Event Marketing in a GDPR World: What’s allowed, what’s not & tips for Pardot.

Share this article...

Marketing that surrounds events and trade shows is important to get right – after all, they are a significant investment when compared to other marketing initiatives. Engaging with attendees before, during and after the event is key to effective marketing and influencing the sales pipeline.

 In comes GDPR, a new data privacy legislation that places new restrictions on collecting and processing personal data. As many people have discovered while preparing for GDPR, there are plenty of ‘grey areas’ to tackle – the parts of the new regulation that are open to interpretation, and therefore, potentially opening the business to data breaches.

Event marketing is one of those grey areas. The multitude of ways a prospect can engage with your organisation as a result of an event makes justifying and tracking marketing consent tricky. What is allowed if:

  • You capture a new lead at an event?
  • You collect a business card from a bowl collection?
  • A salesperson meets a prospect?
  • You receive show data from the organisers?

You’re not alone if you are confused about what consent counts when, how and where during the whole event marketing lifecycle.

This piece goes into a few tips about event marketing in an age of Data Privacy. It’s by no means an exhaustive list, but covers things to bear in mind for the event marketing lifecycle.

First question: Event Host or Exhibitor?

Answering this question is important to note from the outset, because there are different approaches depending on whether you are:

  • Hosting/Running the event yourself
  • An exhibitor at an event (being run by a 3rd party)

If your company is the event host, you have more control over data collection and usage. You also have visibility into attendee consent at each stage of the journey (eg. at registration). If your access to data is controlled by a conference organiser, you may need to dig deeper into the small print on the exhibitor contract you sign (which should reflect their Data Privacy Policy); for example, if they are handling the data to you after the event, they will have had to gain attendee’s permission to share and transfer their data.  

Your answer to this question will also be relevant later, post-event.

Pre-event: Invitations & Promotion

The email invitation is ready – who do you send it to? How you put together your mailing list for an event invitation depends on how your Salesforce/Pardot account has been set up to handle permissions and consents.  

A simple setup would be controlled by Pardot public lists, which are visible on the email preference centre for prospects to opt themselves in and out as they desire. If you have a public list called ‘Event Updates’, then it would be a case of using this as your mailing list. Although this has been marketing best practice up until now, a single opt-in won’t be considered sufficient for GDPR (Articles 5-7 say you need to track where and when the opt-in was given, plus an expiry date). 

However, with GDPR coming into action, many organisations will need to go beyond this simplistic way of managing preferences. Extending Salesforce to track and maintain opt-in permissions is something that has been covered on the Salesforce GDPR Sprint Salesforceben series. Ian Gotts, a GDPR expert, digs deep into how Salesforce should be extended to manage individual’s consents to each type of content, marketing channel, related to the relevant legal basis. It’s a solid framework that will keep Privacy Permissions in check, at scale. It’s worth checking with your Salesforce Admin how to segment data for mailing lists going forward; new additions could range from a few new fields to multi-layer consents (like this framework).

Pre-event: Lead Capture Setup

If you are collecting leads at the event (eg. with an iPad), then you must prepare your lead capture forms to include an opt-in checkbox field for each consent, bearing in mind there may be more than one (eg. product updates, event invites, blogs). Although opt-in checkboxes have been used by companies for countless of years, now it’s necessary to ensure new prospects are explicitly agreeing to your intentions for processing their data. Read this great tutorial by Nebula Consulting to get that setup.

Your data capture tech may be ready, but don’t forget about the people handling the iPad/scanner! Briefing your team is so important. Anyone collecting data should know what to say to data privacy questions when asked. What will your organisation be doing with people’s data? What are they opting into? Even if this information is written, everyone should be clued up for full transparency. Guerilla scanning won’t go down too well either.

Post-event: Get Clued-up on ‘Legal Basis’

Understand what your Salesforce org requires in order to comply with your organisation’s data storage and processing rules.

If your Salesforce org now houses a privacy opt-in framework for Salesforce, you should seek your admin’s help before attempting any loading. With Ian’s framework, a permission record needs to be added for each person that will specify all their opt-in details, ie. ‘product updates allowed by email because agreed when attending Dreamforce ’17 workshop on 8 Nov 2017 and this expired on 7 Feb 2018’. That’s a lot to get right! You only need to see the Event Marketing process map that Elements.cloud published in their portal – it may look complicated, but it’s important not to underestimate.

Then, it’s crucial to understand which ‘Legal Basis’ applies to each category of captured data.

‘Legal Basis’ are the valid reasons that we can store and process an individual’s data. These 6 categories are listed in Article 6 of GDPR:

  • Consent
  • Contract
  • Legitimate Interests
  • Legal Obligation
  • Vital Interests
  • Public Task

In the private sector, you are likely to come across three of six*: ‘consent’, ‘contract’, and ‘Legitimate Interests”.

In marketing, we will be most familiar with ‘consent’, when an individual agrees to how you want to use their data. As a customer, the ‘contract’ covers your reason to store and process their data.

(*unless you are dealing with ‘special category’ data).

And what about ‘‘Legitimate Interests”? The ICO say that Legitimate interests flexible, and “could in principle apply to any type of processing for any reasonable purpose”. That sounds like a grey area!

Let’s tackle the data you have captured at the event. You need to specify a Legal Basis for every record that enters your database, to justify why you are processing that data.

The ‘formal’ ways to capture data (iPad form, badge scanner, post-show export from 3rd party), are covered by ‘consent’ if you have done your data capture setup properly, or read the small print on the exhibitor contract you signed.

What about the ad-hoc ways? I mentioned one in the introduction that commonly causes questions: a salesperson meets a prospect and collects a business card. This face-to-face interaction can count as ‘Legitimate Interests”. But, slow down! Don’t abuse this 1-to-1 relationship, and don’t automatically opt the individual in to marketing lists. You should keep them separate from your other event data – yet, you can try to gain their consent…

Post-event: Double opt-in

Double opt-in, also known as ‘confirmed opt-in’, is good practice in marketing automation. It ensures that people are granting you their ‘explicit consent’ – a core requirement of GDPR.

Going back to the question: ‘are you an event host or exhibitor?’, it’s important to note that if data is sent to you post-show by a 3rd party, you may have to put prospects through a double opt-in flow. In fact, you should ask them to confirm their details (validating their email address), and their consent.

Read this post for more on how to implement this flow in Pardot: ‘The Secret to Building a Double Opt-In Mechanism in Pardot

Double opt-in can be worked into your follow-up emails for maximum impact. Speedy follow-up is key – wait a week and your prospects will have forgotten who you are.


This piece has covered a few tips about event marketing in an age of Data Privacy. I’ve touched on how you should:

  • Segment your database for Invitations & Promotion campaigns
  • Prepare your lead capture forms & team
  • Store new data for continued compliance
  • Verify new prospects’ consent with double opt-in

This is by no means an exhaustive how-to, but it has covered some things to bear in mind for the event marketing lifecycle.

Add Comment