GDPR Compliance Checklist for Event Organisers
If you sell tickets, collect attendee data, or send marketing emails, you are a data controller under the UK GDPR and EU GDPR. That means you have legal obligations around how you collect, store, use, and delete personal data. The fines for getting it wrong are significant (under the UK GDPR up to £17.5 million or 4% of annual worldwide turnover, whichever is higher; under the EU GDPR up to €20 million or 4%), but more practically, poor data handling erodes customer trust and can result in complaints to the Information Commissioner's Office (ICO) that consume weeks of your time.
This guide is a practical checklist: not legal advice, but a clear framework for event organisers who want to handle data responsibly and lawfully. Work through each section and address any gaps in your current processes.
1. Establish Your Lawful Basis for Processing
Under GDPR, you cannot collect or use personal data without a lawful basis. For event organisers, two bases are most relevant:
- Contractual necessity (Article 6(1)(b)). When someone buys a ticket, you need their name and email to fulfil the contract: to send them the ticket, provide event updates, and manage check-in. This lawful basis covers the data processing that is strictly necessary to deliver the service they paid for. You do not need separate consent for this.
- Consent (Article 6(1)(a)). For anything beyond fulfilling the ticket purchase (marketing emails, sharing data with sponsors, profiling for targeted advertising) you need consent that is freely given, specific, informed and unambiguous. In practice that means an unticked checkbox (never pre-ticked) with clear language explaining what the person is agreeing to.
Checklist Items
- Document which lawful basis you rely on for each type of data processing.
- Ensure marketing consent is collected via an unticked, opt-in checkbox at checkout.
- Keep the consent request separate from the terms and conditions acceptance; they are different things.
- Record when and how consent was given (timestamp, IP address, the exact wording shown).
2. Consent at Checkout
Your checkout page is where most data collection happens. Getting consent right at this point is critical:
- Separate marketing consent from purchase terms. "I agree to the terms and conditions" and "I would like to receive marketing emails" must be two separate checkboxes. Bundling them is not valid consent under GDPR.
- Use clear, plain language. Not "We may contact you with information about our services and those of our partners." Instead: "Yes, I would like to receive emails about future events from [Your Brand]. You can unsubscribe at any time."
- Do not pre-tick the marketing checkbox. Pre-ticked boxes are explicitly prohibited. The customer must take an affirmative action to consent.
- Make consent genuinely optional. The customer must be able to complete their ticket purchase without consenting to marketing. If declining marketing prevents the purchase, the consent is not freely given and is invalid.
Checklist Items
- Review your checkout page and ensure marketing consent is a separate, unticked checkbox.
- Verify that customers can complete purchases without opting into marketing.
- Check that the consent language clearly states who will contact them and for what purpose.
- Ensure every marketing email includes a one-click unsubscribe link.
3. Data Retention Periods
GDPR requires that you do not keep personal data for longer than necessary. "We keep everything forever, just in case" is not compliant. You need a defined retention policy:
- Transaction data (name, email, purchase amount). Retain for 6 years from the end of the financial year in which the event took place. This aligns with HMRC's requirement to keep company financial records for 6 years and provides protection in case of legal disputes.
- Marketing consent records. Retain for as long as the consent is active, plus 12 months after the person unsubscribes (to prove you had valid consent during the period you were marketing to them).
- Check-in and attendance data. Retain for 12 months after the event. This data is useful for event analysis but does not need to be kept indefinitely.
- Customer support correspondence. Retain for 24 months after the last interaction. If a dispute arises, you need the correspondence history.
Checklist Items
- Create a data retention schedule listing each data type, its retention period, and the deletion method.
- Set up automated deletion or anonymisation for data that has passed its retention period.
- Review your ticketing platform's data retention settings and ensure they align with your policy.
- Document your retention policy in your privacy notice.
4. Right to Erasure (Right to Be Forgotten)
Under Article 17, individuals have the right to request that you delete their personal data. As an event organiser, you must be able to comply with these requests, but there are exceptions:
- You can refuse erasure if you need the data for legal obligations. Transaction records required for tax purposes (HMRC's 6-year rule) cannot be deleted simply because someone requests erasure. You can, however, anonymise the data (replace the name with "Anonymised" and remove the email) while retaining the financial record.
- Marketing data must be deleted on request. If someone asks to be removed from your marketing lists, do it immediately; the right to object to direct marketing (Article 21) is absolute, so there is no legitimate reason to refuse. The one thing you should keep is a minimal suppression record (for example, a hash of the email address) so the person is not re-added by a later import. The ICO accepts this, provided the record is used only to suppress.
- Respond within one month. Article 12(3) requires you to act on an erasure request without undue delay and at the latest within one month of receiving it. If the request is complex, or you have received several from the same person, you can extend by a further two months, but you must tell the requester why within the first month.
Checklist Items
- Establish a process for receiving and handling erasure requests (a dedicated email address works).
- Know where all personal data is stored โ your ticketing platform, email marketing tool, spreadsheets, WhatsApp groups, etc.
- Be able to delete or anonymise data across all systems within one month.
- Keep a log of erasure requests and your response to each.
