GDPR compliance for events: what UK planners must know
15 min read · Venues · Updated 1 June 2026 · Jigsaw Conferences Editorial Team

Master GDPR compliance for events with essential insights for UK planners. Safeguard personal data and streamline your event processes.

TL;DR:

  • GDPR applies to all events collecting personal data from UK or EU residents regardless of size or format.
  • Attendee consent and transparent privacy notices are essential for lawful data collection and sharing.
  • Implementing proactive, documented workflows and security measures minimizes GDPR risks and ensures compliance.

Organising a corporate event involves far more than booking the right venue and confirming catering. The moment you ask someone for their name, email address, or dietary requirements, you are processing personal data, and that means GDPR applies. Many event planners still believe these regulations target large technology firms or consumer-facing brands, but GDPR applies to all events collecting personal data from UK or EU individuals, including in-person, virtual, and hybrid formats, regardless of where the organiser is based. This article walks you through when GDPR is triggered, what your obligations are, and how to build a practical compliance workflow that protects both your attendees and your organisation.

Key Takeaways

  • GDPR applies broadly: all UK events that collect personal data must comply with GDPR, regardless of size or format.
  • Get proper consent: always collect explicit, informed consent for registrations and data sharing, especially with third parties.
  • Protect attendee data: encrypt data, restrict access, and be prepared to respond to breaches within 72 hours.
  • Follow a clear workflow: use a GDPR checklist and regular staff training to ensure event compliance from planning to post-event data deletion.

When does GDPR apply to events?

Having established why every event must consider GDPR, let us clarify the situations that bring it into play.

The UK General Data Protection Regulation defines personal data broadly. Any information that can identify a living individual qualifies, and that includes the obvious examples such as names and email addresses, but also less obvious ones like IP addresses captured during a webinar, photos taken at a conference, or dietary preferences that might reveal a health condition or religious belief. If your event registration form collects any of these, you are processing personal data, full stop.

One of the most persistent myths in event management is that GDPR only matters above a certain scale. In reality, event size is not a qualifying factor. A 12-person internal strategy day where you collect attendee names and lunch preferences is subject to the same regulatory framework as a 5,000-delegate conference. What matters is intent and data collection, not headcount.

Types of events affected

GDPR applies broadly across all event formats:

  • In-person events: registration forms, badge printing, attendance lists, photography and video recording
  • Virtual events: platform logins, recording of sessions, chat logs, polling responses
  • Hybrid events: all of the above, often simultaneously, with additional complexity around data flows between platforms
  • Internal corporate events: staff away-days, training sessions, and meetings where HR or workforce data is involved
  • Third-party managed events: conferences where you act as an exhibitor or sponsor rather than the primary organiser

The territorial scope of GDPR is equally broad. If your event targets UK or EU residents, even a US-based organiser must comply. This is particularly relevant for global corporate clients hosting pan-European conferences or international trade events.

Common scenarios that trigger GDPR

Consider these real-world situations that often catch planners off-guard:

  • A delegate registration system that automatically syncs with a CRM
  • A mobile event app that tracks session attendance and behaviour
  • Badge-scanning technology used by exhibitors to capture contact details
  • A post-event survey that collects identifiable responses
  • Photography or social media tagging at networking dinners

The key question is not “how many people attended?” but rather “did we collect identifiable data, and do we have a lawful basis for doing so?”

Understanding the full scope of GDPR triggers is the foundation of responsible event planning. For a broader look at GDPR event requirements and how venue choices intersect with compliance, it is worth reviewing your end-to-end data flows before any booking is confirmed.

Having understood what triggers GDPR, you now need to know exactly what is expected when collecting attendee details.

Registration is the primary point at which personal data enters your event ecosystem, and it is where most compliance failures begin. The Information Commissioner’s Office (ICO) is clear that privacy notices must be clear at the point of registration, covering what data is collected, the purposes for processing, how long it will be retained, who it will be shared with, and what rights the individual holds.

