GDPR How to be compliant & still engage effectively
Back to Experience channel

How to be GDPR Compliant and Still Engage with Audiences Effectively

Known as the most important change in data privacy regulation in the last twenty years, GDPR has fundamentally impacted the way data is handled. In this article we revisit what you actually need to know from an event professional’s perspective, we’ll tackle the grizzly GDPR bear & provide easily digestible & useful insights on how you can tame and approach it.

By Lucy Holden

Known as the most important change in data privacy regulation in the last twenty years, the General Data Protection Regulation has fundamentally impacted the way data is handled. In fact, in recent research 60% of respondents said GDPR has significantly changed their organisations’ workflows for collecting, using, and protecting personal information. (Source: McDermott, Will & Emery)

Cast your mind back to May and you’ll remember an influx of emails asking for your re-consent to receive email marketing. So now the dust has settled and we make our way towards 2019, we see that emails have died down but website cookies have increased. Although it’s been a few months, are you clear on how GDPR affects you from an events perspective, and how it impacts exhibitions, conferences, guest lists and so forth?

Sign up to the MCI Experience Channel!


We know that some of the GDPR pain points stem from a lack of expert staff (43%), followed by lack of budget (40%) and limited understanding of GDPR regulations (31%). (Source: Crowd Research Partners). In this article we revisit what you actually need to know from an event professional’s perspective, we’ll tackle the grizzly GDPR bear and provide easily digestible and useful insights on how you can tame and approach it.

We know you’re short on time, so if you just want the topline summary then click here to go to the end of the article for our key takeaways.


GDPR Compliancy at Exhibitions

GDPR Compliancy at Exhibitions


Let’s jump right in and explore GDPR compliancy at sponsored events and exhibitions. Here we will cover common scenarios and describe the best plan of action.

Scenario one:

You have invested marketing budget to promote your products and/or services at an exhibition. Having a presence with an exhibition stand can open many doors and craft an environment for meaningful interactions. We’re sure you’ll agree that it’s a missed opportunity to leave these conversations within the exhibition’s four walls. It’s imperative to your ROI that you can continue to engage with potential prospects and, indeed, brand advocates post-event.

More often than not, events will opt for badges with a registration barcode or QR code. These make interactions incredibly easy for delegates and exhibitors as it allows for information to be passed electronically in the blink of an eye. In this situation it’s important to always ask the following question: “Is the consent legally obtained?”

Our GDPR experts advise that exhibitors can collect personal data if they validly obtain the consent of the participants. Where the data subject presents his/her badge to be scanned, he/she expresses their consent by a positive act. At this moment, the exhibitor must explain the purposes of this personal data collection.

So in summary, you will be GDPR compliant when scanning a delegate’s badge providing you are explaining what you will use the delegate’s data for. You will also be compliant by allowing individuals to opt-out of badge scanning. It is worth noting that all organisers should have a consent element as part of their original registration. But we advise double checking.

Scenario two:

Let’s use another example: an event organiser has sold LIVE data downloads of the delegates who entered their symposium as part of the sponsorship package.

When delegates register for an event, you should ensure that there is a clear question to ask if delegates consent to sponsor communications. The consent is validly obtained if:

(1) The data subject is warned of the use that is made of their data (it’s the case when they register and took note of the Privacy Statement),

(2) And that the registration form contains a clause providing for this scanning possibility (“Exhibitors or sponsors may scan your badge when you visit their stand. If you don’t want your badge to be scanned, please let the exhibitor know directly. Otherwise, your personal data will be released to them.”)

We use a variety of different technologies to collect, store and process this personal information: Ticketing software, mobile attendees apps, RFID/Cashless systems, marketing software and back of house management software. 

When partnering with vendor suppliers, it’s crucial you do your due diligence by conducting compliance assessments to ensure the providers that process your data are GDPR compliant and that they responsibly protect your data using accepted security practices, including signed formal data protection contractual clauses.

GDPR Compliancy for Guestlist invitations

Compliant Guest List Invitations


If you have an upcoming gala dinner or an awards evening to host, you may be wondering whether you have crossed your ts’ and dotted your i’s when it comes to GDPR. Forming a guest list can be tricky at the best of times but it is imperative that you contact your guests in a compliant way. Research shows that 60% of CMOs and senior-level marketers believe that GDPR will make it harder to build a direct relationship with the consumer – we’re here to tell you that it doesn’t have to be this way.  

