Last updated: April 2026
You might have noticed a recent increase in the number of emails you are getting from companies talking about changes to their privacy policy – they could be asking you to “opt in” to receiving further updates, or simply letting you know that there is an option to “opt out”. This is all down to a change in European data regulations known as the General Data Protection Regulation. In this blog, we discuss what GDPR is and how it might affect musicians.
Data protection is a hot topic right now. With the recent revelations surrounding the alleged misuse of data by firms like Cambridge Analytica (and Facebook’s failure to adequately protect the information of its users), the media spotlight has not just been focused on Mark Zuckerberg testifying on Capitol Hill, but on the issue as a whole.
Indeed, the whole culture of “who gets to know what”, and what they do with it, is now the subject of a very contentious debate.
As such, the new regulations are not simply reactionary – they are very much precedent-setting. Now is as good a time as any to consider what information your business holds about its customers and how you use it.
Even huge companies like Apple have been looking at the way third parties, like Facebook, use their platform users’ information, the BBC reports.
What is GDPR?
The General Data Protection Regulation (or GDPR for short) is an update to Europe-wide laws surrounding the handling of data, replacing the Data Protection Act 1998.
When the original act was written, technology had not made quite the level of progress it has now, so there was little regulation of things like the location data of smartphones, for instance.
GDPR is designed to give you much more control of your personal information (as well as how and when it is collected) and forces companies to justify why they need the information they gather, while providing a framework for what they can and cannot do with it.
The new regulation also defines what personal information is, and highlights several categories that it deems “special category data” (broadly similar to the concept of sensitive personal data under the 1998 Act) and that require additional protections.
Examples of “personal data”
- Name
- Age
- Location/IP address
- Phone number
Examples of “special category data”
- Sexual orientation
- Health information
- Political beliefs
GDPR in practice
GDPR means there will be fewer “pre-ticked” boxes when companies ask for your information, and the law compels every company to use clearer language when describing its privacy policy.
You may also be required to “opt in” to allowing a company to use your data. The law change has led to many companies needing to rewrite their privacy policy, and subsequently inform their customers.
Should you want, you also have the right to request whatever data a company holds on you. If you don’t like what you hear, you also have the right to request that that information is deleted, although there are some limits to this right, such as information held by hospitals or journalists.

Under UK GDPR there are two tiers of financial penalty. The higher maximum is £17.5 million or 4% of total annual worldwide turnover (whichever is greater), with a lower tier of £8.7 million or 2% for less serious infringements. In practice, most ICO fines on smaller businesses are well below the maximum, and the Commissioner looks at seriousness, harm, intent and cooperation when deciding the level.
Companies will also be required to notify you if they suffer any kind of data breach or hack where your information might have been exposed.
How does GDPR affect musicians?
Data protection law is not an easy subject to get your head around, and it is often unclear how any regulation change might specifically affect your business, whether you perform solo or via a live music agency. The first thing to remember is that ALL businesses (including sole traders and self-employed musicians) are required to abide by GDPR.
Bands often hold more personal information on people than they think they do. For example, it would be highly unlikely for you to take a booking for a wedding or birthday party without needing to know the name, location and (of course!) the age of the client.
How you store and use this information would almost certainly be subject to GDPR. You may also collect other information, such as financial and banking details, and details contained in your gig contracts. GDPR sets out seven principles that any handling of this information must satisfy:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The Musicians’ Union also has information for staying on the right side of GDPR regulations which can be found on the dedicated page of their website.
If you have an online store or an email list for keeping fans up to date, Cyberprmusic.com also has some suggestions for how to best comply:
- If you have one on your site, update the privacy policy for your webstore / email list so it is compliant. Disclaimer: We are not lawyers.
- Ensure that every EU citizen has the choice to opt in. Create a “required” checkbox which requires the recipient or viewer to read your privacy policy & link to the privacy policy you created above. The easiest way to make sure that you’ve covered all of your EU subscribers:
- Send an email to all of your subscribers which prompts them to re-confirm their subscription or makes it very obvious that they can unsubscribe. You are asking them to confirm that they really want to receive emails from your list. Since you followed the rules to begin with and didn’t sign anyone up who didn’t sign themselves up, there’s a good chance they will continue to subscribe. If not, there’s nothing you can do – do not sign anyone up for a list without their proven consent.
If you use a third-party service, like MailChimp, they also state:
- Mailchimp has made it easier for you to set up for compliance, but you’ll still have to log in and 1) create an opt-in form and 2) make sure you understand their privacy policy, and how it applies to your business
- You can find the instructions for setting up your Opt In form on Mailchimp here
UK GDPR vs EU GDPR: what changed after Brexit
When the UK left the European Union, EU GDPR stopped applying directly. The UK government retained the regulation in domestic law as the UK GDPR, which sits alongside the Data Protection Act 2018. For most musicians and bands based in the UK, the day-to-day rules are almost identical to the EU version: the same seven principles, the same rights for individuals, and the same requirement to have a lawful basis for using personal information.
If you market to or book clients in the EEA, the EU version of GDPR can also apply on top of UK GDPR. In either case, the Information Commissioner’s Office (ICO) is the UK regulator you report to, and their website is the most reliable source for current guidance.
Practical UK GDPR checklist for musicians and bands
If you run a band or gig as a solo performer, the following checklist covers the areas the ICO is most likely to care about:
- Keep the personal data you hold to the minimum you actually need for bookings.
- Have a simple written privacy policy on your website that explains what you collect, why, and how long you keep it.
- Use explicit opt-in for any marketing emails and keep a record of when consent was given.
- Store client files and enquiries securely, with strong passwords and limited sharing across band members.
- Delete old enquiries and client details you no longer need.
- If you suffer a data breach that puts people at risk, report it to the ICO within 72 hours.
- Respond to any requests from clients to access, correct or delete their data within one calendar month.
The Data Use and Access Act 2025: what musicians should know
The Data Use and Access Act 2025 is the UK’s first major update to data protection since UK GDPR came into force. Most of its provisions started to apply from 5 February 2026, with a further round of changes rolling through into mid-2026. It does not tear up UK GDPR, but it does make targeted reforms in areas like automated decision-making, legitimate interests, and how complaints about data handling are escalated to the ICO.
For a working band, the headline is that the core rules have not changed: you still need a lawful basis to use personal information, you still need to be transparent about what you do with it, and you still need to handle requests from individuals properly. The ICO is publishing updated guidance as the new provisions come into force, so it is worth bookmarking their website and checking in periodically.
Summary
While it is mainly big business that is likely to feel the biggest effect of GDPR, it is always wise to be cautious when it comes to the handling of data. Interpret laws to the best of your ability and don’t do anything with anyone’s data that you wouldn’t be happy having done to yours. If you’re thinking about the wider legal side of running a band, it’s also worth reading our guide to image rights and photo copyright for musicians.
You may think it’s a great idea to trade email lists with a friend who plays similar music, but if their fans haven’t given their express consent, you may fall foul of the law… as well as potentially annoy a large group of people!
How do you ensure you keep your customers’ data safe? Do you have any top tips on following GDPR? Post your advice in the comment box below!