Guide to Privacy-Compliant Data Collection at Events

Collecting attendee data is valuable, but it must be done lawfully. This guide covers UK GDPR requirements, practical consent mechanisms, and how to build trust while gathering the information your event business needs.

Data is valuable. Attendee email addresses, demographics, spending patterns, and feedback all help you run better events and sell more tickets. But the days of casually collecting data without thought for privacy are over. The UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) set clear rules about how personal data can be collected, stored, and used. Getting this wrong carries financial penalties of up to £17.5 million or 4% of annual global turnover (whichever is higher) under UK GDPR, but the practical consequences of poor data practice (lost trust, damaged reputation, and disengaged audiences) can be equally damaging.

UK GDPR

The UK GDPR applies to any organisation that processes personal data of individuals in the UK. Personal data is any information that can identify a living person, directly or indirectly. This includes names, email addresses, phone numbers, IP addresses, location data, and even photos where individuals are identifiable.

The key principles of UK GDPR are lawfulness, fairness, and transparency (you must have a lawful basis for processing data and be open about what you do with it), purpose limitation (data can only be used for the purposes stated when it was collected), data minimisation (collect only what you need), accuracy (keep data correct and up to date), storage limitation (do not keep data longer than necessary), and integrity and confidentiality (keep data secure).

PECR

PECR sits alongside UK GDPR and specifically governs electronic communications: marketing emails, text messages, and the use of cookies and similar technologies on websites. Under PECR, you need consent to send marketing emails to individuals (there is a limited exception called "soft opt-in" for existing customers), consent to use non-essential cookies on your website, and compliance with specific rules about how you identify yourself in electronic communications.

Lawful bases for processing

Under UK GDPR, every instance of data processing must have a lawful basis. The most relevant bases for event organisers are consent (the individual has given clear, informed agreement), contract (processing is necessary to fulfil a contract, such as sending tickets to a ticket buyer), and legitimate interest (processing is necessary for a legitimate business purpose, balanced against the individual's rights). Each data processing activity should be mapped to a specific lawful basis, documented in your privacy notice.

Data collection at the ticket purchase stage

When someone buys a ticket, you need certain information to fulfil the order: their name, email address, and payment details at minimum. This processing is lawful under the "contract" basis because it is necessary to deliver the ticket.

However, adding the buyer to a marketing mailing list requires a separate lawful basis. The options are explicit consent (an unticked checkbox that says "I would like to receive marketing emails about future events") or the soft opt-in, which allows you to send marketing emails to existing customers about similar products or services, provided you gave them a clear opportunity to opt out at the point of data collection and include an unsubscribe option in every email.

The soft opt-in is widely used by event organisers, but it must be applied correctly. It only covers marketing about your own events (not third-party promotions), the customer must be given a clear opt-out at the point of purchase, and every subsequent email must include an easy unsubscribe mechanism. If in doubt, explicit consent is the safer approach.

For information on setting up compliant ticket purchase processes, see our guide to setting up online ticket sales.

Data collection through surveys

Post-event surveys collect data with consent as the lawful basis: the attendee voluntarily chooses to complete the survey. Your survey should include a clear statement at the beginning explaining what data you are collecting, why, and how long you will keep it. Link to your full privacy notice for those who want more detail.

If you ask demographic questions (age, gender, income), make these optional and explain why you are asking. "We use this information to understand our audience and improve future events" is a clear, legitimate purpose. Avoid asking for data you do not have a specific plan to use. Data minimisation is a core GDPR principle, and collecting information "just in case" does not comply with it.

Data collection on-site

Wi-Fi data collection

Some events offer free Wi-Fi that requires attendees to register with an email address. This is a legitimate data collection mechanism, but it must be transparent. The registration page should clearly state that you will use the email address for marketing (if that is the intention), provide a consent mechanism (an unticked checkbox for marketing consent), and link to your privacy notice.

Collecting technical data through Wi-Fi (device types, session durations, movement patterns within the venue) raises additional privacy considerations. This data can constitute personal data if it is linkable to an individual. Ensure your privacy notice covers this type of processing and that you have an appropriate lawful basis.

Photography and video

Event photography creates personal data (identifiable images of attendees). Your lawful basis for general crowd photography is typically legitimate interest, but you must inform attendees in advance (through terms and conditions, signage at the event, or both) that photography will take place and images may be used for promotional purposes.

Individuals have the right to object to their image being used. Have a process in place for handling such requests. For close-up or identifiable photographs used in marketing materials, best practice is to obtain specific consent from the individuals pictured.

CCTV and security cameras

CCTV at events is typically justified on the basis of legitimate interest (safety and security) or compliance with legal obligations. You must display clear signage informing people that CCTV is in operation, specify who is responsible for the footage, and state the purpose and retention period. The Surveillance Camera Commissioner's code of practice provides guidance for the UK.

Cashless payment data

If your event uses a cashless payment system (RFID wristbands or similar), the transaction data collected is personal data if it is linked to an identified individual. Be transparent about what data is collected, how it is used, and how long it is retained. If you plan to use spending data for marketing or analytics purposes beyond processing the payment, this requires a separate lawful basis and disclosure.

Third-party data sharing

Sharing attendee data with sponsors, partners, or other third parties requires particular care. Under UK GDPR, the individual must be informed at the point of data collection that their data may be shared, told who it will be shared with and for what purpose, and given a genuine choice (consent must be freely given and not a condition of purchasing a ticket).

Pre-ticked boxes, bundled consent ("by buying a ticket you agree to receive emails from our sponsors"), and vague statements ("we may share your data with selected partners") are not compliant. Be specific: "We would like to share your email address with [Sponsor Name] so they can send you offers related to [specific products/services]. Tick this box if you agree."
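As an added illustration (not part of the original guide), the rules above for marketing emails and for sharing with sponsors can be expressed as a single eligibility check run over your contact records before a campaign goes out. The Contact and Campaign records, the field names, and the sponsor name "Acme Drinks" are constructed for this example, not a real product or API.

```python
from dataclasses import dataclass, field

@dataclass
class Contact:
    """One attendee record as captured at ticket purchase (constructed shape)."""
    email: str
    is_customer: bool                  # bought a ticket: the order itself is on the contract basis
    marketing_consent: bool = False    # ticked the (unticked by default) marketing checkbox
    box_was_preticked: bool = False    # a pre-ticked box is not valid consent
    opted_out_at_purchase: bool = False  # declined the soft opt-in at checkout
    unsubscribed: bool = False         # used the unsubscribe link in a later email
    sponsor_consents: dict = field(default_factory=dict)  # sponsor name -> specific box ticked

@dataclass
class Campaign:
    sender: str               # "organiser" or a named sponsor
    about_own_events: bool    # soft opt-in covers only your own similar events
    has_unsubscribe_link: bool

def marketing_basis(contact, campaign):
    """Return 'consent', 'soft opt-in', or None if the email must not be sent."""
    # Every marketing email needs an unsubscribe route, and an unsubscribe is honoured.
    if not campaign.has_unsubscribe_link or contact.unsubscribed:
        return None
    if campaign.sender != "organiser":
        # Sponsor mailings need separate, specific consent; bundled consent does not count.
        return "consent" if contact.sponsor_consents.get(campaign.sender) else None
    if contact.marketing_consent and not contact.box_was_preticked:
        return "consent"
    if contact.is_customer and campaign.about_own_events and not contact.opted_out_at_purchase:
        return "soft opt-in"
    return None

def eligible_recipients(contacts, campaign):
    """Map email -> lawful basis for everyone who may lawfully receive this campaign."""
    result = {}
    for contact in contacts:
        basis = marketing_basis(contact, campaign)
        if basis:
            result[contact.email] = basis
    return result

# Constructed sample records covering each rule in the text
CONTACTS = [
    Contact("a@example.com", is_customer=True),
    Contact("b@example.com", is_customer=True, opted_out_at_purchase=True),
    Contact("c@example.com", is_customer=False, marketing_consent=True),
    Contact("d@example.com", is_customer=False, marketing_consent=True, box_was_preticked=True),
    Contact("e@example.com", is_customer=True, sponsor_consents={"Acme Drinks": True}),
]
OWN_EVENTS = Campaign("organiser", about_own_events=True, has_unsubscribe_link=True)
SPONSOR_OFFER = Campaign("Acme Drinks", about_own_events=False, has_unsubscribe_link=True)
```

Running `eligible_recipients(CONTACTS, OWN_EVENTS)` keeps only the contacts with a documented basis, and the sponsor campaign reaches only the one contact who ticked that sponsor's specific box.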

Privacy notices

Every event should have a privacy notice (also called a privacy policy) that covers what personal data you collect, why you collect it (the purpose) and the lawful basis for each purpose, who you share it with, how long you keep it, the individual's rights (access, correction, deletion, objection, portability), how to contact you with privacy queries, and how to complain to the Information Commissioner's Office (ICO).

The privacy notice must be easy to find and written in clear, plain language. Link to it from your ticket purchase page, survey introduction, and event website footer. The ICO provides template text and guidance on writing privacy notices that event organisers can adapt. For a broader overview of GDPR obligations, see our dedicated GDPR compliance guide for event organisers.

Data security

UK GDPR requires you to implement "appropriate technical and organisational measures" to protect personal data. For event organisers, this means securing your databases and email platforms with strong passwords and two-factor authentication, limiting access to personal data to people who need it for their role, using reputable, GDPR-compliant tools and platforms for data storage and processing, having a plan for responding to a data breach (you must report certain breaches to the ICO within 72 hours), and regularly reviewing who has access to your data and revoking access when it is no longer needed.

Building trust through transparency

Compliance is the floor, not the ceiling. The events that build the strongest audience relationships are those that go beyond minimum legal requirements and make privacy a visible part of their brand. Telling attendees explicitly how their data is used and how it is protected builds trust. Offering genuine control (easy unsubscribes, clear data deletion processes, preference centres) shows respect.

In a world where data breaches and privacy scandals regularly make headlines, audiences increasingly value organisations they can trust with their information. Being genuinely privacy-conscious is not just a legal obligation. It is a competitive advantage. Your CRM and data management practices should reflect this commitment at every level.
