
Understanding GDPR’s impact on event data and helpful security tips


As more event organizers choose virtual venues to reduce the risk of spreading Covid-19, data privacy and compliance with regulations such as the European General Data Protection Regulation (GDPR) are a top priority for any organizer that collects data on individuals from the European Union and European Economic Area. GDPR is a legal framework enforced by the European Union in 2018 which sets out mandatory rules on how companies can use EU citizens’ data. Any company that collects data from EU citizens is legally obliged to comply with GDPR, no matter where in the world that company is located.

But complying with GDPR is challenging for event organizers who aren’t as familiar with global data privacy laws. Large-scale events such as conferences, summits, exhibitions, product launches, trade and job fairs have confirmed their continued existence and allowed a seamless and engaging experience, on par with their physical counterparts. What organizations need to remember, however, are the implications of collecting a vast array of rich, valuable, and sensitive data from participating attendees and businesses.

Virtual and hybrid events platforms draw data from areas that include the number of logins and a breakdown of new and active users. This data also covers sessions, providing metrics on the number of total unique views, video replays, total unique replays, how many users liked each session, and how many made notes per session. It records how many registrations each session has, how many chat engagements took place, how many impressions the Q&As delivered, and more. Ultimately, this data enhances the virtual and hybrid event experience for attendees and helps organizers form strategies that drive ROI, but it also brings the risk of non-compliance.

Failing to handle such data in an ethical and safe way can potentially tarnish the reputation of an organization, leading to difficulties around attracting new business and repeated transactions from loyal customers. Additionally, the financial consequences can prove catastrophic. Companies found to be non-compliant can be fined up to €20 million or 4% of annual global turnover (whichever is greater). To this day, there have been 281,000 data breach notifications and £245.3 million of fines imposed for a wide range of infringements across all European Union member states, with Germany and the Netherlands topping the table, closely followed by the UK. Across many EU countries as well as the UK, the money collected from non-compliance fines is brought back to the community and used to fund public services, just like tax revenues.

On top of this, there are new data protection regulations coming into effect on a global level, such as the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and South Africa’s Protection of Personal Information (POPI). Maintaining compliance with regulations around virtual events is, therefore, a complex undertaking, and there are a few key areas that businesses need to consider. Here’s a list of GDPR issues that event planners need to be aware of to remain in compliance with the regulations:

Attendee consent

It’s crucial that organizers actively seek consent before any attendee data is collected. The agreement should be as easy to access and simple to understand as possible for attendees.

Event registration

Capturing data in the event registration form helps to build a database of all event attendees. Under GDPR, organizers need to keep in mind EU attendees’ Right to Privacy and must be selective about the information the form asks for.

Data sharing

Event planners are obligated to disclose to attendees where their data is being shared and for what purposes. They must also provide access to personal data for any attendee that requests it and fulfill any attendee’s request to transfer it to another data controller.

Data breaches

Cybercrime is an escalating issue with stories of breaches regularly featured in the news cycle. If event data is breached, the organizers must notify the relevant authorities and affected attendees within 72 hours of becoming aware of it.


Under the ‘Right to be Forgotten’, event attendees have the power to opt out of marketing activities that use their personal data and can request that it is wiped from every database. Planners must honor these requests.

Essential GDPR security measures

In the age of GDPR, there are three essential security measures event organizers should consider:

1. Regular security system checks and updates

Checking and applying software updates to security systems as regularly as possible will help to ensure vulnerabilities are mitigated, and the chances of a data breach are minimized.

2. Regular audits and certifications

ISO 27001 certification helps to ensure that your IT systems are standardized and secure, making compliance much easier to achieve. Storing and processing data requires any business to follow other standards too. Each system you use to work with event data must adhere to these standards and comply with audits.

3. Upgrading security systems

While we’ve already covered the importance of keeping security systems updated, event planners should also consider upgrading to the newest and most technologically advanced security systems when the budget allows. This means you will have access to the latest and greatest protection to help with compliance.

Looking ahead

While virtual events were initially integrated out of necessity due to Covid-19, a long-term online trend has emerged as businesses have recognized their value in a post-pandemic world. As the events industry adapts to these virtual and hybrid models, potential data regulation hurdles and processes can be eased by following the above considerations and three steps to better security, alongside choosing a platform with high security standards and built-in data collection, analysis, and management capabilities.

While setting a budget and auditing the security process may be time-consuming, the investment is considerably less than the risks to reputation, fines, and non-compliance. Considering the ubiquity of virtual events now and into the future because of the benefits and convenience that offering a remote option confers, the sooner that organizations codify their security standards with event planners, the easier it will be to protect organizations from data breaches and privacy violations.

Mayank Agarwal, Chief Technology Officer and Co-founder, Hubilo
