June 03, 2025
Data & Analytics Events
By Mike Fletcher
Meetings_&_Events_Trends_Thumbnail
A person is working on a laptop
2025 Meetings and Events Trends
Learn what 2025 will have in store for the meetings and events industry.
Download the eBook

Working in events, how we collect, store, and use personal data has never been more important or more scrutinized. From facial recognition check-ins to hyper-personalized event apps, technology has transformed the event experience. But with that transformation comes greater responsibility.

As event professionals and marketers, you are custodians of significant volumes of personal data, and with that comes legal, ethical, and reputational obligations.

For example, the General Data Protection Regulation (GDPR), for example, isn’t just a compliance box to tick—it’s a foundation for attendee trust in an increasingly data-driven events landscape. In this article, we look at why GDPR is more relevant than ever in 2025 and how to stay compliant.

Why data privacy and compliance matter more than ever

Today’s attendees expect seamless, personalized experiences, but also demand transparency and control over their personal information. Meanwhile, regulators have ramped up scrutiny, with data breaches leading to serious consequences.

With increased digital touchpoints across virtual, hybrid, and in-person events, data privacy is no longer confined to registration forms. It encompasses everything from your event website’s cookie banner to how your CRM handles contact segmentation.

In short, privacy is everyone’s responsibility, from planners to marketers and tech partners. And with consumer trust in how brands handle data at an all-time low and the amount of personal data available for increased personalization at an all-time high, it’s a responsibility that needs to be taken seriously.

💡Hear from Stephen Macatuno, Cvent’s VP Marketing – Global Demand Center, on the key regulations you should know:

Why GDPR still matters in 2025

Introduced in 2018, GDPR is a UK and EU regulation that governs how personal data is collected, processed, stored, and shared. For events, it means being clear, secure, and accountable at every stage of the event lifecycle.

In the years since its introduction, GDPR has led to high-profile enforcement actions across industries, including events. In 2023, for example, a global conference organizer was fined for failing to obtain proper consent for marketing emails and sharing attendee data with unauthorised third parties. The message is clear: compliance is not optional.

Whether you’re hosting a product launch in London or a hybrid summit with EU delegates, if you’re collecting data from UK or EU residents, GDPR applies to you.

“On the one hand, we have consumer expectations. Audiences demand personalization, something that feels unique, special, and meant for them. When it’s done well, it increases their engagement, conversion and levels of satisfaction. On the other hand, we have privacy, security, and compliance. Consumers are more aware than ever of how their data is used. And we’ve all seen what happens when brands get this wrong - damaged reputations, lost trust, and massive fines.”

Mary Kluck, Director, Cvent Consulting

What kind of event data are you collecting?

You often collect far more personal data than you may realise. Consider the following:

  • Registration forms: Name, email, company, job title, dietary and accessibility requirements
  • Mobile apps: Login details, activity tracking, session bookmarks
  • Lead capture tools: Badge scans, exhibitor notes, contact details
  • Event surveys and polls: Opinions, feedback, behavioral insights
  • Travel/accommodation info: Passport numbers, travel preferences, accessibility needs

Every one of these touchpoints can help increase the personalization of your events, and yet, they also pose a risk if not managed properly, and every one of them must be GDPR-compliant.

💡Learn about the shift from third-party to first-party data:

The hidden risks and touchpoints

However well-intentioned you are, it’s easy to overlook key compliance risks such as:

  • Cookies and tracking on event websites: Without a proper consent mechanism, tracking website visitors could breach GDPR.
  • CRM integration and email marketing: Adding contacts to lists without explicit opt-in consent is a common (and costly) mistake.
  • Third-party data processors: Any tech partner or platform that processes attendee data on your behalf must meet GDPR standards. That includes badge printing providers, mobile app suppliers, and analytics platforms.
  • Event Wi-Fi networks: Collecting user data or login details through public or semi-public Wi-FI at your event venue can introduce privacy concerns, especially if data is shared with sponsors or used for remarketing without consent.
  • On-demand content and session replays: If you’re offering recorded sessions post-event, ensure attendee participation (such as chat comments or names displayed during Q&A) is handled sensitively and in line with your privacy notice.

6 tips for navigating GDPR

Fortunately, staying compliant doesn’t mean compromising on innovation. With the right practices and partners, you can deliver personalized, data-driven experiences safely and legally.

Follow these six GDPR best practices:

1. Get clear consent

  • Use unticked opt-in boxes for marketing communications.
  • Ask for cookie consent before tracking site behavior.
  • Give attendees the option to update preferences anytime.

2. Be transparent

  • Include easy-to-find privacy policies on your website and registration forms.
  • Be clear about what data you’re collecting and why.
  • Disclose any third-party data sharing.
  • Let users control their data. Give them the option to adjust their preferences and opt out of cookies, event tracking, or event follow-up communications.

