I wrote this because the same five misconceptions come up in almost every conversation I have with organisers, and because the UK's data protection rules changed in early 2026, making much of the advice still circulating online out of date. In this article, I will bust the five most common GDPR myths in event ticketing, covering who counts as a data controller, when you actually need consent, how long to keep attendee data, and what the Data (Use and Access) Act 2025 changed, and finish with a six-step compliance checklist you can put in place in an afternoon.
I have already written about the questions you should ask a vendor before signing a contract (that piece is published over on LinkedIn). This one is about the myths themselves.

GDPR applies the moment you collect personal data from anyone in the UK or EU, and a name and email address count. There is no headcount below which the rules switch off, and free events get no exemption. A 30-person webinar that captures email addresses is in scope. So is a community fundraiser with a sign-up sheet.
I understand where the myth comes from. The enforcement stories that make the news involve airlines and hotel chains, so it feels like a big-company problem. But the law was never written with a size threshold, and the ICO has taken action against very small organisations. More to the point, your attendees do not care how big you are. If their data leaks from a 50-person event, the damage to trust is the same.

No. This is the one I want to put on a poster: using a ticketing platform does not hand your responsibility to it. Under GDPR, you are the data controller, the person who decides what gets collected and why. The platform is the processor that handles data according to your instructions.
The controller carries the heavier obligations, and you cannot contract your way out of them. A certified platform keeps its side of the street clean. Yours is still yours.
Here is roughly how it splits:
The wrinkle is that some platforms use attendee data for their own purposes (marketplace ticketing is the obvious example), and at that point they may become a joint controller and the lines blur.
One of the reasons we built Eventcube white-label was to avoid that mess entirely: the organiser owns the attendee relationship and the data, full stop. If you want to see what the processor's side of the bargain should look like in writing (certifications, sub-processors, and who touches what), the companion article covers it, and our own documentation lives at trust.eventcube.io.
You do not need consent for everything. Over-asking makes things worse. Consent is just one of six lawful bases under GDPR. When someone buys a ticket, you process their details on a contract basis, so no consent box is needed. Where you genuinely need explicit, affirmative consent is for marketing to people who have not opted in, and for special category data like accessibility or dietary requirements.
The organisers who get this wrong tend to bolt a consent checkbox onto every field, which trains attendees to tick boxes without reading them, which is precisely the opposite of what consent is for. And a pre-ticked box does not count at all; the attendee has to make the choice themselves.
The better discipline is to interrogate the checkout form. Name and email are operationally necessary. The date of birth for a free webinar is not. Every field beyond the basics should have to argue for its place.

This myth has a twin: "I can keep everything forever", and they are both wrong. The actual principle is storage limitation: keep data as long as a genuine purpose justifies it, then delete or anonymise. Financial records have to be retained for tax purposes. Marketing data should go when consent lapses. "Just in case" is not the purpose.
The reason this matters in practice is breach response. Under the UK GDPR, you have 72 hours from becoming aware of a notifiable breach to report it to the ICO. Seventy-two hours is nothing if you do not already know what data you hold and where it sits. Organisers with tidy retention habits handle breaches in an afternoon. Organisers with nine years of unexamined exports in a shared drive do not.
The UK rules did change, and recently. The Data (Use and Access) Act 2025 received Royal Assent in June 2025, and most of its data protection provisions took effect on 5 February 2026, with a final tranche due on 19 June 2026. It amends UK GDPR, the Data Protection Act 2018, and PECR. If you operate under EU GDPR, this does not affect you in the same way; it is a UK reform.
I would not lose sleep over it. As data protection commentator Susie Parker put it, for most businesses, this is a case of reviewing policies and tightening processes rather than starting again. The one genuinely reassuring update: the European Commission renewed the UK's adequacy decision on 19 December 2025, valid until 27 December 2031, so data continues to flow freely between the UK and the EU without extra paperwork.
Honestly, not much. Strip out the folklore, and you are left with three questions: what do you collect, why, and how does someone get it removed? Everything else is a process. If I were setting this up for an event tomorrow, I would do it in this order:
That list takes an afternoon for most events and covers the vast majority of what the ICO would ever ask you about.
GDPR compliance for event organisers is smaller than its reputation. The rules apply to events of every size. You are the data controller, whichever ticketing platform you use. Consent is only needed where the law specifically asks for it, retention is about purpose rather than panic, and the 2026 UK reforms are an adjustment, not an upheaval.
In my experience, the organisers who end up in trouble are almost never the ones who collected the wrong thing; they are the ones who could not explain what they had or why they had it. GDPR is, underneath the acronym, a transparency test. Pass that, and the rest tends to follow.
This is general guidance, not legal advice. The ICO's guidance at ico.org.uk is the best plain-English starting point for UK organisers; for anything specific to your event, talk to a data protection adviser.