The new General Data Protection Regulations (GDPR) are designed to protect the rights of the public, and everyone will need to make sure that the way they manage personal data is compliant with them.
Even though many people are feeling significant anxiety around the changes, there’s a real opportunity for cultural organisations. Simply put, better data management can bring real benefits to the volume and value of the audiences you attract.
From 25 May 2018, you’ll need to comply with GDPR, the new data protection regulations. There are fundamental changes that will impact upon all areas of your work across the company. Though they are European regulations, they will still be implemented in the UK despite Brexit.
If you are willing to use this policy change as the catalyst for internal review and adjustments, you will be building a stronger organisation for the long term. Better processes will help avoid complaints and prevent a crisis, which could cause reputational damage. Cleaner, more accurate data reveals insights about audiences’ motivations and barriers to attending. Better data means stronger, more cost-effective marketing lists, messages that matter to the recipient and an increase in audience trust so audiences and stakeholders are more likely to engage with you.
Rights and responsibilities
As a rule of thumb, rights belong to individuals and responsibilities belong to organisations. It’s their personal data after all. The direction of change is that individuals’ rights are getting more robust and our responsibilities are getting more demanding.
Data protection is organised around eight core rights that individuals should be able to count on. GDPR strengthens all of them, in particular those covering how individuals’ data is used, stored, shared and deleted. For example, if individuals ask for it, you will need to give them a copy of the data you hold about them and tell them the legal basis under which you hold it. If the information you hold is inaccurate, you will have to correct it.
What do your new responsibilities mean?
In the new system we all have to meet a higher bar around accountability and governance. You want to have evidence of your compliance with GDPR, in particular:
- Have a written internal policy committing your organisation to handling personal data responsibly and for a good reason.
- Write your privacy policies succinctly in language that everyone can easily understand.
- Make sure you and your team members are trained in data management good practice.
- Every time you capture data, whether in person or online, make sure your privacy statements are clear about what the data is for and how it will be used.
- A higher bar for consent means you need to make sure your opt-in boxes aren’t pre-ticked yes and that it is as easy to opt-out as it is to opt-in.
- Keep a record of when/how individuals consented to receive information from you, including what they agreed to (in the privacy statement) and when consent was given.
- Provide extra safeguards to protect sensitive personal data (especially for young people or around protected characteristics).
If you discover you’ve had a data protection breach you’ll have to disclose it. You will have a legal obligation to report the breach within 72 hours of discovering that it has happened. When you report, you have to inform both the Information Commissioner’s Office (ICO) and individuals who are affected by the breach. People’s right to rectification is getting more robust. Under GDPR, the ICO will be the enforcers and they’re going to be able to levy significantly larger fines (up to 4% of annual global turnover or €20 million, whichever is greater).
What’s the current situation in the cultural sector?
Our November event, ‘Don’t get left behind or fined’ (in partnership with the ICO) was filled to capacity. It was clear many people are concerned about the coming changes and their impact on their ability to communicate with their audiences. Our research in advance of the event showed that there are high levels of awareness within cultural organisations about the fact that GDPR changes are coming. While a few organisations are ahead in their preparations, many still have a lot to do to get ready. In particular, we could see that there are real gaps around managing the consent that is needed to continue to use the customer data that you already have and confusion around when you have a ‘legitimate interest’ to do so.
Why start now?
It’s not too late! You’ve still got almost six months to bring your policies and procedures up to date. The best way to start is to get to the bottom of where things stand in your organisation right now. To help you do this, Culture Republic has launched a new GDPR resource hub specifically for Scotland’s cultural sector.
Three steps to getting GDPR-ready
There’s practical guidance for artists, producers and cultural organisations of any scale or art form. Follow the three-step journey, which will help you to assess where you are, what you need to do and how to turn your audience data into a powerful asset to understand who your audiences are, who they could be and how to reach them.
- Start by taking stock. Use the GDPR readiness test to get a feel for how much work you have to do and where your areas of uncertainty are. Then dig into the details of your data management.
- Use our free data audit workbook and templates to get a clear inventory of your current data, people and processes in order to make improvements.
- As you begin to make changes or when you need more detail, the GDPR resource hub has a series of articles to ground you in the basics (e.g. What’s a ‘data processor’? What does the ‘right to be forgotten’ mean?) and the details (from the international data shield agreement to where personal data might be hiding within your organisation).
As the deadline approaches, we will continue to keep you up to date on what you need to be aware of.
Finally, if you like the sound of our GDPR workshop in partnership with the ICO, you haven’t missed the boat – we have another one on the way in February.
This article was originally published on the Creative Scotland website.