UK GDPR for event organisers, written plainly.

If you sell tickets, run a charity raffle, or organise a school production, you are processing personal data and you are a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The rules sound intimidating, but for most small event organisers compliance comes down to a handful of practical habits backed by named legal concepts.

This guide explains what UK GDPR and PECR actually require in practice for the kind of events run by am-dram societies, charity fundraisers, schools, parishes, dance schools, and small venues. It is general information for UK event organisers, not legal advice. UK GDPR and ICO guidance evolve. For decisions specific to your organisation, consult a solicitor or contact the Information Commissioner's Office directly.

Last updated 28 April 2026.

Reviewed against ICO guidance, the UK GDPR (legislation.gov.uk), and the Data (Use and Access) Act 2025 to the best of our knowledge at the time of writing.

The 80/20 of UK GDPR for event organisers.

Most event organisers do not need to become privacy professionals. You need to: identify a lawful basis under Article 6 for every kind of processing you do; collect only the minimum data required to deliver the ticket and run the event (Article 5(1)(c), data minimisation, confirmed in the UK GDPR text on legislation.gov.uk); give buyers a clear privacy notice that meets the information requirements of Articles 13 and 14; obtain proper opt-in consent under PECR Regulation 22 before sending electronic marketing; keep the data secure (Article 5(1)(f), integrity and confidentiality); and only hold onto it as long as you genuinely need it (Article 5(1)(e), storage limitation). Everything else in this guide is detail around those habits.

1. Only collect what you actually need.

Data minimisation is a core UK GDPR principle (Article 5(1)(c))

Data minimisation

For a typical ticket order, a name and an email address are usually enough. Name lets you check the booking on the door. Email lets you deliver the ticket and contact the buyer if anything changes. You should not ask for date of birth, postal address, phone number, dietary requirements, gender, or anything else unless you have a concrete reason, and you should be ready to explain that reason if asked. Worked example: a community theatre selling £12 tickets to a Saturday-night show needs name plus email. It does not need date of birth (no age restriction), postal address (e-tickets, not posted), or phone number (email is sufficient). Adding those fields breaches the data minimisation principle even if the buyer happily fills them in. Every extra field is data you have to protect, retain, and potentially delete on request.

  • Name and email cover most ticketing scenarios. Anything beyond that needs a documented reason
  • Ask for dietary requirements only when there is catering and the kitchen will see the list
  • Ask for date of birth only when you genuinely need to verify age (over-18 events, age-restricted licences)
  • Ask for accessibility needs only when you can act on them in advance, and treat them sensitively
  • Avoid postal address and phone number unless physical post or urgent contact is genuinely required
  • Every optional field is data you have to look after, secure, and potentially produce on a subject access request

A quick checkpoint.

If your current order form asks buyers for date of birth, postal address, phone number, or anything beyond name and email "just in case", that is the section to action first. Removing unnecessary fields is the single biggest compliance win available to most small organisers, and the cheapest. The rest of this guide is about handling the data you do collect properly. If your audience is mostly children (school productions, dance recitals), the custom-questions section and the photo-consent edge case matter more than usual; the page on Seaty for schools covers the practical implementation.

2. Pick a lawful basis under Article 6, and stick to it.

UK GDPR Article 6 sets out six lawful bases for processing personal data

Lawful basis

Article 6 of UK GDPR sets out six lawful bases: (a) consent, (b) performance of a contract, (c) compliance with a legal obligation, (d) vital interests, (e) public task, and (f) legitimate interests. The exact wording of each is set out in the UK GDPR on legislation.gov.uk and in the ICO's lawful basis guidance. You must identify which one applies to each kind of processing and document it. For ticket sales, the data you genuinely need to deliver the ticket and run the event is usually covered by performance of a contract (Article 6(1)(b)) — the buyer has bought a ticket and you need their details to honour the order. Marketing emails almost always rely on consent (Article 6(1)(a)) plus PECR Regulation 22. Some background processing such as fraud prevention may rely on legitimate interests (Article 6(1)(f)), but only after you have completed a documented Legitimate Interests Assessment (LIA) showing the three-part test of purpose, necessity, and balance has been satisfied.

Article 6(1)(a): Consent

Marketing emails, optional photo permissions, anything not strictly required to fulfil the order. Must be unambiguous and freely given.

Article 6(1)(f): Legitimate interests

Sometimes appropriate for background activity like fraud checks or basic analytics. Requires a documented Legitimate Interests Assessment.

4. Custom questions, special category data, and children.

If you would not act on the answer, do not ask the question

Custom questions

Most ticketing platforms let you add custom questions to the order form. Treat that as a privilege, not a default. Dietary requirements: yes, if there is catering and the answers will reach the kitchen. Accessibility needs: yes, if you can act on them, and remember that health-related accessibility data is special category data under Article 9 and needs stronger safeguards. Photo permissions for child performers: yes, with a clear opt-in answered by the parent or person with parental responsibility. Pre-ticked boxes are not valid consent. Worked example: a school nativity production wants to publish a photo gallery. The order form must include an explicit, unticked opt-in such as 'I give permission for the school to photograph my child during the production for inclusion in the school newsletter and website', separate from booking the ticket, and recorded against each child. UK GDPR Article 8 specifically governs consent for the offer of information society services directly to a child, and the UK has set the threshold at age 13 (legislation.gov.uk Article 8). For all other processing of children's data, and as a practical safeguard for school and youth-event scenarios involving photos and special category data, the working standard is consent from a person with parental responsibility.

  • Make the purpose of each question clear at the point of asking (privacy notice transparency)
  • Special category data under Article 9 (health, biometrics, religion, sexual orientation) needs explicit consent or another Article 9 condition
  • For children, get explicit consent from a person with parental responsibility. Pre-ticked boxes are not valid consent
  • Avoid asking for date of birth, marital status, or occupation unless you have a real and stated reason
  • Review your custom questions before each event. Old questions tend to hang around long after the reason has gone

5. Storage limitation: keep data only as long as you need it.

Article 5(1)(e), the storage limitation principle

Data retention

UK GDPR does not set fixed retention periods — that is your decision based on what you need the data for, and you must be able to justify it. Financial records (orders, payments, refunds) typically need to be kept for around six years to satisfy HMRC. Attendee lists for an individual event can usually be deleted shortly after the event plus a reasonable window for refund requests and complaints. Marketing contacts should be kept only as long as the person consents; if they unsubscribe, remove them promptly. The accountability principle (Article 5(2)) means you must be able to show your reasoning, so write your retention periods down even if it is just a paragraph in a document called 'Data retention policy'.

Financial records

Around six years for HMRC purposes. Confirm with your accountant for your specific situation.

Marketing contacts

Until the person withdraws consent or you stop sending mail to that group. Honour unsubscribes within days, not weeks.
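To make the retention schedule above concrete, here is a small added example (our own illustration, not code from this page, from Seaty, or from any ticketing platform) that applies a written schedule to a few constructed records and reports which ones are due for deletion on a given date, with a reason for each decision that can go straight into the retention log. The periods in it are placeholder assumptions: six years from the end of the calendar year of the transaction for financial records, 60 days after the event for attendee lists, and three days after an unsubscribe for marketing contacts. Your own policy sets the real numbers.

```python
"""Apply a written retention schedule to event records.

Added illustration: not the page's code and not from any ticketing platform.
The retention periods are placeholder assumptions; your own policy sets them.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed retention schedule (placeholders for the numbers in your own policy).
FINANCIAL_YEARS = 6         # orders, payments, refunds: around six years for HMRC
ATTENDEE_WINDOW_DAYS = 60   # attendee list: event date plus a refund/complaint window
UNSUBSCRIBE_GRACE_DAYS = 3  # marketing contact: honour unsubscribes within days


@dataclass
class Record:
    ref: str
    category: str                 # "financial", "attendee" or "marketing"
    created: date                 # order date, event date, or date consent was given
    consent_withdrawn: Optional[date] = None   # marketing contacts only


def expiry_date(rec: Record) -> Optional[date]:
    """Date on which the record falls due for deletion.

    Returns None for a marketing contact whose consent still stands: that
    record is held until an event (withdrawal), not until a date.
    """
    if rec.category == "financial":
        # Assumption: six years from the end of the calendar year of the transaction.
        return date(rec.created.year + FINANCIAL_YEARS + 1, 1, 1)
    if rec.category == "attendee":
        return rec.created + timedelta(days=ATTENDEE_WINDOW_DAYS)
    if rec.category == "marketing":
        if rec.consent_withdrawn is None:
            return None
        return rec.consent_withdrawn + timedelta(days=UNSUBSCRIBE_GRACE_DAYS)
    # Accountability: a record with no rule is a gap in the schedule, not a keep.
    raise ValueError(f"no retention rule for category {rec.category!r}")


def retention_review(records: List[Record], today: date) -> Tuple[list, list]:
    """Split records into (delete, keep) as of `today`.

    Each entry carries a one-line reason so the decision can go in the
    retention log rather than being a silent purge.
    """
    delete, keep = [], []
    for rec in records:
        exp = expiry_date(rec)
        if exp is None:
            keep.append((rec.ref, "consent still in force"))
        elif exp <= today:
            delete.append((rec.ref, f"retention expired on {exp.isoformat()}"))
        else:
            keep.append((rec.ref, f"retain until {exp.isoformat()}"))
    return delete, keep


# Constructed sample records (not real people or orders).
SAMPLE_TODAY = date(2026, 4, 28)
SAMPLE = [
    Record("ORD-1001", "financial", date(2019, 11, 2)),          # due 1 Jan 2026
    Record("LIST-JAN26", "attendee", date(2026, 1, 17)),         # show on 17 Jan 2026
    Record("LIST-APR26", "attendee", date(2026, 4, 11)),         # show on 11 Apr 2026
    Record("MKT-ALICE", "marketing", date(2025, 6, 1)),
    Record("MKT-BOB", "marketing", date(2025, 6, 1), consent_withdrawn=date(2026, 4, 20)),
]

if __name__ == "__main__":
    to_delete, to_keep = retention_review(SAMPLE, SAMPLE_TODAY)
    for ref, why in to_delete:
        print("DELETE", ref, "-", why)
    for ref, why in to_keep:
        print("KEEP  ", ref, "-", why)
```

Run as of 28 April 2026 it marks the 2019 order, the January attendee list and the unsubscribed contact for deletion, and keeps the April list (until 10 June) and the contact whose consent still stands. The point of the reason strings is that the review itself becomes the evidence the accountability principle asks for.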

6. Data subject rights: Articles 15 to 22.

The rights every UK ticket buyer has, and how to handle requests

Data subject rights

UK GDPR Articles 15 to 22 give individuals a set of rights you must respect: access (Article 15), rectification (Article 16), erasure (Article 17, also known as the right to be forgotten), restriction (Article 18), portability (Article 20), and objection (Article 21). You generally have one calendar month, the 'applicable time period', to respond. The deadline now sits in Article 12A of the UK GDPR, inserted by the Data (Use and Access) Act 2025, and can be extended by up to two further months where the request is complex or there are many requests from the same person, provided you tell them about the extension within the first month. The response is usually free. Most requests that small event organisers receive are simple: confirm what you hold, supply a copy, and correct or remove what is asked for where you can. The right to erasure is real but not absolute. Article 17(3) lets you refuse where you have a legal obligation to keep the data (for example HMRC records) or need it to establish, exercise, or defend legal claims. ICO guidance is being updated to reflect the 2025 Act. Always explain your reasoning in writing when you decline a request, and never ignore one; the ICO can act on late or missing responses.

  • Diary the one-month deadline as soon as a request arrives (it can be extended by two months for complex requests, with notification)
  • Verify the requester is who they claim to be before sharing data, but do not demand more than is reasonable
  • For a group booking, redact other people's personal data before disclosing. A buyer's rights extend only to their own data
  • Share the data in a clear, common format (PDF or CSV is fine for most cases)
  • You can refuse erasure where you have a legal obligation to retain (HMRC, ongoing dispute), but explain why and confirm what you have removed
  • Keep a log of every request received, the deadline, and how you responded
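As an added worked example (ours, not the page's and not any platform's code), the script below handles the two mechanical parts of a subject access request from one guest on a group booking: it diaries the response deadline for the request log, and it builds the disclosure with the buyer's and other guests' details redacted. The booking data is constructed for illustration. The deadline arithmetic assumes the ICO's way of counting a calendar month (the corresponding date in the following month, or the last day of that month if there is no such date, so a request received on 31 January is due on 28 February); check that against current ICO guidance, which is being updated for the 2025 Act.

```python
"""Subject access request from one guest on a group booking.

Added illustration: not the page's code and not from any ticketing platform.
Computes the response deadline and builds a disclosure limited to the
requester's own personal data. The booking below is constructed.
"""
import calendar
import json
from datetime import date

REDACTED = "[redacted: another person's data]"


def response_deadline(received: date, extension_months: int = 0) -> date:
    """Deadline for a request received on `received`.

    One calendar month, plus up to two further months for a complex request
    or many requests (Article 12A). Assumption: the ICO method of counting a
    calendar month is used, i.e. the corresponding date in the target month,
    or the last day of that month when there is no such date (31 Jan -> 28 Feb).
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("the deadline can be extended by at most two further months")
    months_ahead = 1 + extension_months
    year = received.year + (received.month - 1 + months_ahead) // 12
    month = (received.month - 1 + months_ahead) % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def deadline_for(received_iso: str, extension_months: int = 0) -> str:
    """Same calculation on ISO date strings, for the request log."""
    return response_deadline(date.fromisoformat(received_iso), extension_months).isoformat()


# Constructed group booking: the buyer booked three seats and typed in the
# guests' names and one dietary answer. Only the buyer gave an email address.
BOOKING = {
    "order_ref": "A1B2C3",
    "event": "Spring Revue, 11 April 2026",
    "buyer": {"name": "Alice Example", "email": "alice@example.invalid"},
    "guests": [
        {"seat": "B12", "name": "Alice Example", "dietary": None},
        {"seat": "B13", "name": "Bob Example", "dietary": "vegetarian"},
        {"seat": "B14", "name": "Carol Example", "dietary": None},
    ],
    "payment": {"amount_gbp": 36.00, "card_last4": "4242"},
}


def sar_disclosure(booking: dict, requester_name: str) -> dict:
    """Copy of the booking containing only the requester's own personal data.

    Assumes the requester's identity has already been verified (a separate
    step). Other guests' names and answers are redacted as third-party data;
    seat labels stay so the requester can see the shape of the record. The
    buyer's email and payment details are the buyer's data, so a guest who is
    not the buyer does not receive them.
    """
    def is_requester(name: str) -> bool:
        return name.casefold() == requester_name.casefold()

    guests = []
    for g in booking["guests"]:
        if is_requester(g["name"]):
            guests.append(dict(g))
        else:
            # Redact uniformly, even an empty answer, so nothing can be inferred
            # from which fields were blanked.
            guests.append({"seat": g["seat"], "name": REDACTED, "dietary": REDACTED})
    out = {"order_ref": booking["order_ref"], "event": booking["event"], "guests": guests}
    if is_requester(booking["buyer"]["name"]):
        out["buyer"] = dict(booking["buyer"])
        out["payment"] = dict(booking["payment"])
    else:
        out["buyer"] = {"name": REDACTED, "email": REDACTED}
    return out


def open_request(requester_name: str, received_iso: str, complex_request: bool = False) -> dict:
    """Entry for the request register: who asked, when, and the diary date."""
    return {
        "requester": requester_name,
        "received": received_iso,
        "deadline": deadline_for(received_iso),
        "extended_deadline_if_needed": deadline_for(received_iso, 2) if complex_request else None,
    }


if __name__ == "__main__":
    print(json.dumps(open_request("Carol Example", "2026-01-31"), indent=2))
    print(json.dumps(sar_disclosure(BOOKING, "Carol Example"), indent=2))
```

For Carol the output keeps her seat and name, blanks Bob's and Alice's entries and the buyer's email, and omits the payment block entirely; for Alice, who is the buyer, the payment record and her email come through. Identity verification and the decision on whether a request is complex enough to extend are still human steps that happen before this runs.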

7. You are the controller. The platform is the processor.

Article 4 distinction, and why it matters

Controller and processor

UK GDPR Article 4(7) defines the controller as the entity that determines the purposes and means of processing. Article 4(8) defines the processor as one that processes data on behalf of the controller. Both definitions are confirmed in the UK GDPR text on legislation.gov.uk. For ticket sales, you the event organiser are typically the controller. You decide what data to collect, what custom questions to ask, who to email, and how long to keep records. The ticketing platform is typically a processor, holding and processing data on your documented instructions under a written contract that meets the requirements of Article 28. This matters for accountability: the privacy notice on your event page is your responsibility, the marketing consent is your responsibility, and breach reporting for incidents on your side is your responsibility. The platform is responsible for technical and organisational security measures and following your instructions. Some scenarios are joint controllerships (Article 26 requires a transparent arrangement between joint controllers, with the essence made available to data subjects), for example a venue and a promoter who jointly decide on data use, and those need a written arrangement setting out who does what.

Platform (processor)

Secure storage, technical safeguards, processing only on your instructions, breach reporting for platform-side incidents, sub-processor management.

Joint controllers

Where two organisations jointly decide purposes and means (e.g. venue and promoter). Article 26 requires a written arrangement.

8. Personal data breaches and the 72-hour rule (Article 33).

What counts, what to report, and what to record

Data breaches

A personal data breach is any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data (Article 4(12)). Common examples for event organisers: emailing an attendee spreadsheet to the wrong recipient, losing a laptop or USB stick with attendee data, a volunteer sharing the door list outside the team, or an attacker gaining access to a mailbox. Under Article 33, if the breach is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware (the wording in Article 33(1) on legislation.gov.uk). Under Article 34, if the breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify the affected people directly and in clear, plain language. Article 33(5) requires you to document every breach you are aware of, including those that did not need reporting. The ICO can ask to see the log.

  • Identify what data was involved, how many people are affected, and what the likely impact is
  • If risk to individuals is likely, notify the ICO under Article 33 within 72 hours, even if you have not finished investigating
  • If risk is high, notify affected people directly under Article 34, in plain language, with practical steps
  • Document every breach in a written log, even minor ones, to satisfy the accountability principle
  • Containment first, then notification, then root-cause review and process change

9. Where event organisers commonly get this wrong.

Patterns the ICO sees again and again

Common UK GDPR mistakes

Most of the problems small organisations run into come from the same handful of avoidable mistakes. Reviewing your setup against this list will catch the majority of issues before they become incidents.

  • Asking for date of birth, address, and phone number "just in case", a clear data minimisation breach under Article 5(1)(c)
  • Pre-ticked marketing consent boxes. UK GDPR consent must be unambiguous and freely given, so pre-ticked is not valid
  • Treating silence or non-response as consent. Silence is not consent under any reading of UK GDPR
  • Forgetting to action a deletion request within the applicable time period — Article 12A of the UK GDPR (inserted by the Data (Use and Access) Act 2025) defines this as one calendar month, extendable by up to two further months for complex or multiple requests; the ICO can act on late responses
  • No privacy notice on the event page. Articles 13 and 14 require specific information at the point of collection
  • Sharing attendee lists with sponsors, venues, or partners without identifying a lawful basis (and usually consent)
  • Photographing children without explicit consent from a person with parental responsibility, and never relying on a pre-ticked permission
  • Using "legitimate interests" as a catch-all without conducting and documenting a Legitimate Interests Assessment
  • Forgetting that you remain the controller even when using a ticketing platform. The platform is your processor, not a substitute
  • Bundling marketing consent into terms acceptance. Bundled consent is invalid and easily challenged

10. Edge cases at real-world events.

Photos, cookies, joint bookings, and venue-promoter splits

Edge cases at events

A handful of scenarios trip up organisers who otherwise have a solid baseline. Each needs its own thinking; assumptions from the core ticket-sale flow do not always carry across.

Cookies on event pages

PECR Regulation 6 requires consent for non-essential cookies (analytics, marketing, third-party trackers). Strictly necessary cookies are exempt. A passive banner is not consent. The user must take a positive action.

Email follow-up to past attendees

Either fresh consent under UK GDPR plus PECR Regulation 22, or the soft opt-in if all three conditions in Reg 22(3) are met (sale-or-negotiation context, similar products or services, opt-out at point of collection and in every later message).

Joint controller scenarios

Where the venue and the promoter both decide on data use, Article 26 requires a written arrangement setting out who handles privacy notices, subject rights, and breach reporting. Get this in writing before tickets go on sale.

Group bookings and shared data

When one person books for several, your contract is with the buyer, but you are still the controller for whatever guest details the buyer supplied. A subject access request from a guest gives them rights only over their own personal data, so redact the buyer's and the other guests' details carefully before disclosing.

Special category data on order forms

Health, religion, sexual orientation, and biometric data are Article 9 special category data. You need explicit consent or another Article 9 condition, plus an Article 6 basis. Do not collect unless you must.

A practical UK GDPR checklist for UK event organisers.

1. A short, plain-English privacy notice on your event page or organisation page that satisfies Articles 13 and 14: what data you collect, the lawful basis, retention, who it is shared with, and how to exercise rights.

2. A documented lawful basis under Article 6 for each kind of processing (contract for the ticket sale, consent for marketing, legitimate interests for any background processing, with an LIA on file).

3. A separate, unticked marketing opt-in box on your order form that satisfies UK GDPR consent and PECR Regulation 22, never bundled with terms acceptance.

4. Custom questions kept to the minimum, with a stated reason for each one and stronger safeguards for any Article 9 special category data.

5. Attendee lists and exports stored securely, shared only with people with a need to know, and deleted when the event is closed out and the refund window has passed.

6. A written retention schedule covering financial records, attendee lists, marketing contacts, and any custom question data, with a date for next review.

7. A simple process for subject access, rectification, and erasure requests, with someone responsible for replying within one calendar month.

8. A breach log and a one-page incident plan: who is told, who decides whether to notify the ICO, and how affected individuals are contacted if needed.

If your situation has a vertical-specific angle.

UK GDPR applies the same way to every organiser, but the sensitivities differ. If you are a school collecting child names, year groups, dietary needs, and photo permissions, our guide for schools covers the higher data-sensitivity expectations on educational settings. If you are a dance school sharing rehearsal photos and choreography videos with student families, the guide for dance schools goes into the consent patterns that work for under-13 performers. If you are a charity asking for Gift Aid declarations alongside a ticket purchase, our charity ticketing guide covers HMRC retention alongside donor data. If you are a parish or place of worship handling congregant data for older audiences who may have access needs, the guide for churches covers the gentler expectations for that audience.

A reminder on legal advice.

This guide is general information for UK event organisers. It is not legal advice. UK GDPR, PECR, and ICO guidance evolve, and the right answer for your organisation depends on facts only you know. For decisions specific to your situation, particularly around children's data, special category data, joint controllerships, or any breach you are unsure about, consult a solicitor or contact the Information Commissioner's Office directly. The ICO publishes detailed guidance and a small-organisation helpline.

Run your events on a platform that takes data seriously.

A well-designed UK ticketing platform should make it easy to be a responsible controller: minimal data collection by default, clear marketing consent options, secure storage, and straightforward export and deletion when a buyer asks. That is the bar to look for, whichever platform you choose.