General Data Protection Regulation (GDPR) and the Events Industry

Event management professionals do it all. From producing large-scale festivals, galas, product launches, and conferences, to planning smaller high-touch dinners, advisory boards, and roadshow meetings, the industry runs a wide gamut of event types. However all of these events have one thing in common – they all can touch-sensitive attendee data, and therefore we must all be aware of the General Data Protection Regulation (GDPR), the effective date for which is in just a few short weeks. FIRST is aware of what is required and is working with clients and suppliers to ensure full preparedness. Events professionals, whether located in the European Union (EU) or not, need to be aware of what it means for the personal data of citizens residing in Europe.

Have you collected personal information for registration or event apps? If so, this applies to you.
Have you asked attendees for their dietary requirements for a dinner? If so, this applies to you.
Have you collected EU citizens’ names for badges (or have the information stored in your records)? If so, this applies to you.

It is crucial that event professionals are aware of, and comply with, the updated laws to avoid major fines and penalties. FIRST is working with all necessary parties to ensure this is the case on behalf of our clients.

So, what is GDPR?

In April 2016, the European Parliament adopted GDPR as a replacement for the outdated data protection directive from 1995. It carries provisions and requirements of data privacy and security for European citizens and is consistent across all 28 member states. Simply put, it’s to protect individuals from privacy and data breaches when their personal info is handled by others. The new GDPR privacy laws will be enforced on May 25, 2018, and the regulations apply to organizations in all sectors. 

What are the requirements?

It is crucial to consider the following rights, which have been instituted on behalf of all EU citizens with respect to their personal data:

  1. Breach Notification – notifying customers and controllers within 72 hours of any potential breach in which their data may have been put at risk
  2. Right to Access – individuals whose data is being processed must be aware of how/where/why their data is being collected/used/stored – copies of this data must also be available to be provided to the stakeholders in a common format at no cost
  3. Right to Be Forgotten – allows stakeholders to have their personal data erased not only by request, but also at the earliest point when the data is no longer relevant to its original purposes
  4. Data Probability – similar to their right to access, personal data must be readily available to be delivered back to the individual or to another data processor

So what does the events industry need to know?

As data is the foundation of many successful events, it is important to understand how the regulation impacts event professionals, not just your IT and senior management teams. To ensure adherence, the GDPR governing body is threatening significant fines and penalties for non-compliant organizations of up to €20 million or 4% of gross revenue (whichever is greater!). It is predicted that the new regulation will generate upwards of $6 billion within the first year alone, a number you do not want to be a contributor too!

Now is the time to ensure you are aware and prepared, speak to your advisor to find out how to best prepare ahead of May 25, 2018. On behalf of all of our clients, FIRST is actively taking the necessary steps to ensure full preparedness around all event operations before the deadline. This includes a redesign of internal policies and coordinating with all trusted third-party partners to ensure compliance. For more information about how you can prepare for GDPR, contact

Disclaimer: This content was gathered and summarized from various sources to convey general information and in no way constitutes legal advice. Readers are advised to conduct further research and seek professional advice for their organizations.