GDPR // Ticketing System Readiness Series

How are leading systems responding to changes in EU Data Protection? In the latest in this series we take a look at PatronBase.





Back Ground

PatronBase supplies ticketing / crm systems to a variety of organisations around the World, including the UK and Spain.


Their view

PatronBase has focused its offering on consent based permission as a basis for processing and on-going marketing communications.


What we saw

We examined several elements of the PatronBase offering during our session, including the box office and online flows for recording consent, as well as examining the granular audit trail that the system records and the tools PatronBase offer to allow for customised messaging online through its ‘Web Module’ – their out of the box online tool.


Great to see

PatronBase offers and almost unlimited range of marketing communication ‘levels’ and ‘channels’ – allowing venues to specify the types of communication a patron would like to have, as well as the method they would like to receive them in. This opens the door to allow customers to perhaps specify emails and postal contact for brochures and promotional material, whilst only post for fundraising asks.



PatronBase has audits permissions by operator and application channel as standard

What we didn’t see ……. but is coming

At present PatronBase’s communication levels are not driven by a user’s basket or previous consents obtained. There is a concerted development drive to deliver ‘named third party’ consents in an upcoming version. Given PatronBase already has a deep level of segmentation on events, by ‘Promoter’, “Project’ and other key identifiers, they will simply be needing to reference these to develop the consent user journey.


Transition Services and Issues

With many of the foundations in place to allow venues to be GDPR compliant there may not be a huge amount for PatronBases users to actually do or need assistance with.  Once the new named third-party consent permission structure is delivered, it will be necessary for venues to seek the correct named consents for their existing users. PatronBase will be delivering consulting and professional services to their clients in this area.


Issue to consider

They key item we saw that users should check is that their statements displayed to box office operators and web customers (including all web interfaces, as PatronBase supports many different online personas or ‘skins’) are consistent, in their meaning and scope.  We didn’t see this as likely, but it is possible, that online a statement may read “tick this box if you don’t…..” and offline it may read “tick this box if you do…..”.


Stand out feature

It sounds incredibly boring to list the strength and clarity of audit trails as a stand out feature, but when using consent as a basis for processing and contacting customers under GDPR it is going to be vitally important. Not only are these audit trails already (and have been for many years) they are clearly exposed in the UI too. This audit, coupled with already existing reports which look to satisfy as DSAR (Data Subject Access Request) that may come in, could mean that venues can respond with almost a single click of the button. We do hope venues do not find themselves subject to too many DSARs, but already having that box ticked is a great feature to see.



PatronBase has a strong audit engine underlying its ticketing and fundraising toolsets. The ability to edit messaging to clearly as well as having a suite of reports to satisfy DSAR requests provides a solid base for venues to move towards GDPR. The delivery of named third party consents based on purchases is the only piece of the puzzle missing and we look forward to seeing that in soon to be released versions.

This article gives information in relation to what we consider to be best practice. However, compliance is context and fact sensitive and as such following any guidance does not guarantee regulatory or statutory compliance.

The Information Commissioners Office will judge any complaint on its own merits, and organisations in need of context or situation specific legal advice should seek it from an appropriately qualified source.

This work has been made possible by support from Arts Council England