3. Limit data collection

  • Only collect the data you need to deliver the experience.
  • Avoid asking for sensitive data unless it’s absolutely necessary.
  • Set access controls so that sensitive information isn’t exposed.
  • Regularly audit your forms and fields.

4. Store and process data securely

  • Use platforms that encrypt data and offer secure access controls.
  • Understand your integrations and how your data flows between tools.
  • Define internal data retention periods and deletion policies.
  • Train staff and suppliers on data security.

5. Choose GDPR-compliant suppliers

  • Make sure your technology partners offer compliance tools and documentation.
  • Sign data processing agreements with all third-party suppliers.

6. Have a plan for data breaches

  • Prepare an internal response process.
  • Know when and how to notify regulators and attendees.
  • Document all incidents—even minor ones.

💡Want to go deeper? Catch up with this webinar on data privacy and personalisation in events for more insights:

“Know your security rules and regulations, make your data policies clear and easy to understand, don’t overpersonalize or personalize too quickly as it could feel invasive to your attendees, and prioritise first-party data - it’s a lot more valuable and compliant than third-party data.”

Stephen Macatuno, VP, Marketing – Global Demand Center, Cvent

How Cvent helps with data privacy

Cvent’s platform and suite of tools are designed with data protection in mind. Whether you’re managing registration, email marketing, lead retrieval, or reporting, Cvent helps you maintain compliance every step of the way.

Key GDPR-compliant features include:

  • Consent capture tools for registration and marketing
  • Secure data storage and encryption
  • Customisable privacy settings for attendees
  • Tools to support data deletion and Subject Access Requests (SARs)
  • Cookie warning overlays in all customer-facing pages to provide notice that cookies are being used.

Using an event platform designed with compliance in mind gives you confidence and reassures your attendees that their information is in safe hands.

“Invest in secure technology. Not all tools are created equal. Use platforms that prioritise compliance, encrypting things within your CRM for security, and of course, AI tools that protect and process your data responsibly.”

Stephen Macatuno, VP, Marketing – Global Demand Center, Cvent

FAQs: Your GDPR questions answered

Do I need to ask for cookie consent on my event site?
Yes, especially if you’re using tracking tools like Google Analytics or Facebook pixels. Use a cookie banner that offers users the option to accept or reject non-essential cookies.

What should I include in a privacy policy?
A clear explanation of what data you collect, why you collect it, how it’s stored, and who you share it with. Avoid legal jargon. Clarity builds trust.

How long can I keep attendee data after the event?
Only as long as necessary. Define a retention period (e.g., six or 12 months) and delete or anonymise data once it’s no longer required.

Can I personalize experiences and still comply with GDPR?
Yes! As long as you’ve obtained informed consent and are transparent about how personalization works, privacy and personalization can absolutely coexist.

Do I need a separate privacy policy for each event?

Not necessarily, but your general privacy policy should clearly cover event-specific data practices. For high-profile or complex events, a dedicated event privacy notice may improve clarity and trust.

Can I share attendee data with sponsors or exhibitors?

Only if the attendee has explicitly consented to it. Make this opt-in clear during registration (e.g., I agree to share my details with selected sponsors”) and avoid bundling consent with other terms.

What is a Data Processing Agreement (DPA), and do I need one with suppliers?

Yes. A DPA outlines how your vendors handle personal data on your behalf. Under GDPR, you are required to have these agreements in place with all third-party processors.

Do I need to appoint a Data Protection Officer (DPO)?
Not always. You only need a DPO if your organization regularly processes large volumes of sensitive data or tracks individuals on a large scale. However, having a designated data privacy lead is best practice.

What should I do if an attendee requests to be forgotten”?
Under GDPR, individuals have the right to erasure. You must respond promptly—verify their identity, delete their personal data where required, and confirm the action. Platforms like Cvent can help facilitate this.

Make GDPR part of your event strategy

Your attendees trust you with their data, so honour that trust by making privacy part of your planning and marketing DNA:

  • Audit your current data processes.
  • Review your consent mechanisms and privacy notices.
  • Work with trusted tech partners like Cvent, who support compliance from the ground up.

Data privacy isn’t just about protecting your organization; it’s about respecting your attendees. In 2025, the most successful events will be those that find the balance between smart personalized experiences that don’t violate data trust.

Mike leaning against the wall in his home with London skyline wall art in the background.

Mike Fletcher

Mike has been writing about the meetings and events industry for almost 20 years as a former editor at Haymarket Media Group, and then as a freelance writer and editor.

He currently runs his own content agency, Slippy Media, catering for a wide-range of client requirements, including social strategy, long-form, event photography, event videography, reports, blogs and ghost-written material.

More articles from Mike Fletcher

Subscribe to our newsletter

Sign me up