Here at thrive we've worked with lots of different cultural organisations to get them up to speed with GDPR. Through running GDPR events and workshops, and discussing the topic online, we’ve heard a lot of questions coming from the sector. So we've worked with the Information Commissioner's Office to provide answers to your top concerns:
Why is this happening?
The GDPR is all about putting the customer first. We’ve all heard stories about companies playing fast and loose with people’s personal data, and sending out nuisance emails that people can’t unsubscribe from.
In the cultural sector, we’re not in the business of using people's data to hard-sell them products. Instead, we're usually more interested in bringing the benefits of arts, culture, and heritage to as many people as possible. That can involve email or postal marketing to let people know what's on, or collecting surveys and box office data as part of audience research. GDPR is a great opportunity for the sector to let our audiences know what we're doing with their data, and why.
Will we be hit with a big fine if we don't comply?
Since 25 May 2018 the Information Commissioner's Office has had the power to impose fines of up to €20 million, or 4% of annual global turnover, whichever is higher. But are small arts organisations really in the firing line?
Here’s what Elizabeth Denham, the Information Commissioner has to say:
“It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”
So mistakes will be made, and you may not have fully completed your journey to compliance, but if you can show that you have taken accountability seriously, the ICO will take this into account.
The first step is reading up on GDPR and getting a good understanding of it (which you're doing right now!), and then completing a data audit and working towards full compliance. (You can check out our blog on where to start for some handy resources and templates.)
Can we still email businesses, schools, and community groups?
The GDPR applies to personal data only – that is, information that can be tied back to an identifiable individual. A wide range of things can identify an individual, including a name, an identification number, location data or an online identifier.
So if you are emailing a generic, non-personal address that doesn't contain a name (such as info@ or admin@), you won't need explicit consent or soft opt-in. You still need to identify yourself in the email and provide contact details. Bear in mind that a named address at an organisation (for example, a teacher's own school email address) can identify an individual and so is personal data, and should be treated like any other personal contact.
It’s a good idea to keep a ‘do not send’ list on file to record those who told you they don’t want to receive marketing messages from you.
To find out more about the regulations around email, check out our email marketing flowchart.
What about videos and photos?
You must get the permission of all the people who will appear in a photograph, video or webcam image before you record the footage. That means children as well as adults. You must make it clear:
• Why you are using that person’s image
• What you will be using it for, and
• Who might want to look at the pictures
You could do this by including the details in event sign-up or ticketing information, making an announcement at the start of your event, putting up clear notices, or including the advice in a theatre programme. You'll need to let people know how they can object too - do they need to notify you or simply move away from a clearly defined area?
If a person can be identified from a photo or video, then it is classed as personal data, so you should treat it like any other personal data – keep it secure and don't store it for longer than is needed. And if you're sharing it with third parties, you'll need to get permission for that too.
Does historical data need to be GDPR compliant too?
Not all data needs to be GDPR compliant, but all personal data does. If your archives or historical information contain personal data about at least one living person, they must be GDPR compliant. You must have a clear reason for why you are keeping the data and why you need it. You cannot keep personal data ‘just in case’.
You must have a reason for holding the information, it must be stored securely, and you must have a documented retention period explaining your reasoning for keeping it. And if you're sharing it with third parties, you'll need permission for that too.
Can I keep data I have now for archive purposes?
Generally, you shouldn’t keep any personal data for longer than you have a use for it. However, you can keep it for research, historical or statistical purposes, as long as it is not used to make decisions about any particular individual and is not processed in a way that would cause substantial damage or distress to the data subject.
I have names on my mailing list which gave consent, but no record of consent. Do I have to re-consent them all under GDPR?
If they’ve already consented, that consent is up to GDPR standards, and you have evidence of it, you’re fine. If you can't evidence the consent, you can't rely on it: you'll either need to obtain fresh consent or use another lawful basis for processing. For postal mailings, this is likely to be consent or legitimate interests; for emails, you might use consent or soft opt-in.
Should I just delete my email marketing lists and start from scratch?
Not necessarily. Stop and think before you do this - you may be able to hold on to a lot of your email contacts.
You don’t need to rely on consent for all of your email marketing. Soft opt-in can be used too. Check out our email marketing flowchart to see all your options.
Can I get consent verbally?
You can – just make sure to keep good records of it, including a copy of the script that was used when consent was asked for at the time. It doesn’t need to be the whole conversation, but it should capture what was explained to the customer and what they agreed to.
How much evidence of consent do I have to keep? Does it all need to be hard-copy?
You’ll need to keep records of who consented, when they consented, a copy of what they consented to (such as the paper form or a link to the online one), along with evidence of how they consented (such as a signature or an online opt-in timestamp). You will also have to record if they ever withdraw consent. It doesn’t matter whether this is kept in paper files or online, so long as it’s secure.
Get Personalised GDPR Support
If you have a question that isn't answered above, you can leave us a comment below and we'll do our best to answer. We’re also offering bespoke GDPR workshops for cultural organisations for £150 + VAT, so please drop me an email if you're interested.
Note: This is intended to provide an overview of GDPR and is not a definitive statement of the law.
For a definitive guide, check out the Information Commissioner’s Office website.