GDPR for Event Organisers
You collect personal data every time someone buys a ticket. Here is what you need to know about data protection law to stay compliant and avoid fines.
What Data You Collect and Why It Matters
Every ticket sale collects personal data: name, email address, phone number, payment details. If you use a scanner app at the door, you are processing data about who attended. If you take photos or video at events, that is personal data too.
Under UK GDPR (the EU GDPR as retained in UK law after Brexit, read together with the Data Protection Act 2018), you are a data controller for all the personal data you collect. That means you are legally responsible for how it is collected, stored, used, and deleted.
The penalties for non-compliance are significant. The Information Commissioner's Office (ICO) can issue fines of up to £17.5 million or 4% of annual turnover, whichever is higher. In practice, small organisers are more likely to face enforcement action from complaints than proactive ICO audits, but the risk is real.
The good news is that compliance for event organisers is straightforward. You do not need a lawyer or a data protection officer for most small to medium events. You just need to follow the principles and document what you do.
Lawful Basis for Processing Data
Under UK GDPR, you need a lawful basis for processing every piece of personal data. For event organisers, two bases cover most situations, with consent needed on top for marketing.
Contract: When someone buys a ticket, you have a contract with them. You can process their name, email, and payment details because it is necessary to fulfil that contract (deliver the ticket, provide access to the event, send booking confirmations). This covers most of your core data processing.
Legitimate interest: You may have a legitimate interest in processing some data beyond the contract, such as analysing attendance patterns to improve future events. You need to balance your interest against the individual's rights and document your reasoning.
Consent: For marketing emails, you generally need explicit consent. A clear, unticked checkbox at purchase saying “I would like to receive emails about future events” is the standard approach. Pre-ticked boxes are not valid consent under UK GDPR.
Soft opt-in for existing customers: There is an exception under the Privacy and Electronic Communications Regulations (PECR). If someone bought a ticket from you, you can email them about similar events without explicit consent, provided you gave them the option to opt out at the time of purchase and in every subsequent email. This is called the “soft opt-in” and is widely used by UK event organisers.
For more on building your email list compliantly, see our email marketing guide.
What You Need to Have in Place
Here is a practical checklist of what you need as an event organiser to be GDPR compliant.
Privacy policy: A written document explaining what data you collect, why, how long you keep it, and who you share it with. This must be accessible from your event listing and website. It does not need to be long, but it must be clear.
Consent mechanisms: An unticked checkbox for marketing consent at the point of ticket purchase. An unsubscribe link in every marketing email. A way for people to withdraw consent at any time.
Data processing records: A simple document listing what personal data you hold, where it is stored, why you have it, and when you will delete it. This is called a Record of Processing Activities (ROPA). A spreadsheet is sufficient.
Data sharing agreements: If you share attendee data with third parties (venues, promoters, sponsors), you need a written agreement covering how they will handle that data. Your ticketing platform is a data processor acting on your behalf, and their terms should cover this.
Breach procedure: If personal data is compromised (hacked database, lost laptop, accidental email to the wrong person), you must report it to the ICO within 72 hours of becoming aware of it if it poses a risk to individuals. Have a simple process documented for who to contact and what steps to take.
Attendee Data Rights
Individuals have specific rights under UK GDPR that you must be able to fulfil.
Right of access: Anyone can request a copy of all personal data you hold about them. You must respond within 30 days. This is called a Subject Access Request (SAR).
Right to erasure: Individuals can ask you to delete their personal data. You must comply unless you have a legal obligation to keep it (for example, financial records for HMRC). Note that you can retain anonymised or aggregated data for analytics.
Right to rectification: If someone's data is wrong (misspelled name, old email address), they can ask you to correct it.
Right to object: Individuals can object to you using their data for direct marketing at any time. When they object, you must stop immediately. This is why every marketing email must have an unsubscribe link.
Right to portability: Individuals can request their data in a commonly used format (CSV, for example) to transfer to another service. This is rarely exercised but you should be able to fulfil it.
Using a ticketing platform like tickts that gives you full access to your customer data makes it straightforward to fulfil these requests. Platforms that restrict your access to buyer data make compliance harder.
Photography and Video at Events
Taking photos and video at events involves personal data. Here is how to handle it.
General crowd shots: Photography of crowds at a public event generally falls under the legitimate interest basis. However, you should inform attendees that photography will take place. A notice on your event listing and at the venue entrance is standard practice.
Individual photos: Close-up photos of identifiable individuals require more care. If you use them for marketing, get consent or ensure you have a strong legitimate interest basis. A model release form is best practice for any individual featured prominently in marketing materials.
CCTV and security cameras: If the venue has CCTV, this is typically the venue's responsibility, not yours. But if you install additional cameras, you need signage and a lawful basis.
Event listing notice: Add a line to your event listing: “Photography and video will take place at this event for promotional purposes. By attending, you acknowledge this. If you do not wish to be photographed, please speak to a member of staff.” This is not consent under GDPR (attendance is not consent), but it sets expectations and demonstrates transparency.
For broader event planning considerations including risk assessments, see our event planning checklist.
Quick-Start Checklist
Full Data Control on Tickts
tickts gives you complete access to your customer data. Export attendee lists, fulfil data requests, and own your audience relationship. No restrictions, no data gatekeeping.