The Terrorism (Protection of Premises) Act, also known as Martyn’s Law, was given royal assent last week. Here, we examine the data protection implications this new legislation will have.
Martyn’s Law is named after Martyn Hett, one of the 22 victims of the Manchester Arena terrorist attack in 2017. His mother, Figen Murray, has been a vocal campaigner for stronger security at public venues, and it was through her efforts that this legislation has been brought forward.
The new legislation applies to public venues, events, and certain public spaces. Any premises with a capacity of 100 or more will be impacted.
The law is designed to ensure that public venues and spaces have effective plans and measures in place to deal with potential terrorist threats. It introduces a tiered system based on the size and type of venue.
- Standard Tier: For venues with a capacity of 100 to 799 people.
- Required to undertake simple preparedness measures, such as staff training and basic emergency procedures.
- Enhanced Tier: For venues with 800+ capacity.
- Requires more comprehensive risk assessments, security planning, and implementation of counter-terrorism measures.
Whilst Martyn’s Law is not data protection legislation like the UK GDPR or Data Protection Act 2018, its primary focus is on physical security and counter-terrorism preparedness — making sure venues are ready to respond to and, key to data protection, reduce both the threat and impact of a terrorist attack.
How does Martyn’s Law impact how venues might handle data protection?
- Staff Training Records: Venues should keep records of who has completed counter-terrorism training, which involves handling employee personal data. Data protection training is also important in this, to ensure information is not made vulnerable to attackers.
- Visitor or Event Attendee Data: Some venues might implement registration or ticketing systems as part of their safety planning, which could involve collecting and storing names, contact info, or even CCTV footage — all of which falls under data protection law.
- Security Systems: Use of CCTV, facial recognition, or surveillance tech may raise privacy concerns, but is a key component of Martyn’s Law. Data gathered through these systems would need to comply with data collection, storage limitation, and other GDPR principles.
- Incident Response: If a security incident happens, data may be shared with emergency services or law enforcement, which must be done lawfully under data protection rules.
- Risk Assessments: Venues should complete risk assessments surrounding physical security and potential vulnerability to threats. A physical security assessment is also a key part of data protection, since physical security also protects stored data.
As of April 2025, Martyn’s Law has been formally introduced to Parliament and is making its way through the legislative process. It has broad public and political support, though some business and local government groups have raised concerns about the cost and implementation burden.
Venues will likely need to consider data protection compliance as part of their broader security measures. If you’re managing a venue or planning events, it’s wise to think about both physical security and data privacy together. Our BLS team has extensive experience in physical security, counter terrorism legislation and data protection. If our expertise could benefit you and your team, do get in touch.
A physical review may be an option as a starting point which is a dedicated and intrusive examination of your physical security arrangements to identify and address weaknesses and vulnerability in the environment your information is stored and the effectiveness of your processes and security.
We will visit your premises and assess your physical, technical and organisational security, from suitable locks on doors and windows to the storage of physical documents. We will look at your needs for CCTV, whether you have the correct procedures in place for the destroying of documents containing personal data and your staff protocols regarding visitors, ‘empty desk policies’ and much more. We will also interview relevant staff to ensure their knowledge of physical security is at a suitable level.
This is a very specific requirement and what is covered will depend on the premises and requests from staff nearby.
We will then produce a detailed report, featuring our findings and recommendations to improve security where necessary.
Get in touch to request a physical security review at your premises.
