UK GDPR for event organisers, written plainly.

    If you sell tickets, run a charity raffle, or organise a school production, you are processing personal data and you are a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The rules sound intimidating, but for most small event organisers compliance comes down to a handful of practical habits backed by named legal concepts.

    This guide explains what UK GDPR and PECR actually require in practice for the kind of events run by am-dram societies, charity fundraisers, schools, parishes, dance schools, and small venues. It is general information for UK event organisers, not legal advice. UK GDPR and ICO guidance evolve. For decisions specific to your organisation, consult a solicitor or contact the Information Commissioner's Office directly.

    Last updated 28 April 2026.

    Reviewed against ICO guidance, the UK GDPR (legislation.gov.uk), and the Data (Use and Access) Act 2025 to the best of our knowledge at the time of writing.

    The 80/20 of UK GDPR for event organisers.

    Most event organisers do not need to become privacy professionals. You need to: identify a lawful basis under Article 6 for every kind of processing you do; collect only the minimum data required to deliver the ticket and run the event (Article 5(1)(c), data minimisation, confirmed in the UK GDPR text on legislation.gov.uk); give buyers a clear privacy notice that meets the information requirements of Articles 13 and 14; obtain proper opt-in consent under PECR Regulation 22 before sending electronic marketing; keep the data secure (Article 5(1)(f), integrity and confidentiality); and only hold onto it as long as you genuinely need it (Article 5(1)(e), storage limitation). Everything else in this guide is detail around those habits.

    1. Only collect what you actually need.

    Data minimisation is a core UK GDPR principle (Article 5(1)(c))

    Data minimisation

    For a typical ticket order, a name and an email address are usually enough. Name lets you check the booking on the door. Email lets you deliver the ticket and contact the buyer if anything changes. You should not ask for date of birth, postal address, phone number, dietary requirements, gender, or anything else unless you have a concrete reason, and you should be ready to explain that reason if asked. Worked example: a community theatre selling £12 tickets to a Saturday-night show needs name plus email. It does not need date of birth (no age restriction), postal address (e-tickets, not posted), or phone number (email is sufficient). Adding those fields is a data minimisation breach even if the buyer happily fills them in. Every extra field is data you have to protect, retain, and potentially delete on request.

    • Name and email cover most ticketing scenarios. Anything beyond that needs a documented reason
    • Ask for dietary requirements only when there is catering and the kitchen will see the list
    • Ask for date of birth only when you genuinely need to verify age (over-18 events, age-restricted licences)
    • Ask for accessibility needs only when you can act on them in advance, and treat them sensitively
    • Avoid postal address and phone number unless physical post or urgent contact is genuinely required
    • Every optional field is data you have to look after, secure, and potentially produce on a subject access request

    A quick checkpoint.

    If your current order form asks buyers for date of birth, postal address, phone number, or anything beyond name and email "just in case", that is the change to make first. Removing unnecessary fields is the single biggest compliance win available to most small organisers, and the cheapest. The rest of this guide is about handling the data you do collect properly. If your audience is mostly children (school productions, dance recitals), the custom-questions section and the photo-consent edge case matter more than usual; the page on Seaty for schools covers the practical implementation.

    2. Pick a lawful basis under Article 6, and stick to it.

    UK GDPR Article 6 sets out six lawful bases for processing personal data

    Lawful basis

    Article 6 of UK GDPR sets out six lawful bases: (a) consent, (b) performance of a contract, (c) compliance with a legal obligation, (d) vital interests, (e) public task, and (f) legitimate interests. The exact wording of each is set out in the UK GDPR on legislation.gov.uk and in the ICO's lawful basis guidance. You must identify which one applies to each kind of processing and document it. For ticket sales, the data you genuinely need to deliver the ticket and run the event is usually covered by performance of a contract (Article 6(1)(b)): the buyer has bought a ticket and you need their details to honour the order. Marketing emails usually rely on consent (Article 6(1)(a)), and PECR Regulation 22 must be satisfied as well; where the narrow PECR soft opt-in applies (section 3), no consent has been collected, so the Article 6 basis is normally legitimate interests, with an assessment on file. Some background processing such as fraud prevention may rely on legitimate interests (Article 6(1)(f)), but only after you have completed a documented Legitimate Interests Assessment (LIA) showing the three-part test of purpose, necessity, and balance has been satisfied.

    Article 6(1)(b): Contract

    The data you need to deliver the ticket and run the event itself. Usually the right basis for the core ticketing transaction.

    Article 6(1)(a): Consent

    Marketing emails, optional photo permissions, anything not strictly required to fulfil the order. Must be unambiguous and freely given.

    Article 6(1)(f): Legitimate interests

    Sometimes appropriate for background activity like fraud checks or basic analytics. Requires a documented Legitimate Interests Assessment.

    3. Marketing consent under UK GDPR and PECR Regulation 22.

    Two regimes apply to electronic marketing, both must be satisfied

    Marketing consent

    If you want to email past or future attendees about other shows, fundraisers, or upcoming events, you need either their consent or the narrow PECR soft opt-in described below. Under UK GDPR, consent must be freely given, specific, informed, and unambiguous, which in practice means a positive opt-in action, not a pre-ticked tick box. PECR Regulation 22 governs unsolicited marketing by electronic mail to individual subscribers; 'electronic mail' covers email, SMS and other stored text, voice or picture messages (automated marketing calls fall under Regulation 19 and live marketing calls under Regulation 21). The soft opt-in in PECR Regulation 22(3) is structured as three conditions: the person's details were obtained in the course of a sale or negotiations for a sale of a product or service, the marketing is for your own similar products or services, and the person was given a simple means of refusing marketing when their details were collected and in every later message. Worked example: a small theatre wants to email last season's ticket buyers about the autumn pantomime. The soft opt-in is potentially available; those people bought tickets directly from the theatre, the new mailing is for a similar product (another show), and they had a simple opt-out at point of sale and an unsubscribe link in every email. If any of the three conditions is missing, you need fresh consent.

    • Tick boxes must be empty by default. Pre-ticked boxes do not constitute valid consent under UK GDPR
    • Marketing consent must be separate from accepting terms or completing a purchase (no bundled consent)
    • Silence, inactivity, or pre-checked boxes do not count as consent. The law requires a positive action
    • Make withdrawal as simple as signing up. Every email needs a working unsubscribe link
    • Keep an auditable record of when, how, and what each person consented to
    • The PECR soft opt-in is narrow. All three conditions in Reg 22(3) must be met, and you should document your reasoning

    4. Custom questions, special category data, and children.

    If you would not act on the answer, do not ask the question

    Custom questions

    Most ticketing platforms let you add custom questions to the order form. Treat that as a privilege, not a default. Dietary requirements: yes, if there is catering and the answers will reach the kitchen. Accessibility needs: yes, if you can act on them — and remember that health-related accessibility data is special category data under Article 9 and needs stronger safeguards. Photo permissions for child performers: yes, with a clear opt-in answered by the parent or person with parental responsibility. Pre-ticked boxes are unlawful. Worked example: a school nativity production wants to publish a photo gallery. The order form must include an explicit, unticked opt-in such as 'I give permission for the school to photograph my child during the production for inclusion in the school newsletter and website', separate from booking the ticket, and recorded against each child. UK GDPR Article 8 specifically governs consent for the offer of information society services directly to a child, and the UK has set the threshold at age 13 (legislation.gov.uk Article 8). For all other processing of children's data, and as a practical safeguard for school and youth-event scenarios involving photos and special category data, the working standard is consent from a person with parental responsibility.

    • Make the purpose of each question clear at the point of asking (privacy notice transparency)
    • Special category data under Article 9 (health, biometrics, religion, sexual orientation) needs explicit consent or another Article 9 condition
    • For children, get explicit consent from a person with parental responsibility. Pre-ticked boxes are unlawful
    • Avoid asking for date of birth, marital status, or occupation unless you have a real and stated reason
    • Review your custom questions before each event. Old questions tend to hang around long after the reason has gone

    5. Storage limitation: keep data only as long as you need it.

    Article 5(1)(e), the storage limitation principle

    Data retention

    UK GDPR does not set fixed retention periods — that is your decision based on what you need the data for, and you must be able to justify it. Financial records (orders, payments, refunds) typically need to be kept for around six years to satisfy HMRC. Attendee lists for an individual event can usually be deleted shortly after the event plus a reasonable window for refund requests and complaints. Marketing contacts should be kept only as long as the person consents; if they unsubscribe, remove them promptly. The accountability principle (Article 5(2)) means you must be able to show your reasoning, so write your retention periods down even if it is just a paragraph in a document called 'Data retention policy'.

    Financial records

    Around six years for HMRC purposes. Confirm with your accountant for your specific situation.

    Attendee lists

    Event date plus a refund and complaint window. Often a few months is enough. Delete then.

    Marketing contacts

    Until the person withdraws consent or you stop sending mail to that group. Honour unsubscribes within days, not weeks.
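    The retention schedule above (financial records for around six years, attendee data until the event plus a refund window, marketing contacts until they unsubscribe) is easiest to apply if it is written as a routine you run on a date rather than a paragraph you reread. The script below is an added example written for this guide; it is not Seaty's code and makes several assumptions: a 90-day refund window, a six-year financial period counted from the event date rather than the end of your accounting period (confirm the real trigger with your accountant), and that the retained financial record does not need the buyer's name, so the contact fields can be stripped while the amount and order reference are kept. Unsubscribed addresses are moved to a suppression list rather than forgotten entirely, so an old export cannot quietly re-add them; ICO direct marketing guidance permits keeping that minimum.

```python
from __future__ import annotations

from dataclasses import dataclass, field, replace
from datetime import date, timedelta

# Assumed policy values. The guide says "around six years" for financial
# records and "a few months" for attendee data; confirm both for your case.
FINANCIAL_RETENTION_YEARS = 6
REFUND_WINDOW_DAYS = 90


@dataclass(frozen=True)
class Order:
    order_ref: str
    event_date: date
    name: str | None
    email: str | None
    amount_pence: int
    custom_answers: dict = field(default_factory=dict)  # e.g. dietary needs


@dataclass(frozen=True)
class MarketingContact:
    email: str
    consented_on: date
    withdrawn_on: date | None = None


def add_years(d: date, years: int) -> date:
    """Same calendar day `years` later; 29 February rolls to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_action(order: Order, today: date) -> str:
    """What the schedule requires for one order on a given day."""
    if today >= add_years(order.event_date, FINANCIAL_RETENTION_YEARS):
        return "delete"          # financial retention period has run out
    if today > order.event_date + timedelta(days=REFUND_WINDOW_DAYS):
        return "strip_contact"   # keep the money trail, drop who the person was
    return "keep"


def apply_order_retention(orders: list[Order], today: date) -> tuple[list[Order], list[tuple[str, str]]]:
    """Apply the schedule and return (surviving records, action log).
    The log is the evidence of your reasoning under Article 5(2)."""
    kept: list[Order] = []
    log: list[tuple[str, str]] = []
    for order in orders:
        action = retention_action(order, today)
        log.append((order.order_ref, action))
        if action == "delete":
            continue
        if action == "strip_contact":
            order = replace(order, name=None, email=None, custom_answers={})
        kept.append(order)
    return kept, log


def apply_marketing_retention(contacts: list[MarketingContact]) -> tuple[list[MarketingContact], set[str]]:
    """Withdrawn contacts leave the mailing list at once. The address alone goes
    on a suppression list so a stale export can never re-add them."""
    active = [c for c in contacts if c.withdrawn_on is None]
    suppressed = {c.email for c in contacts if c.withdrawn_on is not None}
    return active, suppressed


# Constructed sample data, not real buyers.
SAMPLE_ORDERS = [
    Order("A1", date(2026, 4, 20), "Ada", "ada@example.org", 1200),
    Order("A2", date(2025, 10, 4), "Ben", "ben@example.org", 1200, {"dietary": "vegan"}),
    Order("A3", date(2019, 6, 1), "Cy", "cy@example.org", 1200),
]
SAMPLE_CONTACTS = [
    MarketingContact("ada@example.org", date(2026, 4, 20)),
    MarketingContact("ben@example.org", date(2025, 10, 4), withdrawn_on=date(2026, 4, 1)),
]

if __name__ == "__main__":
    today = date(2026, 4, 28)
    kept, log = apply_order_retention(SAMPLE_ORDERS, today)
    for ref, action in log:
        print(ref, action)
    active, suppressed = apply_marketing_retention(SAMPLE_CONTACTS)
    print("active:", [c.email for c in active], "suppressed:", sorted(suppressed))
```

Run it on 28 April 2026 against the sample data and A1 (event last week) is kept intact, A2 (event last October, window passed) loses name, email and the dietary answer but keeps its amount, and A3 (2019) is deleted outright. Keep the action log with your retention policy; it is the record that shows the schedule is actually applied, not just written down.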

    6. Data subject rights: Articles 15 to 22.

    The rights every UK ticket buyer has, and how to handle requests

    Data subject rights

    UK GDPR Articles 15 to 22 give individuals a set of rights you must respect: access (Article 15), rectification (Article 16), erasure (Article 17, also known as the right to be forgotten), restriction (Article 18), portability (Article 20), and objection (Article 21). You generally have one calendar month — the 'applicable time period' — to respond. The deadline now sits in Article 12A of the UK GDPR, inserted by the Data (Use and Access) Act 2025, and can be extended by up to two further months where the request is complex or there are many requests. The response is usually free. Most requests for small event organisers are simple: confirm what you store, share it, and remove what is not needed. The right to erasure is real but not absolute. Article 17(3) lets you refuse where you have a legal obligation to keep the data (for example HMRC) or need it to establish, exercise, or defend legal claims. ICO guidance is being updated to reflect the 2025 Act. Always explain your reasoning in writing when you decline a request, and do not ignore it; the ICO can act on late or missing responses.

    • Diary the one-month deadline as soon as a request arrives (it can be extended by two months for complex requests, with notification)
    • Verify the requester is who they claim to be before sharing data, but do not demand more than is reasonable
    • For a group booking, redact other people's personal data before disclosing. A buyer's rights extend only to their own data
    • Share the data in a clear, common format (PDF or CSV is fine for most cases)
    • You can refuse erasure where you have a legal obligation to retain (HMRC, ongoing dispute), but explain why and confirm what you have removed
    • Keep a log of every request received, the deadline, and how you responded
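    Two of the points above have awkward edge cases that a spreadsheet tends to get wrong: counting "one calendar month" from a request received on the 31st, and carving one person's data out of a group booking. The following is an added example for this guide, not Seaty's code. It assumes the ICO counting rule (the clock starts on the day of receipt and runs to the corresponding date next month, or the last day of that month if there is no corresponding date), does not roll a deadline that lands on a weekend or bank holiday to the next working day, and uses the requester's email as the lookup key only; identity verification is a separate step you still have to do before anything is sent.

```python
from __future__ import annotations

from calendar import monthrange
from dataclasses import dataclass
from datetime import date


def add_calendar_months(d: date, months: int) -> date:
    """Same day of the month, `months` later. Where that day does not exist
    (31 January plus one month), the last day of the target month. This is
    the ICO's counting rule for the one-month response period."""
    carry, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, month0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


@dataclass
class SubjectRequest:
    requester_email: str
    received_on: date              # the clock runs from the day of receipt (assumption)
    kind: str                      # "access", "erasure", "rectification", ...
    extended: bool = False         # two-month extension used (complex or many requests)
    responded_on: date | None = None

    def deadline(self) -> date:
        return add_calendar_months(self.received_on, 3 if self.extended else 1)

    def is_overdue(self, today: date) -> bool:
        return self.responded_on is None and today > self.deadline()


@dataclass(frozen=True)
class GroupBooking:
    order_ref: str
    event: str
    booker_name: str
    booker_email: str
    guests: tuple[tuple[str, str | None], ...]   # (name, email or None)
    amount_pence: int


def extract_for_requester(booking: GroupBooking, requester_email: str) -> dict | None:
    """The slice of one group booking that belongs to the requester. Other
    people's names and emails are left out: the booker gets a headcount, not
    the guest list, because guest names are the guests' own personal data."""
    if requester_email == booking.booker_email:
        return {
            "order_ref": booking.order_ref,
            "event": booking.event,
            "role": "booker",
            "name": booking.booker_name,
            "email": booking.booker_email,
            "amount_pence": booking.amount_pence,
            "guest_count": len(booking.guests),
        }
    for name, email in booking.guests:
        if email is not None and email == requester_email:
            return {
                "order_ref": booking.order_ref,
                "event": booking.event,
                "role": "guest",
                "name": name,
                "email": email,
            }
    return None   # nothing held for this person on this booking


def overdue_requests(requests: list[SubjectRequest], today: date) -> list[SubjectRequest]:
    """The ones to chase first on a given day."""
    return [r for r in requests if r.is_overdue(today)]


# Constructed sample data, not real buyers.
SAMPLE_BOOKING = GroupBooking(
    "B-0042", "Spring Gala, 16 May 2026", "Priya Shah", "priya@example.org",
    (("Tom Shah", "tom@example.org"), ("Lena Shah", None)), 3600,
)

if __name__ == "__main__":
    req = SubjectRequest("tom@example.org", date(2026, 1, 31), "access")
    print("deadline:", req.deadline())                        # 2026-02-28
    print(extract_for_requester(SAMPLE_BOOKING, "tom@example.org"))
    print(extract_for_requester(SAMPLE_BOOKING, "priya@example.org"))
```

A request received on 31 January 2026 is due on 28 February, and the same request with the extension applied is due on 30 April, because neither target month has a 31st. Guests whose email you never collected (Lena in the sample) cannot be matched by this lookup at all; for them the request has to be matched on other details you verified, which is the "reasonable but not excessive" identity check the bullet list asks for.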

    7. You are the controller. The platform is the processor.

    Article 4 distinction, and why it matters

    Controller and processor

    UK GDPR Article 4(7) defines the controller as the entity that determines the purposes and means of processing. Article 4(8) defines the processor as one that processes data on behalf of the controller. Both definitions are confirmed in the UK GDPR text on legislation.gov.uk. For ticket sales, you the event organiser are typically the controller. You decide what data to collect, what custom questions to ask, who to email, and how long to keep records. The ticketing platform is typically a processor, holding and processing data on your documented instructions under a written contract that meets the requirements of Article 28. This matters for accountability: the privacy notice on your event page is your responsibility, the marketing consent is your responsibility, and breach reporting for incidents on your side is your responsibility. The platform is responsible for technical and organisational security measures and following your instructions. Some scenarios are joint controllerships (Article 26 requires a transparent arrangement between joint controllers, with the essence made available to data subjects), for example a venue and a promoter who jointly decide on data use, and those need a written arrangement setting out who does what.

    You (controller)

    Privacy notice, lawful basis, marketing consent, custom questions, retention periods, breach reporting for incidents on your side.

    Platform (processor)

    Secure storage, technical safeguards, processing only on your instructions, breach reporting for platform-side incidents, sub-processor management.

    Joint controllers

    Where two organisations jointly decide purposes and means (e.g. venue and promoter). Article 26 requires a written arrangement.

    8. Personal data breaches and the 72-hour rule (Article 33).

    What counts, what to report, and what to record

    Data breaches

    A personal data breach is any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Common examples for event organisers: emailing an attendee spreadsheet to the wrong recipient, losing a laptop or USB stick with attendee data, a volunteer sharing the door list outside the team, or an attacker gaining access to a mailbox. Under Article 33, if the breach is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of it (the wording in Article 33(1) on legislation.gov.uk); if you miss 72 hours you must give the reasons for the delay. Under Article 34, if the breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify the affected people directly and in clear, plain language. Article 33(5) requires you to document every breach you are aware of, including those that did not need reporting, recording the facts, the effects and the remedial action taken. The ICO can ask to see the log.

    • Identify what data was involved, how many people are affected, and what the likely impact is
    • If risk to individuals is likely, notify the ICO under Article 33 within 72 hours, even if you have not finished investigating
    • If risk is high, notify affected people directly under Article 34, in plain language, with practical steps
    • Document every breach in a written log, even minor ones, to satisfy the accountability principle
    • Containment first, then notification, then root-cause review and process change

    9. Where event organisers commonly get this wrong.

    Patterns the ICO sees again and again

    Common UK GDPR mistakes

    Most compliance problems for small organisations come from the same handful of avoidable mistakes. Reviewing your setup against this list will catch the majority of issues before they become incidents.

    • Asking for date of birth, address, and phone number "just in case", a clear data minimisation breach under Article 5(1)(c)
    • Pre-ticked marketing consent boxes. UK GDPR consent must be unambiguous and freely given, so pre-ticked is not valid
    • Treating silence or non-response as consent. Silence is not consent under any reading of UK GDPR
    • Forgetting to action a deletion request within the applicable time period — Article 12A of the UK GDPR (inserted by the Data (Use and Access) Act 2025) defines this as one calendar month, extendable by up to two further months for complex or multiple requests; the ICO can act on late responses
    • No privacy notice on the event page. Articles 13 and 14 require specific information at the point of collection
    • Sharing attendee lists with sponsors, venues, or partners without identifying a lawful basis (and usually consent)
    • Photographing children without explicit consent from a person with parental responsibility, and never relying on a pre-ticked permission
    • Using "legitimate interests" as a catch-all without conducting and documenting a Legitimate Interests Assessment
    • Forgetting that you remain the controller even when using a ticketing platform. The platform is your processor, not a substitute
    • Bundling marketing consent into terms acceptance. Bundled consent is invalid and easily challenged

    10. Edge cases at real-world events.

    Photos, cookies, joint bookings, and venue-promoter splits

    Edge cases at events

    A handful of scenarios trip up organisers who otherwise have a solid baseline. Each needs its own thinking; assumptions from the core ticket-sale flow do not always carry across.

    Photo and video at events

    Identifiable individuals — especially children — need explicit consent. A sign at the door is awareness, not consent. Build a photo opt-in into the order form and honour requests not to be photographed.

    Cookies on event pages

    PECR Regulation 6 requires consent for non-essential cookies (analytics, marketing, third-party trackers). Strictly necessary cookies are exempt. A passive banner is not consent. The user must take a positive action.

    Email follow-up to past attendees

    Either fresh consent under UK GDPR plus PECR Regulation 22, or the soft opt-in if all three conditions in Reg 22(3) are met (sale-or-negotiation context, similar products or services, opt-out at point of collection and in every later message).

    Joint controller scenarios

    Where the venue and the promoter both decide on data use, Article 26 requires a written arrangement setting out who handles privacy notices, subject rights, and breach reporting. Get this in writing before tickets go on sale.

    Group bookings and shared data

    When one person books for several, you only have a contractual relationship with the buyer. A subject access request from a guest gives them rights only over their own personal data, so redact carefully.

    Special category data on order forms

    Health, religion, sexual orientation, and biometric data are Article 9 special category data. You need explicit consent or another Article 9 condition, plus an Article 6 basis. Do not collect unless you must.

    A practical UK GDPR checklist for UK event organisers.

    1. A short, plain-English privacy notice on your event page or organisation page that satisfies Articles 13 and 14: what data you collect, the lawful basis, retention, who it is shared with, and how to exercise rights.

    2. A documented lawful basis under Article 6 for each kind of processing (contract for the ticket sale, consent for marketing, legitimate interests for any background processing, with an LIA on file).

    3. A separate, unticked marketing opt-in box on your order form that satisfies UK GDPR consent and PECR Regulation 22, never bundled with terms acceptance.

    4. Custom questions kept to the minimum, with a stated reason for each one and stronger safeguards for any Article 9 special category data.

    5. Attendee lists and exports stored securely, shared only with people with a need to know, and deleted when the event is closed out and the refund window has passed.

    6. A written retention schedule covering financial records, attendee lists, marketing contacts, and any custom question data, with a date for next review.

    7. A simple process for subject access, rectification, and erasure requests, with someone responsible for replying within one calendar month.

    8. A breach log and a one-page incident plan: who is told, who decides whether to notify the ICO, and how affected individuals are contacted if needed.

    If your situation has a vertical-specific angle.

    UK GDPR applies the same way to every organiser, but the sensitivities differ. If you are a school collecting child names, year groups, dietary needs, and photo permissions, our guide for schools covers the higher data-sensitivity expectations on educational settings. If you are a dance school sharing rehearsal photos and choreography videos with student families, the guide for dance schools goes into the consent patterns that work for under-13 performers. If you are a charity asking for Gift Aid declarations alongside a ticket purchase, our charity ticketing guide covers HMRC retention alongside donor data. If you are a parish or place of worship handling congregant data for older audiences who may have access needs, the guide for churches covers the gentler expectations for that audience.

    A reminder on legal advice.

    This guide is general information for UK event organisers. It is not legal advice. UK GDPR, PECR, and ICO guidance evolve, and the right answer for your organisation depends on facts only you know. For decisions specific to your situation, particularly around children's data, special category data, joint controllerships, or any breach you are unsure about, consult a solicitor or contact the Information Commissioner's Office directly. The ICO publishes detailed guidance and a small-organisation helpline.

    Related guides and policies

    Plain-English explanations and the policies that sit behind the platform.
    • Privacy policy
    • Cookies
    • Custom questions on order forms
    • Mailshots and marketing emails
    • Terms of service
    • How UK ticketing fees work

    Run your events on a platform that takes data seriously.

    A well-designed UK ticketing platform should make it easy to be a responsible controller: minimal data collection by default, clear marketing consent options, secure storage, and straightforward export and deletion when a buyer asks. That is the bar to look for, whichever platform you choose.

    Sources & further reading

    This guide draws on ICO guidance and UK legislation. For decisions specific to your organisation, consult these primary sources directly or speak to a qualified data protection professional or solicitor.

    ICO guidance
    ICO Guide to UK GDPR
    ICO guidance on lawful basis for processing (Article 6)
    ICO guidance on individual rights (Articles 15-22)
    ICO guidance on direct marketing and PECR
    ICO guidance on personal data breaches (Articles 33 and 34)
    ICO guidance on children's information (Article 8)

    UK legislation
    UK GDPR (Regulation (EU) 2016/679) (legislation.gov.uk)
    Data Protection Act 2018 (legislation.gov.uk)
    Privacy and Electronic Communications (EC Directive) Regulations 2003 / PECR (legislation.gov.uk)
    Seaty, 11 Brindley Place, Birmingham B1 2LP. Company no. 08960314. Support@Seaty.co.uk. Seaty.co.uk
    © 2026 All rights reserved.
    Seaty is a registered trademark in the United Kingdom.