GDPR: One Year On

Terry Rosoman | Posted on Wed 22 May 2019 at 11.33AM
Categories: Tips

Discover the impact of GDPR and how you, as an event organiser, can remain compliant to ensure your customers’ data remains safe.

This time last year, the new General Data Protection Regulations (GDPR) was prominent in the press threatening fines to companies for non-compliance of up to €20 million. Each and every one of us was bombarded with emails from companies that we once signed up to or purchased from, seeking new consent for their marketing activities. One year on, from what was perceived as potentially the new ‘Y2K bug’, how has GDPR impacted both business and individuals, and how compliant are Event Organisers?


GDPR was introduced across Europe to provide a standardised approach to the protection of personal data. Within the first nine months of these new regulations, there were 206,326 cases reported across Europe including 65,000 reports of a potential breach and 95,000 complaints from Data Subjects. The total number of fines for non-compliance is currently €55.96 million, although €50 million of this figure is made up from one fine by the French Authority against Google.

Event Organisers

Although the Data Commissioners have been focussing on improvement and rectification rather than big fines for non-compliance, it doesn’t mean that Event Organisers can get away with not undertaking their own due diligence when it comes to GDPR. If you sell tickets for an event, you are a Data Controller and responsible for the personal data of your Customers. Irrelevant if you are part of a registered company, self-employed or even acting in a voluntary capacity in organising an event. You are accountable under GDPR.

The UK’s Information Commissioner, Elizabeth Denham, is clear on the requirement for accountability stating “if a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation”. But if you haven’t yet undertaken any work to meet your own obligations under GDPR to safeguard your Customer’s data, it’s not too late to get started.

We present eleven steps to help you on your way to compliance and ensuring your Customers' data remains safe.

  1. Visit the ICO website
    Our recommendation as a starting point is to visit the ICO website where there is a wealth of information and guidance for small business on GDPR compliance.

  2. Appoint a GDPR Champion
    You must take GDPR seriously and appoint someone in your organisation or team to take responsibility of GDPR compliance. This person needs to be someone who can take the time to understand your GDPR obligations and what sections of the legislation will/won’t affect you. They also need to be someone who can implement change to ensure compliance and have the support of the wider team. Some organisations may need to appoint a Data Protection Officer – refer to the ICO guidance as to whether this is a requirement for you.
  3. Understand the data you collect, process and store
    Undertake a data mapping exercise to identify all the personal data that you collect, process, share and store. This may not be limited to your Customers' Data but that of your Employees, Volunteers, Suppliers or Partners. This will provide you with a comprehensive record of your activities and start to identify security concerns, gaps in policy or procedure, failures to securely delete data and data that is no longer relevant and therefore should not be stored.

  4. Identify the data your share
    Identify the third parties with whom you share personal data. This could be TicketSource or other organisations such as MailChimp, your own merchant services, CRM systems or even another Event Organiser. Have you been able to ensure the compliance of these third parties with GDPR and are Data Processing Agreements or Data Sharing Agreements in place?

    TIP: If you share Customer Data for marketing purposes with third parties such as other Event Organisers or Venues, TicketSource enables you to seek consent from Customers to share this data and can be found in the Event Designer feature.

    TicketSource is fully compliant with GDPR and will always act to safeguard your Customers' data and only act in accordance with the Data Processing Agreement which is in place.

  5. Know why you are processing Personal Data
    You can only process Personal Data if you’re able to establish a legal basis for processing. This may be delivery of a contract (e.g. for ticket bookings), legitimate interest or consent.

    TIP: Obtaining consent to be placed on a marketing list must now be granular (e.g. the Customer presented with separate options for postal, email or text marketing). You can select which marketing options to present to customers via your Data Protection settings in your TicketSource account.
  6. Create and publish your Privacy Policy
    One of the key requirements of GDPR is transparency, so you are required to create a Privacy Policy outlining why you are processing personal data, your retention period, who it will be shared with and the Data Subject’s own rights under GDPR. This is also known as the right to be informed and must be provided to the Data Subject at the earliest opportunity. A checklist regarding what needs to be included in a Privacy Policy can be found here: Privacy Policy Checklist

    TIP: TicketSource enables Event Organisers to upload their own Privacy Policy to their TicketSource account which will be made available to all Customers who are booking online. You can also set your retention period in TicketSource which ensures that Customer Data is automatically deleted in line with your policy.

  7. Undertake Data Protection Impact Assessments (DPIA)
    DPIA is a process to help you to identify and minimise risk during your processing activities. If you undertake processing that is likely to result in a high risk to Individuals, you are required to undertake a DPIA. The ICO also recommend that it is good practice to undertake this process for any major project that requires the processing of personal data. The ICO has a checklist to help you decide if a DPIA is necessary and can be found here: DPIA Checklist

  8. Understand Individual’s Rights
    Ensure you understand the new Data Subject’s rights under GDPR and make sure you have policies and procedures in place to deal with these rights as they arise. This may range from Subject Access Requests (a Data Subject’s right to see the data that you hold on them), Right of Rectification (correct personal data) and the Right to be Forgotten (this will be dependent on your retention policy and if you have a good reason for holding data for a prolonged period of time, beyond the event date).

  9. Review your GDPR Policies
    Review your existing policies and procedures to see if they comply with GDPR. The key policies that you should have in place include (but are not limited to):
    - Data Protection Policy
    - Data Security Policy
    - Privacy Policy
    - Data Retention Policy and Procedure
    - Data Breach Policy and Procedure
    - Subject Access Request Policy and Procedure

  10. Make data privacy part of your ongoing process
    Develop a process to ensure that GDPR compliance is an ongoing focus for you and your team. When you start a project, implement an alternative technology, introduce a new third party processing partner or share data with a different organisation, the above steps should be considered and implemented from the start of the process to ensure you are doing all that you can to maintain the safety of the data.

  11. Document everything!
    Above all else, as you work through this process to meet your GDPR compliance, ensure you document everything.  This would include minutes of meetings, reasons for key decisions such as whether you need (or don’t need) a Data Protection Officer, all processes such as Data Mapping, DPIA, etc.  Should you be in the unfortunate situation where you experience a data breach or a complaint is made to the ICO, this will go some way to demonstrate your accountability and intent to meet your obligations under GDPR which will place you in a much stronger position compared to doing nothing at all.  

If you have any questions regarding the Data Protection features within your TicketSource account, please contact our Support Team on 0333 666 4466 or

The advice and features outlined in this article are only meant to assist you in your data protection compliance and not intended as legal advice. We strongly recommend you take your own legal advice in deciding how to comply with GDPR.

Free Online Ticketing System

Sign up and set up an online box office for any event in any venue within minutes.

Get Started

Free Event Organiser Newsletter

Get free professional advice and information regarding event organising sent straight to your inbox.

You may opt-out of future TicketSource emails at any time using the unsubscribe link within the email. Read our Privacy Policy here.

Popular Posts

Hitting The Right Note With Orchestral Concert Tickets

Free Online Ticketing System Sign up and set up an online box office for any event in any venue within minutes. Get StartedIn 2018, tickets...

Small Town, Big Screen: Box Office Support for Community Cinema

Free Online Ticketing System Sign up and set up an online box office for any event in any venue within minutes. Get StartedThe British Film...

How to Successfully Put on a Theatre Play

Free Online Ticketing System Sign up and set up an online box office for any event in any venue within minutes. Get StartedWith over 32,000...

Case Study (18)
Features (17)
News (16)
Tips (17)
Updates (7)