· The Popup Pal Team

GDPR for event organisers in 2026: a plain-English guide

This is a practical overview, not legal advice — if you’re unsure about your obligations, speak to a data protection professional or check the ICO’s guidance.

If you sell tickets or take stall applications, you collect personal data: names, emails, phone numbers, sometimes dietary or accessibility needs. Under UK GDPR that makes you a data controller — the person who decides why and how that data is used. Platforms you use to collect it (Popup Pal included) act as your data processor, handling data only on your instructions. The controller hat comes with real obligations, but for a typical event they are entirely manageable.

Know your lawful basis

Every use of personal data needs one of the six lawful bases. For organisers, three do almost all the work:

  • Contract — processing a buyer’s name and email to deliver the tickets they bought, or a trader’s details to administer their pitch. No consent needed; it’s simply necessary to do the thing they asked for.
  • Legitimate interests — operational messages like “the car park has moved” to people attending your event, or keeping records for a reasonable period after the event.
  • Consent — marketing. Emailing past attendees about your next event needs a real opt-in: an unticked box at checkout, recorded with a timestamp. Buying a ticket is not consent to a newsletter.

Marketing: the bit organisers get wrong

The pattern that gets small organisers in trouble is exporting every past buyer into a mailing tool and blasting them. Don’t. Keep your marketing list strictly to people who opted in, make every message include an unsubscribe that actually works, and honour it immediately. If a trader captures visitor emails at their stall (for instance with a stall QR code), those people joined that trader’s list — the consent belongs where it was given.

Collect less, keep it briefly

Data minimisation is the cheapest compliance there is. Ask only what you need — if you don’t genuinely use phone numbers, stop collecting them. Then set a retention rule you can actually state out loud, for example: order details kept as long as needed for accounting and refund obligations; marketing contacts kept while consent stands; application data for unsuccessful traders deleted after a season. Write it down; that document is most of your privacy notice.

When someone exercises their rights

Any attendee can ask what data you hold (access), ask you to correct it, or ask you to delete it where you no longer need it. You normally have one calendar month to respond, and you can’t charge for it. In practice this means: know where your data lives (your ticketing platform, your inbox, your spreadsheet), and be able to search it by email address. If a platform holds the data for you, it should support export and deletion — here is how Popup Pal handles it.

The short version

  1. You’re the controller; your platforms are processors — have a privacy notice that says so.
  2. Tickets and stall admin need no consent; marketing always does.
  3. Collect the minimum, state a retention period, and delete on schedule.
  4. Be able to find, export and delete one person’s data within a month.

None of this requires a consultant for a village-hall fair. It requires tidiness — which, conveniently, is the same thing a well-run event requires anyway.