5. Data Subject Access Requests (DSARs)
Any person has the right, under Article 15, to request a copy of the personal data you hold about them, together with the purposes you use it for, who you share it with, how long you keep it, and where you obtained it. This is called a Data Subject Access Request. You must respond within one month (extendable by two further months for complex requests) with a complete, readable copy of their data, free of charge unless the request is manifestly unfounded or excessive.
- Identify all data sources. A DSAR response must cover every system where the person's data exists: your ticketing platform, email lists, CRM, spreadsheets, door lists, and even informal records like WhatsApp messages.
- Provide data in a common format. CSV or PDF is standard. The data must be readable by the person โ raw database exports with column codes are not sufficient.
- Verify identity before responding. You must confirm that the person making the request is who they claim to be. Ask for enough information to match them in your systems (e.g., email address and date of purchase) but do not demand excessive identification.
Checklist Items
- Create a DSAR response template and process document.
- Map all locations where attendee data is stored.
- Test your process by running a mock DSAR: can you gather all data for a specific person, from every system, within one month?
- Assign a specific person or role to handle DSARs.
6. Cookie Consent
If your event website or ticket page uses cookies (and it almost certainly does), you need a cookie consent mechanism that complies with PECR (Privacy and Electronic Communications Regulations) alongside GDPR:
- Strictly necessary cookies do not require consent. Session cookies, authentication cookies, and shopping cart cookies are essential for the site to function. These can be set without consent.
- Analytics and marketing cookies require consent. Google Analytics, Facebook Pixel, TikTok Pixel, retargeting cookies: all of these require consent before being placed on the user's device. The same rule covers any other technology that stores or reads information on the device, such as tracking pixels and local storage, not only cookies in the strict sense.
- Use a proper consent management platform (CMP). A basic "This site uses cookies" banner is not sufficient. You need a CMP that lets users accept or reject specific cookie categories, remembers their choice, and blocks non-essential cookies until consent is given. Tools like CookieYes, Cookiebot, or Osano provide this.
- Do not use dark patterns. The "Accept All" button should not be more prominent than the "Reject All" or "Manage Preferences" option. Both options should be equally accessible.
Checklist Items
- Audit all cookies on your event website and ticket pages.
- Implement a CMP that blocks non-essential cookies until consent is given.
- Ensure "Reject All" is as easy to click as "Accept All."
- Test that analytics and tracking pixels do not fire before consent is granted.
7. Third-Party Data Sharing
As an event organiser, you share attendee data with several third parties. Each sharing arrangement needs to be documented and disclosed:
- Payment processor (e.g., Stripe). Stripe processes card details and receives the customer's name, email, and billing address. Stripe acts as an independent data controller for payment data. You do not need consent for this sharing (it falls under contractual necessity), but you must disclose it in your privacy notice. Link to Stripe's privacy policy.
- Email marketing provider (e.g., Mailchimp, Brevo). If you export attendee data to an email platform for marketing, the email provider is your data processor. You need a Data Processing Agreement (DPA) with them; most major providers offer one. Only export data for people who have given marketing consent.
- Ticketing platform. Your ticketing provider (including TicketWave) processes data on your behalf and acts as a data processor. Ensure there is a DPA in place. Check where the data is hosted; within the UK or EEA is simplest. If data is transferred to a country without an adequacy decision, appropriate safeguards must be in place: for transfers from the UK, the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; for transfers from the EEA, the EU Standard Contractual Clauses.
- Sponsors and partners. Sharing attendee data with sponsors requires explicit, informed consent. This must be a separate consent request from general marketing. "We may share your data with our event sponsors" is not sufficient: name the sponsors or describe the category clearly.
- Door staff and security. If you share guest lists (names) with door staff, this is a data processing activity. Ensure door lists are deleted after the event and that staff understand they cannot retain or share the data.
Checklist Items
- List every third party that receives attendee data.
- Ensure a Data Processing Agreement is in place with each processor.
- Disclose all third-party sharing in your privacy notice.
- Obtain separate consent before sharing data with sponsors or partners.
- Verify that every third party hosts data in the UK, the EEA, or a country covered by an adequacy decision, or has appropriate transfer safeguards in place.
Your GDPR Compliance Checklist: Summary
Print this, pin it to your wall, and work through it for every event:
- Lawful basis documented for all data processing activities.
- Marketing consent collected via separate, unticked, opt-in checkbox.
- Privacy notice published and linked from checkout page.
- Data retention schedule created and automated where possible.
- Erasure request process established with a dedicated contact point.
- DSAR response process documented and tested.
- Cookie consent mechanism implemented with genuine accept/reject options.
- Third-party data sharing documented and disclosed.
- Data Processing Agreements in place with all processors.
- Staff briefed on data handling (especially door staff with guest lists).
- Consent records stored with timestamps and exact wording shown.
- Unsubscribe link present and functional in every marketing email.
GDPR compliance is not a one-off task; it is an ongoing responsibility. Review this checklist quarterly, update your processes as your data handling evolves, and keep your privacy notice current. The good news is that compliant data handling also builds customer trust, reduces spam complaints, and protects your reputation. TicketWave is built with GDPR compliance at its core, with built-in consent management, data export tools, and Data Processing Agreements as standard.