GDPR – 2 years later in the middle of a pandemic
The General Data Protection Regulation (GDPR) is the data protection legislation which came into force on 25th May 2018. It replaced the old Data Protection Act and sits alongside the Privacy and Electronic Communications Regulation (PECR).
GDPR was introduced to further protect everyone and their personal data, as the previous legislation was out of date. The old Data Protection Act was created nearly 30 years ago, before the Internet and e-commerce were really a thing. GDPR was put into place to cover the new ways of living and working online and aims to prevent our personal data from being misused.
However, no one could predict the change we are currently experiencing with COVID-19. Whether we like it or not, many cultural organisations are using online channels to stay in touch with audiences and get some content out to people during the lockdown. With social distancing, online will remain a key channel for some time.
It is important to remember, even in this uncertain time, GDPR still applies.
We have to continue to respect the wishes of the people we are talking to.
- Make sure you are only getting in touch with people who said they wanted to hear from you. Any other contacts you may still have stored somewhere who haven’t subscribed to your communication channels should have been deleted by now.
- When people gave you their consent, you should have given them information on what type of content they would receive from you, such as newsletters, information on upcoming shows, etc.
These two rules still apply today. We can’t just message people because there is a worldwide pandemic. Desperate times don’t always call for desperate measures.
Think about your personal experience: how do you feel when you receive those emails you didn’t sign up for? I don’t know about you, but I received 100s of emails from people telling me how they are handling Covid-19. To be honest, I don’t really care about how an online sunglass shop I bought from once 5 years ago is handling Covid-19.
How does it work for the Arts, Culture and Heritage sectors?
Of course, for us in the arts, culture and heritage sectors, we do have important things to tell our customers. We need to tell them that attractions/venues are closed, shows are cancelled and what refund policies are in place. This is fine, as the legal basis for processing their data isn’t consent in these instances, i.e. we are within GDPR guidelines to tell all audiences this information whether or not we’ve got their consent. The basis we are using here is legitimate interest, which is one of six legal bases for processing data. The full list is below:
- Consent (which has actively been given)
- Legitimate Interest (like soft-opt in but has rules around it)
- Public Interest (it is in the public interest to know this information)
- Contractual Obligation (you are in a contract with someone and need to let them know changes)
- Legal Obligation (your personal data needs to be shared due to a legal requirement)
- Vital obligation (someone’s life could depend on you sharing their personal data, e.g. if someone had a heart attack in your venue during a workshop, you would pass on any health information you hold on them to the ambulance crew)
These six bases for processing data are all equally valid. None takes priority over another. Therefore, it is important to note which legal basis you are using to contact people.
If you are a council and need to let people know about reopening or new protocols in place, it could be argued that ‘public interest’ is an appropriate basis.
Or, if people had bought tickets to a show that had to be rescheduled, they entered into a contract with your organisation at the time of purchase. So, to fulfil your side of the contract, you need to let them know the new date or how to claim a refund.
After my extensive study of GDPR, I find it is a great piece of legislation brought in to protect us all. As a sector, we should always be able to make GDPR work for us. When the reason for contact is really thought about, there will almost always be a legal basis for your purpose.
We also need to think about GDPR in our new ways of working from home. Make sure devices with access to work emails and networks are double password protected, only use your own private Wi-Fi to work on, make sure you have up-to-date security on your home laptops/computers, and that all data protection policies are still being followed, such as deletion of information no longer required.
Plus, it’s thinking about wee things like making sure you don’t leave your devices open in your home for others to read, and that if you brought any documents home with you which contain personal data, they are safely locked away.
I know this can all seem a bit OTT, but better to be safe than sorry!
My Top Tips:
- GDPR is not scary and not awkward; it is there to protect us all. Don’t be afraid of it, it can smell fear!
- Don’t try to copy big businesses and organisations. The blatant ignorance I have seen from massive companies over the past couple of years is ridiculous.
- Visuals and videos (even voice recordings) are personal data. Make sure you have consent to use them before you post them online or use them in marketing.
- GDPR isn’t ever ‘done’. It is a continuous legal requirement that needs reviewing and updating yearly.
Some additional helpful resources:
- We have loads of really useful online information on GDPR in our Toolkits and Templates section.
- We also offer GDPR sessions and refresher sessions.
- A great blog from Katy Raines on how to ask people to donate the cost of tickets from cancelled performances.
- The Information Commissioner’s Office (ICO) UK hub for data protection and Covid-19.
- The ICO’s information about data protection and working from home.