Let’s go back to basics and understand where you got your data from. We need to understand its origin and if it was obtained fairly.

To start with it’s worth noting that the GDPR does apply to B2B marketing – the ICO says that ‘you may be able to rely on ‘legitimate interests’ to justify some of your business-to-business marketing’ providing that ‘you can show the way you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing’.

In this case, sending out an invitation to a gala dinner or awards ceremony is a legitimate interest and email marketing is applicable. If you are the event’s data controller and have a list of existing active contacts from the last three years, you can safely invite them if you use a GDPR compliant mailing tool like MailChimp. Issues can arise in Outlook as it does not provide a simple way to unsubscribe, nor does it offer in-depth analytics. We recommend consistently applying an unsubscribe link with every email you send to ensure that people can withdraw their consent at any given time.

Alternatively if you collected business cards at a trade show, you can contact the person for business legitimate interest.

GDPR Compliancy for B2C Events

Compliant B2C Events

We’ve said it before and we’ll say it again – festivals are the go-to way to attract millennials. They also provide the perfect set up for a brand activation or a product sampling event to consumers. But how can you communicate to your prospective mailing list before and after?

As aforementioned its best to comb through the data you have to understand if the list has consented to communications. Following our Marketing Tool Best Practices (below) will also help when making sure you are being compliant.

During the registration process, make sure you include a check box asking if attendees would like to sign up to email communications. This way if they consent, you can carry on the conversation after the event. The email must also link to a privacy policy describing the way their data will be processed and for what purposes – this way subscribers can activate their rights.

Starting a new list is not a bad idea either! For public consumer events it’s always beneficial to create as much buzz around an event as possible. Promote your festival or activation online through your social media and encourage participation through these channels.

What’s more, you can build up an engaged email list through website sign up forms. Stay compliant by using GDPR-friendly forms that include checkboxes for opt-in consent, and information that clearly explains how and why you are using their data. This means that you’ll have a clear breadcrumb trail showing exactly when people signed up to your list and proof that they have opted in for communications.

Continuing the event legacy is as important as the event itself. Keep the conversation flowing with follow up event communication to those that have opted-in. Make sure to pay close attention to the length of time you retain personal data for, a.k.a. the retention period. According to GDPR, it is not possible to retain personal data for an undefined period. At MCI we have defined guidelines in terms of data retention length per category of data processing. For instance, personal data collected during an event should not be retained more than 5 years after the event date, unless a shorter period is mentioned in the client’s contract.

Marketing Tool GDPR Best Practice

Marketing Tool Best Practice

When using a marketing tool like MailChimp it is important to cover off a few essential GDPR best practices.

  1. Ensure that each of your emails include a Permission reminder in the email footer.

    Here you will clearly explain to recipients how you got their data. It can be as simple as putting ‘You are receiving xx emails because you recently signed up for updates through our website’ or ‘You attended a previous xx event or expressed an interest via the event website’.

  2. Display a clear unsubscribe link on every single email communication.

    This way recipients can decide to opt out at any time. You can also provide a softer option for them to update their preferences, as they may want to remain subscribed to your event updates but unsubscribe from your monthly e-news for example.

  3. If in doubt always secure permission before you send.

    Don’t assume you have permission, and if you’re unsure seek confirmation.

 

Top GDPR takeaways
Our Top GDPR Takeaways

    1. Be transparent: tell delegates what their data will be used for and why.

    2. Clarify contractual relationships: Agree roles and responsibilities with partners in the terms of Data Protection.

    3. Track: keep a record of how you acquired delegate data so that you have a clear trail to follow.

    4. Sponsor communications: should only be sent to delegates who have opted in to receive them. Ensure you have explicit permission and that the event organisers have given you a GDPR compliant list.

    5. Collect consent: if you didn’t GDPR proof your contacts before May, you should collect consent from them before sending any future communications.

    6. Follow our Marketing tools best practice 

We hope we’ve given you some handy insights that will influence how you approach GDPR in the future.

At MCI Experience we’re pioneers of personalised brand and event experiences. We love to help our clients find the perfect solutions to their brand challenges.

Find out exactly how we can help you – get in touch!