Tuesday, August 22, 2017

Is your art organisation or business ready for GDPR - the replacement of the Data Protection Act?

HEADS UP! Next year, on 25 May 2018, a new EU General Data Protection Regulation comes into effect - and this may well affect YOU.

It affects 
  • ALL art organisations holding the PERSONAL DATA of EU data subjects (people living in the EU). This INCLUDES any individual or organisation holding personal data for reasons other than those relating to the strictly personal requirements of an individual: 
    • art businesses - including artists with lists of collectors and contacts
    • art galleries and 
    • national and local art societies and groups 
  • ANY businesses located outside the EU having a transaction involving personal data with anybody (i.e. a data subject) living in the EU - including transfer of any data to another country - which means its ambit goes way beyond the EU.

Why is this happening?

The existing Data Protection legislation is being replaced because it is no longer fit for purpose for the changes in the ways data is collected and the scope and reach of organisations across the world in relation to people living in the EU. Bottom line security has been too lax and there have been too many data breaches with implications for crime and the personal security and lives of individuals.

Home Page for the EU GDPR website

The general data protection regulation (GDPR) is a new EU law. It will replace the current Data Protection Act on 25 May 2018It does not require any enabling legislation to be passed by national governments and is thus directly binding and applicable to all on that date. (i.e. the transition is happening now and has been for some time!). You can read more about this in the links at the end of this post.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site. EU GDPR
There are heavy fines for organisations which do not comply.
Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
You may remember when Google and others thought that EU Laws and Regulations didn't affect them. They changed their minds once they started being fined very large sums by the EU.

If you're an artist with an art business which records personal data OR a member of an art society or you might want to forward a link to this blog post to your Chair - highlighting this fact.

"Personal data" is defined by the European Commission as
"personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
In the new legislation a breach of the regulation will be defined as follows
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

Why I'm writing about data protection

In my last management job prior to retirement, one of my responsibilities as a senior support services manager in a very large organisation was being the statutory named Data Guardian for a specific set of data about children and young people.

There's nothing quite like having a responsibility where "the buck stops here" for making you sit up and pay much more attention to both the requirements of data protection - and the penalties for non-observance!

One of the reasons Data Guardians (with different titles) were introduced in relation to Data Protection is that many organisations don't think too much or too long about how they process personal data and whether it is safe and secure from those who have no need to know.

For example, I guarantee most art galleries and art societies will never have given much, if any, thought to the need to protect the personal data they collect from visitors, collectors, members etc.  Visitor books lying around with addresses and email addresses on view for all to see is a very simple indicator of an organisation that is very probably NOT data aware (e.g. if you want to invite people to receive information from you, get people to write their contact details on a slip of data and/or leave their cards somewhere out of view and inaccessible to the public)

One of the things I have been doing  over the last decade or more is pointing out to various art organisations from time to time the precise ways in which they were grossly breaching the provisions of the current Data Protection Act - which is about to be replaced by this new law. Typically organisations both large and small, national and local, voluntary, charitable and statutory have been surprised / alarmed and then followed up and most have made changes to the way they operate as a result.

One example is publishing the addresses and/or contact details of artists in exhibition catalogues or other publications or websites without their informed and written consent.

The incentive to make changes to that sort of approach in future are the very significant fines which are due to be be introduced - because the EU perceives that people and organisations have been too lazy in their attitudes and actions!

GDPR - Key points to note

If you're already compliant with the existing Data Protection Act, then the changes are just a step change.

However if you've never given it any thought or had it on the "To Do" list for far too long then now is the time to sit up and pay attention!  You have until May 2018 to get your act together!

So what are the key "need to know" points?
  • The general data protection regulation (GDPR) replaces the current Data Protection Act.
  • A single set of rules will apply to ALL EU member states
  • NEW: the aim is to eliminate territorial ambiguities in legal cases - it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location 
  • ALL businesses and charities have to comply and it's very likely that the UK will adopt all or most of GDPR as domestic legislation - irrespective of Brexit 
  • it applies to ‘personal data’  - that's any data you record, manually or digitally, about individuals that can identify them eg name, address, telephone number, bank account details
  • the new act applies to all ‘controllers’ and ‘processors’ 
    • the controller - organisation that collects data from EU residents; says how and why personal data is processed; and 
    • the processor acts on the controller’s behalf e.g. organisation that processes data on behalf of data controller
  • applies to processing carried out by virtually ALL organisations
    • organisations operating within the EU 
    • organisations outside the EU that offer goods or services to individuals in the EU 
    • excludes only law enforcement processing and processing relating to purely personal/household activities. 
  • consent must be given in an intelligible and easily accessible form
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Key Areas to Consider | ICO Data protection reform / Overview of the GDPR
  • NEW introduction of the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity. This is explained in greater detail later in this guide.  In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. 
The GDPR places onerous accountability obligations on data controllers to demonstrate compliance. This includes requiring them to: (i) maintain certain documentation, (ii) conduct a data protection impact assessment for more risky processing (DPAs may compile lists of what is caught), and (iii) implement data protection by design and by default, eg data minimisation.The EU General Data Protection Regulation 2017 | Allen & Overy 
  • CHAPTER VIII deals with Remedies, liability and penalties. Anybody who suffers material or non-material damage as a result of an infringement has the right to 
    • an effective judicial remedy against a controller or processor (Article 79)
    • be compensated by the organisation causing the infringement (Article 82)
  • fines will relate to the nature and scope of the infringement and the extent to which the organisation had acted to prevent it happening (Article 83)
The following links provide the ICO definitions of how GDPR provides rights for individuals:
The ICO has prepared
It's likely that there will be
  • defined Codes of Conduct published
  • Certification and Accreditation Bodies - with certification adjusted to the needs of different sizes of organisations.  (Think of it like the security certificate you need to have if you want somebody to do a monetary transaction on your website - in effect it's the same thing)


1 comment:

  1. Thank you for this. I was just discussing this last week as treasurer of an art society. We are intending to collect buyers' emails, already we hold members', and it set off alarm bells. I will phone them up to get advice on how best to proceed as we might as well put in action now, the steps to maintain confidentiality.


COMMENTS HAVE BEEN CLOSED AGAIN because of too much spam.
My blog posts are always posted to my Making A Mark Facebook Page and you can comment there if you wish.

Note: only a member of this blog may post a comment.