kept for longer than necessary. For event data, "necessary" typically means the duration needed to deliver the event, handle any post-event queries, and fulfil financial or legal obligations (such as invoice retention for tax purposes).
A reasonable retention policy for event data might look like this:
Registration data: Retained for the duration of the event plus a defined post-event period (commonly 6 to 12 months) for follow-up communications and dispute resolution.
Payment data: Retained as required by tax and financial regulations (typically 6 to 7 years in the UK).
Marketing data: Retained only while consent is active. When consent is withdrawn, data must be deleted or anonymised promptly.
Special category data: Deleted as soon as the purpose is fulfilled -- typically at the end of the event or shortly afterwards.
Document your retention periods and enforce them consistently. Having a policy is meaningless if data lingers in spreadsheets and email threads indefinitely.
Attendees have the right to request that their personal data be deleted. In the event context, this means an attendee can ask you to remove their registration data, dietary information, and any other personal information you hold about them.
There are exceptions -- you may retain data required for legal or financial obligations, such as invoices -- but the default position is that erasure requests must be honoured without undue delay and within one month (extendable by up to two further months for complex or numerous requests, provided the attendee is told why). Your event platform should make it straightforward to locate and delete an individual's data across all systems where it is stored, including exports, spreadsheets, and email threads.
Event websites and registration pages typically use cookies for analytics, session management, and marketing pixels. Under GDPR and the Privacy and Electronic Communications Regulations (PECR), non-essential cookies require informed consent before they are placed on the user's device.
A compliant cookie consent mechanism should offer genuine choice -- not just a "got it" button that implies consent. Users must be able to reject non-essential cookies as easily as they can accept them, the choice must be recorded so you can demonstrate it later, and the page must function without those cookies if the user declines. Until a choice is made, nothing non-essential may be set. This applies to event registration pages, landing pages, and any web content associated with your event.
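The following is an added example of how a registration page can gate non-essential scripts behind that choice. It is not Canapii's code or part of the original article. It assumes that analytics and marketing snippets are embedded as `<script type="text/plain" data-consent="analytics">` tags (so the browser does not execute them on load) and that the visitor's choice is stored as JSON under a key named `cookie_consent`; both conventions, and the category names, are illustrative.

```javascript
// Added example (not Canapii's code): a default-deny consent gate for non-essential cookies.
// Assumptions: non-essential scripts are embedded as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// and the visitor's choice is stored under CONSENT_KEY. Names and categories are illustrative.

const CONSENT_KEY = 'cookie_consent';
const CONSENT_VERSION = 2;                      // bump whenever the cookie list or purposes change
const CATEGORIES = ['analytics', 'marketing'];  // non-essential categories the page uses

// Parse a stored choice. Anything missing, malformed, or given under an older
// notice version counts as "no consent": the default must be reject, never accept.
function parseConsent(raw) {
  const denied = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (typeof raw !== 'string') return denied;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return denied;
  }
  if (!parsed || parsed.version !== CONSENT_VERSION || typeof parsed.choices !== 'object' || parsed.choices === null) {
    return denied;
  }
  const result = { ...denied };
  for (const c of CATEGORIES) {
    result[c] = parsed.choices[c] === true;  // only an explicit true counts as consent
  }
  return result;
}

// Serialise a choice for storage, recording when and under which notice version it was
// given, so the organiser can later demonstrate what the visitor agreed to.
function recordConsent(choices, now = new Date()) {
  const cleaned = Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true]));
  return JSON.stringify({ version: CONSENT_VERSION, given_at: now.toISOString(), choices: cleaned });
}

// Decide which scripts may load. Essential scripts always load; a script whose category
// is unknown is treated as non-essential and blocked rather than silently allowed.
function allowedScripts(scripts, consent) {
  return scripts.filter((s) => s.category === 'essential' || consent[s.category] === true);
}

// Browser side: turn each permitted <script type="text/plain"> into a live script.
// Returns the number activated; a no-op outside a browser so the logic can be unit-tested.
function applyConsent(consent) {
  if (typeof document === 'undefined') return 0;
  const tags = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  const permitted = allowedScripts(tags.map((t) => ({ category: t.dataset.consent, el: t })), consent);
  for (const { el } of permitted) {
    const live = document.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return permitted.length;
}

// Page load: read the stored choice (localStorage here; a first-party cookie works the same
// way) and activate only what was consented to. The stored choice itself is strictly
// necessary and needs no consent of its own.
if (typeof localStorage !== 'undefined') {
  applyConsent(parseConsent(localStorage.getItem(CONSENT_KEY)));
}
```

The banner's "accept" and "reject" buttons call `recordConsent` with the visitor's selection, store the result under `CONSENT_KEY`, and then call `applyConsent`; a "reject all" button is simply `recordConsent({})`. Bumping `CONSENT_VERSION` after adding a new tracker invalidates every earlier choice, so returning visitors are asked again instead of having the new cookie set under stale consent.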
Achieving GDPR compliance for events is not about perfection on day one. It is about building good practices into your event operations:
Audit your data flows: Map every piece of personal data you collect, where it is stored, who has access, and how long it is retained.
Review your registration forms: Remove fields you do not need. Add a clear privacy notice at the point of collection.
Separate your consents: Do not bundle marketing consent with event registration. Use distinct, specific opt-ins.
Document your lawful basis: For each type of data processing, record which lawful basis applies and why.
Implement data processing agreements: Every third party that handles attendee data on your behalf needs a formal agreement in place.
Set retention schedules: Define how long each category of data is kept and automate deletion where possible.
Choose compliant tools: Your event platform is a data processor on your behalf. Ensure it meets appropriate security standards and can support your GDPR obligations.
Canapii takes data protection seriously. The platform is ISO 27001 certified, demonstrating a systematic approach to managing information security. Attendee data is hosted in secure environments, and the platform is compliant with the UK Data Protection Act 2018.
For organisers, this means the technology layer of your data protection obligations is handled by a platform built with compliance in mind. Registration data, check-in records, attendee communications, and analytics all operate within a framework designed to support your GDPR requirements -- from consent management to data retention and erasure.
Compliance is ultimately the organiser's responsibility, but choosing a platform that is built for it makes that responsibility considerably easier to fulfil.