Risk assessments, Prevent and General Data Protection Regulation

Event managers must ensure that all hazards associated with an event have been identified, as far as is reasonably practicable.

Event managers must ensure a suitable and sufficient risk assessment is in place. Where risks have been identified, the event manager will ensure that action is taken to eliminate, reduce or control the risks so that they are as low as is reasonably practicable, and that the control measures are documented in this risk assessment.

An event risk assessment template is recommended for use by the event manager. A specific risk assessment for online events is also advised, as these events include additional types of risk. Note: If you have speakers at your event, the University Speakers and Events Policy (Exeter) / Speakers and events Process (Cornwall) must be followed, including risk assessment and approval of your speakers.

Once completed, the risk assessment should be sent to relevant parties, such as those taking part in or supporting the event.

In addition, a risk assessment should be provided to relevant parties when requesting permission for an event to take place.

Where actions are identified by the risk assessment, an action plan will be created and a lead person(s) assigned to ensure that all actions are undertaken.

Where there are actions in the action plan that cannot be fully resolved, the event manager must escalate within their management structure to seek support. The line manager must establish under what circumstances the event can proceed, or not, based on discussions with the event manager and other key people as appropriate.

The risk assessment must be treated as a ‘live’ document and be updated when actions in the action plan are complete.

For further guidance on risk assessments please visit the Event Management Standard or contact

The University is committed to the protection of freedom of speech and academic freedom, alongside a duty of care to its staff, students and visitors. Our policies for the booking of speakers and events reflect this and confirm our commitment to allow events to go ahead providing that they are within the law.

These policies are available to staff and students on the Prevent website.

The law around data protection has changed. The General Data Protection Regulation (GDPR) has applied in the UK since 25 May 2018, replacing the current Data Protection Act. GDPR law will continue to apply once the UK has exited the European Union. The new regulation introduces more stringent requirements for protection and accountability, and gives individuals more control over their personal data. To comply with the new law, the University, and every colleague, will have to do some things differently in the way we collect, use and manage personal data.

The new GDPR law applies to 'personal data', but defines this in more detail and includes a wide range of personal identifiers within its definition of personal information. For example, online identifiers such as IP addresses now count as personal data. The law also refers to sensitive personal data as 'special categories of personal data', making specific reference to genetic and biometric data.

For more information and how this may apply when organising an event, please visit the University's GDPR webpages.