What a compliant privacy notice must include

  1. The identity of the data controller: who is responsible for the data? This should be your organisation’s legal name and contact details, along with the Data Protection Officer (DPO) if one is appointed.
  2. The lawful basis for processing: are you relying on consent, legitimate interests, or a contractual necessity? You must state this clearly, and you must actually have a valid basis.
  3. Specific purposes: “marketing purposes” is not sufficient. You need to state whether data will be used for event communications, badge printing, post-event follow-up, or sharing with sponsors.
  4. Retention periods: attendees have the right to know how long their data will be kept. “Indefinitely” is never acceptable under GDPR.
  5. Third-party sharing: if sponsors, exhibitors, or platform providers will receive data, this must be disclosed at registration, not buried in terms and conditions.
  6. Individual rights: attendees must be informed of their rights to access, rectify, erase, object, and port their data.

Consent and legitimate interests are the two most common lawful bases for event data. Consent must be freely given, specific, informed, and unambiguous. A pre-ticked box does not count.

Legitimate interests can cover certain operational uses, such as sending logistical event information to registered attendees, but it cannot justify sharing data with third parties without proper disclosure. This is where badge scanning by exhibitors becomes a significant compliance risk. When an exhibitor scans a delegate’s badge, they are capturing personal data and become a separate data controller with their own GDPR obligations. This requires explicit, granular consent from the attendee before the scan takes place, and the exhibitor must provide their own privacy notice.

Granular consent means a separate tick-box for each specific purpose, not one blanket agreement covering everything.

Pro Tip: If your event involves exhibitors or sponsors who wish to scan badges or receive attendee lists, build a dedicated consent layer into your registration flow well before the event date. Retrofitting consent is both impractical and legally fragile.

Special category data such as disability requirements, dietary information linked to religious beliefs, or medical conditions demands even higher standards. You should collect only what is strictly necessary and apply additional safeguards throughout processing. Always review your event accommodation data policies when booking residential events where this type of information is routinely collected.

Ensuring data security and minimising risk

After securing the right consents, you must ensure the data remains protected throughout the event lifecycle.

Data security is not a back-office concern. It is an active responsibility that runs from the moment the first registration form is submitted to the moment the last record is deleted. Events create unique security challenges because data moves across multiple platforms, devices, and teams under significant time pressure.

Security measures across the event lifecycle

Each stage of the lifecycle carries its own risk and calls for its own control:

  • Pre-event registration. Risk: unauthorised access to the registration platform. Control: encrypted platform, access controls, two-factor authentication.
  • On-site check-in. Risk: physical theft of devices holding attendee data. Control: device encryption, locked cabinets, limited staff access.
  • Badge scanning. Risk: unconsented data capture. Control: explicit consent process, exhibitor briefing packs.
  • Virtual platform. Risk: exposure of session recordings and chat logs. Control: role-based access, clear retention policy.
  • Post-event. Risk: residual data in CRMs and spreadsheets. Control: scheduled deletion, processor audit.

The ICO’s guidance is unambiguous: encryption, access controls, and a documented breach response plan are fundamental requirements, not optional extras. Special category data must be deleted promptly after the event unless there is a clear, documented reason for retention.

Responding to a breach

Even the most well-prepared events can experience incidents. A laptop left in a taxi, a spreadsheet sent to the wrong address, or a platform vulnerability can all trigger a data breach. Your response determines both the regulatory outcome and the reputational impact.

If a breach is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO within 72 hours of becoming aware. This is not negotiable. The 72-hour clock starts the moment your organisation has reasonable awareness of the incident, not when the investigation is complete.

Pro Tip: Prepare a one-page breach response card for your on-site event team covering who to contact, what information to record, and how to escalate. Run a short tabletop exercise with your team before each major event.

For high-stakes scenarios involving sensitive attendee populations, reviewing your approach to emergency event data planning can help ensure your incident response is embedded in broader event contingency planning rather than treated as a separate concern.

Building a GDPR compliance workflow for your event

With data security measures in place, an organised compliance workflow ensures your event stands up to regulatory scrutiny.

A solid compliance workflow is not a one-time audit. It is a repeatable process that runs in parallel with your event planning timeline. The key steps for UK organisations include mapping data flows, conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, training staff, auditing processors, and establishing a retention schedule.

