Friday, March 23, 2018

Got the GDPR Jitters? 10 things you need to know as an artist / art society / art gallery

The law on data protection says what you should do when you collect, use, store or do anything else with people’s personal data. This law changes on 25 May 2018. Making data protection your business | ICO

The NEW & MANDATORY General Data Protection Regulation (GDPR) takes effect on 25th May 2018. 

I was not surprised that my inbox yesterday contained an email from the Treasurer of an Art Society about GDPR - which I've provided edited highlights of below
Please forgive me disturbing you, I am the Treasurer of (an art society). We are a small society based in (a county). We are a mixture of Amateur and Professional Artists, and I have been getting the "jitters" regarding GDPR and our mailing list that we use to invite prospective clients to our Annual Exhibition in July.
In my opinion the Treasurer is quite right to be getting "jitters" if they have done nothing yet to make sure they are going to be compliant.  On the other hand, with good organisation, a calm approach and some sensible actions I think it's entirely possible they can be compliant in a pretty short space of time.

The main challenge is in educating people and maintaining that compliance over time - and NOT lapsing back into bad habits.

Frankly the GDPR thing is so enormous, that initial attempts to explain it while well-meaning have tended towards a "one size fits all" approach and forgotten to tailor it more specifically to sole traders as well as very large organisation (and everybody inbetween!)

Fortunately, progress has been made since my last post on this topic Is your art organisation or business ready for GDPR - the replacement of the Data Protection Act? and there's now some much better information and guidance around - including some specifically for the small trader and smaller organisation or charity.

Bottom line - Governments are getting VERY serious about the protection of breaches of regulations that protect people's personal data.
  • mistakes are no longer acceptable
  • unwillingness to change is NOT acceptable
  • regulations make change mandatory
  • financial penalties mean people are paying attention.
Many members of the public are demanding higher standards from organisations – large and small – that collect and use their personal information.

10 things you need to know about GDPR
- as an artist / art society / art gallery

Before you start reading, I want to emphasise that I still haven't got my head around all of the published information on GDPR - by a long way - so any information below is given without any liability to the reader.

You need to do your reading just as much as me!

ONE - just to get your attention....

Breaches of GDPR can lead to FINES of up to 4% of annual global turnover or €20 Million (whichever is greater).

Just think - that could be 4% of Facebook Income or 4% of Google Income - or 4% of your turnover - BEFORE expenses!  Which is why they are taking this seriously!

Now I've got your attention I can tell you that the Information Commissioner's Office in the UK have also said
Monetary penalties have been and will continue to be a last resort of our regulatory action – our primary aim is to support businesses to get things right and improve their practices where required.

TWO - this one concentrates the mind wonderfully!

There are just 62 days left until the new Regulation (that means NOT OPTIONAL) becomes operational.

THREE - why this applies to YOU

The General Data Protection Regulation (GDPR) applies to applies to every person and every organisation processing personal data about anybody living in the EU.

That means for those in the art world, it's anybody who collects personal data about other individuals who live and/or work in the EU.

This includes:
  • ALL sole traders (i.e. artists who sell their work to people; art tutors who educate people), 
  • ALL Charities and not-for-profit organisations - such as Art Societies that have marketing email lists and membership lists
  • ALL Art Schools - which maintain personal information on their students
  • ALL Art Galleries - which maintain personal information about buyers and artists
Basically it means ANYBODY who records and processes personal data MUST comply with the regulation.

FOUR - Help is available for sole traders and micro businesses

The Information Commissioner's Office has videos and guides. There is a page for micro-enterprises called Making data your business.

Here's some extracts - a video and a set of steps

1. Know the law is changing – which you now do, so that’s one thing you’ve done already!
2. Make sure you have a record of the personal data you hold and why.
3. Identify why you have personal data and how you use it.
4. Have a plan in case people ask about their rights regarding the personal information you hold about them.
5. Ask yourself: before I collect their data, do I clearly tell people why I need it and how I will use it?
6. Check your security. This can include locking filing cabinets and password-protecting any of your devices and cloud storage that hold your staff or customers’ personal data.
7. Develop a process to make sure you know what to do if you breach data protection rules.
8. Don’t panic: we’re here to help. For example, you can click here to see some frequently asked questions and their answers for several different business sectors.


They also have a Guide for how to get ready for GDPR called Eight practical steps for micro business owners and sole traders (PDF file). This expands on the 8 steps identified above.

This is the best succinct summary I have seen so far!

FIVE - You can do a self-assessment of whether it affects you

This is the link to Making data protection your business self assessment - and it takes just five minutes.

These are the self-assessment questions
  1. Do you collect, use, store or do anything else with the personal information of employees, customers or both?
  2. How many employees do you have in your organisation?
  3. Do you work with sensitive personal information?
  4. Do you think your business is following data protection law now, ie the Data Protection Act 1998?
On that basis I need to make sure I am compliant with GDPR (I answered Yes, 1-50, No and Yes)
Any business that handles personal data, even micro-businesses with fewer than ten staff, will have to follow new data protection rules from 25 May 2018.
The ICO Guide suggests
If your sector has a professional association or trade body you should look at what information they’re producing about the new law.
The problem is that I suspect many art societies are probably also unaware or floundering and may well not be in any sort of position to offer advice to their members who may also need to comply.

