
Why Email Is the Weakest Link in Your Event Safety Chain
And what to do about it before Martyn’s Law compliance bites.
David Franklin | SafetyDocs
You wouldn’t run an event without a risk assessment. You wouldn’t let contractors on site without approved RAMS. You wouldn’t skip the emergency procedures briefing.
But chances are, you’re distributing all of those documents by email.
And in doing so, you’re introducing a set of risks that most event organisers haven’t fully considered — risks to data security, compliance, operational accuracy, and your ability to prove due diligence when it matters most.
This article breaks down why email fails as a safety document sharing system, what the regulatory landscape expects of you, and what a purpose-built alternative looks like in practice.
The Version Control Problem Nobody Can Solve
Let’s start with the most visible failure, because every event professional has experienced it.
A contractor emails you their RAMS. You review it, request changes, and email it back. They make amendments and send a new version — but to a different contact on your team. Meanwhile, the original version has been forwarded to the site manager, who printed it for the ops folder three days ago.
On event day, three different people are working from three different versions of the same document.
This isn’t carelessness. It’s what happens when your document management system is an email inbox. Email creates copies, not connections. Every send is a fork in the road. Every forward is another version that exists outside your control.
Now multiply that by every contractor, every document type, every event. The compound effect isn’t just confusion — it’s a genuine safety risk. If someone is working from an outdated emergency procedure or a superseded site plan, the consequences aren’t administrative. They’re operational.
The Security Problem Hiding in Plain Sight
Beyond version control, email introduces a category of data security risks that most event teams haven’t mapped.
Safety documents routinely contain personal data: names, phone numbers, roles, sometimes medical information for first aid and welfare teams. Site plans may include sensitive security details — entrance and exit routes, control room locations, crowd management measures, CCTV positions.
Under UK data protection law, you’re required to protect this information with measures “appropriate to the risk.” So how does email measure up?
Email encryption is weaker than you think
Most email travels between mail servers over SMTP with STARTTLS, an extension that provides what’s known as “opportunistic encryption.” The sending server tries to encrypt the connection, but if it can’t, it sends the message in plaintext anyway. Unless both your organisation and the recipient’s have enforced strict transport security (using standards like MTA-STS or DANE), there’s no guarantee your safety documents are encrypted in transit.
The UK’s National Cyber Security Centre (NCSC) explicitly flags this vulnerability and recommends MTA-STS to prevent downgrade attacks — where an attacker forces the connection back to unencrypted.
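The difference between opportunistic STARTTLS and an enforced MTA-STS policy, shown as an added example (not code from this article or from SafetyDocs): a sketch of the sender-side decision defined in RFC 8461, run against constructed sample data. The domain names, sample records and function names are illustrative assumptions.

```python
# Added example: sender-side MTA-STS check per RFC 8461, on constructed data.
SAMPLE_TXT = "v=STSv1; id=20250101T000000Z;"   # constructed _mta-sts TXT record
SAMPLE_POLICY = (                               # constructed policy file body
    "version: STSv1\r\nmode: enforce\r\n"
    "mx: mail.venue.example\r\nmx: *.mailhost.example\r\nmax_age: 604800\r\n"
)

def parse_txt_record(txt):
    """Return the policy id from a '_mta-sts.<domain>' TXT record."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields["id"]

def parse_policy(text):
    """Parse the key/value policy file fetched over HTTPS from mta-sts.<domain>."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid policy mode")
    return policy

def mx_allowed(mx_host, patterns):
    """Match an MX host against policy patterns; '*.' covers one label only."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            parts = host.split(".", 1)
            if len(parts) == 2 and parts[1] == pat[2:]:
                return True
        elif host == pat:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """tls_ok: STARTTLS was offered and the certificate validated for mx_host."""
    if policy["mode"] != "enforce":
        return "deliver"  # opportunistic: a stripped STARTTLS still gets mail
    return "deliver" if tls_ok and mx_allowed(mx_host, policy["mx"]) else "refuse"
```

Only `mode: enforce` makes a compliant sender hold the message when encryption is stripped; a policy left in `testing` still delivers over the downgraded connection.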
Once sent, you’ve lost control
This is the fundamental limitation. When you email a document, you create a copy on the recipient’s device, in their inbox, on their email provider’s servers, and potentially in backups. You cannot recall it. You cannot revoke access. You cannot even confirm who has read it.
If a contractor leaves the project, their copy of your site security plan is still sitting in their inbox. If someone forwards it to an unintended recipient — which the ICO confirms is the single most commonly reported breach type — you may not even know it happened.
Metadata tells its own story
Even where email content is protected, the metadata isn’t. Header fields — sender, recipient, subject line, timestamps — travel in the clear and accumulate at every relay point. A subject line reading “Manchester Arena — Security Assessment v3 — CONFIDENTIAL” tells an adversary something useful before they’ve opened the attachment.
What the Regulators Expect
UK GDPR
Under Article 32, you must implement “appropriate technical and organisational measures” to protect personal data. The ICO explicitly recognises encryption as one such measure. But beyond encryption, the regulation expects you to demonstrate access control, data minimisation, and the ability to respond to breaches — including notifying the ICO within 72 hours.
If your safety documents are distributed by email, demonstrating who had access to what becomes extraordinarily difficult. Proving that access was limited to authorised individuals? Even harder.
UK government email guidance is direct: email should not be used to transfer bulk sensitive data. It recommends secure web services or access-controlled portals for routine sharing of sensitive datasets.
Martyn’s Law
The Terrorism (Protection of Premises) Act received Royal Assent in May 2025, and venues have up to 24 months to comply. The Security Industry Authority (SIA) is the regulator.
For venues in the enhanced tier (800+ capacity), the requirements include formal security assessments, documented security plans, and — critically — the ability to demonstrate compliance. That means audit trails. Version history. Proof of who approved what and when.
Email doesn’t give you any of that. A platform designed for the purpose does.
What a Purpose-Built System Looks Like
The alternative to email isn’t “better email.” It’s a different model entirely — one where documents live in a single, controlled environment rather than being copied across dozens of inboxes.
Here’s what that looks like in practice with SafetyDocs:
One version of the truth
Documents exist in one place. When a contractor submits their RAMS, it’s uploaded to the platform — not attached to an email. When amendments are requested, they happen within the system. Everyone with permission sees the current version. There is no “Final_v7” problem because there’s only ever one version: the live one.
Permissions, not possession
Access is granted to named individuals based on their role. A contractor sees the documents relevant to their scope. A venue safety manager sees everything. A site operative sees what they need for the day.
When the engagement ends, access is revoked. Not “we asked them to delete the email” — actually revoked, at the platform level, immediately.
Automated workflows
SafetyDocs doesn’t just store documents. It manages the process. Contractors are prompted to submit. Documents are reviewed. Amendments are requested through the system. Approvals are recorded with timestamps and user attribution.
This means no more chasing contractors for updated RAMS via email. No more wondering whether the version in the site folder has been approved. The system handles the workflow, and the audit trail builds itself.
Built-in audit trail
Every action is logged. Who uploaded what. Who reviewed it. Who approved it. Who accessed it and when. This isn’t a nice-to-have — it’s the foundation of demonstrable compliance under both UK GDPR and Martyn’s Law.
Try reconstructing that from an email chain.
Encryption without the complexity
SafetyDocs runs on AWS infrastructure within the UK, behind Cloudflare’s enterprise security layer. All data is encrypted in transit (via enforced HTTPS/TLS — no opportunistic fallback) and at rest. Multi-factor authentication can be enforced per role. The platform supports enterprise identity providers via SAML and OpenID Connect.
None of this requires your contractors to install special software, manage encryption keys, or remember to password-protect a ZIP file. The security is built into the platform, not bolted onto the workflow.
The Human Error Equation
Technology aside, the strongest argument against email for safety documents is human.
People forward emails to the wrong address. They reply-all when they shouldn’t. They leave sensitive attachments in inboxes that get compromised. They print documents and leave them on desks. They work from outdated versions because they didn’t see the latest email buried in a thread.
None of these are technology failures. They’re predictable outcomes of using a tool for something it wasn’t designed to do.
A centralised platform doesn’t eliminate human error. But it narrows the surface area dramatically. There’s one place to go, one version to work from, and a clear record of who did what. When something goes wrong — and eventually something will — you have the evidence to respond, contain, and report within the timeframes the ICO expects.
Making the Shift
If you’re an event organiser or venue operator still managing safety documentation by email, the question isn’t whether you should change. It’s how quickly you can.
Start here:
1. Audit your current process. How many safety documents did you send by email last month? How many versions of each exist? Could you produce an access log if the ICO asked for one?
2. Classify your documents. Which ones contain personal data? Which ones contain security-sensitive information? Those are the ones that should move to a controlled platform first.
3. Talk to your contractors. Most contractors are used to submitting documents however the venue or organiser asks. If you provide a portal, they’ll use it. The shift is easier than you think.
4. Evaluate SafetyDocs. It’s built specifically for this workflow — event safety documentation, shared between venues, organisers, and contractors, with the version control, permissions, and audit trail that email can never provide.
The Bottom Line
Email is a communication tool. It was never designed to be a document management system, a compliance platform, or a security-controlled distribution channel.
Every time you attach a safety document to an email, you’re creating a copy you can’t control, in a system you can’t audit, with encryption you can’t guarantee.
SafetyDocs exists because event safety documentation deserves better than that. One ecosystem. Create. Sync. Share. Comply.
The risk of staying on email isn’t theoretical. It’s the version confusion that leads to the wrong procedure on event day. It’s the personal data sitting in a compromised inbox. It’s the regulator asking for an audit trail you can’t produce.
The tools exist to fix this. The only question is whether you’ll fix it before something forces your hand.
David Franklin is the founder of SafetyDocs, a platform purpose-built for event safety documentation and compliance. For more information, visit safetydocs.org