Step-by-step compliance workflow

  1. Map your data flows: Before any planning begins, document what personal data you will collect, where it will be stored, who will access it, and where it will travel. This includes third-party platforms, registration systems, accommodation providers, and catering managers.
  2. Assess the need for a DPIA: a Data Protection Impact Assessment is required when processing is likely to result in a high risk to individuals. The ICO advises that a DPIA for large-scale or sensitive data processing should be conducted proactively, not reactively. Large conferences, events handling medical information, or those using facial recognition or behavioural tracking technology all trigger this requirement.
  3. Draft compliant registration materials: Privacy notices, consent forms, and registration page copy should all be reviewed by your DPO or legal team before going live.
  4. Audit your processors: Every third party that handles attendee data on your behalf, whether it is a registration platform, an event app provider, or a venue’s Wi-Fi system, must have a Data Processing Agreement (DPA) in place. Without this, you are exposed.
  5. Train your event team: Staff who check in delegates, manage badge printing, or operate virtual platforms must understand the basics of GDPR. A 30-minute briefing before the event is not sufficient for complex operations. Build training into your standard event preparation.
  6. Establish a retention and deletion schedule: Decide before the event how long each category of data will be kept and who is responsible for deletion. Document this and follow through.

Comparing approaches: reactive vs. proactive compliance

  • Reactive compliance: responds to complaints or breaches only. Risk level: high (fines, reputational damage).
  • Tick-box compliance: follows a generic template without tailoring. Risk level: medium (gaps in edge cases).
  • Proactive compliance: built into planning from day one and reviewed per event. Risk level: low (defensible, auditable).

Pro Tip: Link your GDPR compliance workflow directly to your event risk assessment. Reviewing event risk assessment steps alongside data protection obligations ensures nothing slips through the gap between operational and regulatory planning.

Why standard event checklists aren’t enough for true GDPR compliance

Having mapped out a compliance workflow, it is worth reflecting on the real-world gaps that experience consistently reveals.

The uncomfortable truth about event GDPR compliance is that most planners treat it as a documentation exercise rather than a cultural commitment. They download a checklist, tick the boxes, and move on. The problem is that GDPR pitfalls in events are almost always contextual. They emerge in the gap between what the form says and what actually happens on the day.

Name badges are a good example. Name badges are permissible under legitimate interests if attendees are clearly informed and given an opt-out option. But the moment an exhibitor photographs those badges, scans a QR code, or records names from an attendee list without explicit consent, you have a breach in progress. We have seen near-misses arise from something as routine as a printed delegate list left on a registration desk.

The planners who navigate GDPR most effectively are those who regard transparency as a value, not a legal obligation. When attendees genuinely understand how their data will be used and feel respected in the process, compliance becomes a byproduct of good practice rather than a burden. That mind-set shift is what separates professional event management from reactive tick-boxing.

For deeper reading on aligning data responsibilities with wider business event strategy, the connection between compliance, trust, and delegate experience is worth exploring.

Elevate your next event with secure, compliant planning

Ready to put robust compliance into practice for your next event? At Jigsaw Conferences, we have been supporting corporate event planners across the UK since 2003, and we understand that GDPR considerations do not exist in isolation from venue choice, logistics, and budget. Our free venue-finding service connects you with spaces that understand their own data obligations, giving you one less variable to manage. Whether you are organising a 20-person board meeting or a 2,000-delegate annual conference, our team can help you source venues aligned with your compliance, accessibility, and operational requirements. Speak to us today and let us take the complexity out of your next event.

Frequently asked questions

Do small internal events need to comply with GDPR?

If you collect or process any personal data of attendees, GDPR applies, regardless of event size, so all UK corporate events should consider compliance. Even a small internal meeting where you record names and contact details falls within the scope of GDPR.

Can we share attendee data with sponsors under GDPR?

You can share data with sponsors, but only with explicit, granular consent from each attendee and by ensuring the sponsor provides their own privacy notice. Exhibitors and sponsors become separate data controllers the moment they receive that information.

What do we do if there’s a data breach at our event?

If the breach risks the rights and freedoms of attendees, you must notify the ICO within 72 hours and take immediate steps to contain the incident and document your response.

Can we sell our attendee lists?

No. Selling attendee lists without explicit opt-in consent from each individual is not permitted under GDPR and could result in significant regulatory penalties and reputational harm.

Jigsaw Conferences Editorial Team

The Jigsaw Conferences Editorial Team comprises venue finding experts with over 20 years of combined experience in the events and hospitality industry. Our team includes certified meeting professionals (CMP), venue sourcing specialists, and industry analysts who provide authoritative insights on venue selection, event planning, and corporate accommodation.
