A Brief Overview of GDPR for Festivals and Events

August 28, 2019

What is GDPR?

The General Data Protection Act (GDPR) is a European regulation designed to protect the privacy of EU citizens and to give them control over their personal data. The GDPR not only applies to companies within the EU, it also extends to foreign companies that collect or process the personal information of European citizens. Penalties for non-compliance can surpass 20 million euros.

Why is this important to Festivals and events?

In the festival and event industry, we collect a significant amount of personal information from employees, contractors, artists, crew and attendees. Additionally, we use a variety of different technologies to collect, store and process this information: Ticketing software, mobile attendees apps, RFID/Cashless systems, marketing software and back of house management software. This information and the systems we use to manage it are crucial to delivering a world class festival or event. If a festival or event, no matter its location, collects, processes and stores the information of European citizens, it is legally required to comply with the GDPR. Not addressing this regulation appropriately leaves festivals and events open to risk of massive fines and potential lawsuits.

What do I need to do in order to be compliant with GDPR?

The GDPR is a complex piece of privacy legislation that requires information security and privacy law expertise to properly implement and manage.

Here are a few high level requirements that are needed as part of GDPR implementation plan:

  • Understanding and documenting the data you collect and why you collect it
  • Protecting the data you collect using industry accepted information security practices including documented internal policies and procedures
  • Educating your employees on information security and privacy
  • Conducting Vendor compliance assessments to ensure the providers that process your data are GDPR compliant and that they responsibly protect your data using accepted security practices
  • Reviewing or re-writing privacy policies to illustrate the data you collect and how you use it


The GDPR is the most aggressive piece of privacy legislation ever passed into law. It sets an unprecedented standard of protection and control of personal information. As festival and event organizations have expanded their use of data and data management systems, the passing of this legislation puts new responsibility, costs and risks on the shoulders of the festival and event industry. The result of failing to take this act seriously could have catastrophic impact on your business.

If you would like to learn more about implementing GDPR into your festival or event organization, click here to download our eBook.

Discover the event technology our parent company, Patron Technology, has to offer.

Learn More