SIX - definitions have changed - it's NOT just more of the same

The concept of personal data has been widened  this is the definition

What constitutes personal data? 
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. Frequently Asked Questions about the incoming GDPR |
a very large and important quotation written on the walls of the Information Commissioner
Source: Grace Hopper Quotes

SEVEN - Security is more important than ever

It's never been OK to share people's personal data without asking - eg circulating lists of people's addresses and telephone numbers and email addresses - but it happens, despite the fact this has been outlawed for the last 20 years (i.e. since 1998!).

Many people are unaware how routine practices they've been following for years are not allowed now - and not allowed in the future.

In future, some people will find that a failure to maintain patches for security flaws is likely to generate fines

People will remember the NHS data meltdown in 2017 - when NHS front-line services had to be closed down because computers had to be switched off - was caused in part by the failure of some NTS Trusts to update their systems and devices for known security issues.

In future, very serious breaches of personal data security like this will almost certainly involve a major fine.

EIGHT - there are major implications for marketing your art

You MUST ensure that your processing for marketing or fundraising purposes is compliant with the GDPR by 25 May 2018.

Before you use any personal data you or your organisation holds for marketing purposes, you need to be very clear:
  • what lawful basis you have for holding the information
  • whether or not you gained permission to use it for marketing purposes
  • what the source of that permission is
  • whether you have an accurate record of it.
That's because people are going to be told about their rights in relation to personal data. Expect a lot of newspaper articles the nearer we get to 25th May!
The right to object
Individuals have the right to object to the processing of their personal data for several reasons. In particular, you may receive an objection to your business sending direct marketing to a customer. If this happens, you must stop using their personal data for any direct marketing purposes.
Cleaning up marketing databases should have become a major preoccupation of art societies before now (hence my Art Society Treasurer's jitters about using old information for marketing this year's annual exhibition)

In terms of marketing you don't always need consent e.g. for postal marketing. This is if
  • you rely on legitimate interests as the lawful purpose for marketing activities - see the Legitimate Interests Guidance for more detail.
  • AND you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object. 
However you will need their informed consent for some calls and for texts and emails. See the Guide to PECR for more on when you need consent for electronic marketing.

In my view, making sure art societies can collect new 'clean' data with relevant permissions completed and recorded may very well become a major preoccupation at the time of exhibitions. (eg when collecting people's data you should indicate what it might be used for).

However there are some "work arounds".  You can utilise social media to 'broadcast' marketing messages
  • make sure your website is up to date and easily accessible via mobile devices - and has a proper privacy policy included on it.
  • create a Facebook Page and use this intelligently to market your art and exhibitions.
  • use Twitter and Instagram to highlight art.

NINE - it applies to YOU even if not based in Europe

What a number of overseas organisations won't have realised is that this Regulation also applies to them too.
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
It doesn't matter how big or small you are - if you target people living the EU (eg aim to sell art or other services to them) or your organisation processes any data related to people living in the EU, then GDPR applies to you
  • IRRESPECTIVE of where that company is based - it can be in the USA, Russia or China - and it applies 
  • IRRESPECTIVE of where the data processing takes place - it can be in Iceland or Korea or Siberia and it applies
It applies to you or your organisation if the personal data relates to or includes ANYBODY living and/or working within the EU

PS. It's clear that Google and Facebook and Amazon will have had to get to grips with this (I got my email from Google this morning telling me about changes it will be making - I think Google has learned from the last time it got a very hefty fine from the EU for ignoring regulations re. data protection).

But how about everybody else?

Do you live outside Europe and trade/transact with anybody in the EU - which involves you in recording and processing their personal data?

TEN - it's personal data on paper as well as on a computer

Just in case you were thinking you can get out of all of this by keeping everything on paper!
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.

Official Guidance

Below I'm going to highlight the production of guidance that's been issued since I last wrote on this topic back in August last year Is your art organisation or business ready for GDPR - the replacement of the Data Protection Act?

Guidance from the EU GDPR Portal

Guidance from the (UK) Information Commissioner

I RECOMMEND that you:

Guidance from Irish Data Protection Commissioner

If you struggle with any of the UK explanations I suggest you take a look at what the irish have to say. They should be both be explaining the same things - they just do it a bit differently.

They have:

For example - they have a a simple and easy to understand video for individuals (rather than organisations)

This is a rather nice Irish video about the new EU Regulation which explains which organisations need to be concerned. Again, it misses out sole traders despite the fact that it's relevant to them too.

General Data Protection Regulation from Data Protection Commissioner on Vimeo.

The GDPR for Individuals - What does it mean for you? from Data Protection Commissioner on Vimeo.


  1. This is very unclear! Is it necessary to send an email to everyone in your database to reconfirm their consent to receive e.g. gallery newsletters? And otherwise to delete their data from the list?

  2. It depends on how you obtained the email in the first place.

    Sounds to me like you need to reread the guidance again and think about how you have accumulated emails over time.

  3. So, just to be clear:

    If I am an artist in the US, and want to send an email announcement where some precipitants are in the EU but I did not get opt-in or explicit consent, i.e., I found a curator's or galleriest's email address online (or elsewhere), I am in violation of GDPR, is that correct?

    Thanks, Steve


COMMENTS HAVE BEEN CLOSED AGAIN because of too much spam.
My blog posts are always posted to my Making A Mark Facebook Page and you can comment there if you wish.

Note: only a member of this blog may post a comment.