GDPR for Creative Organisations
A Quick Guide To GDPR
It’s been months since GDPR came into force, and for most of us this will only have been marked by the onslaught of newsletters asking for our permission to continue emailing us. Thank goodness that’s over – but now the work begins in being compliant with the new European laws.
This guide was compiled to give you a quick overview of GDPR, keeping it as simple and relevant to you as possible. It’s worth highlighting that we’re not lawyers, so these are just guidelines; if you have any doubts it’s best to get proper legal counsel.
As the web evolved, our ability to store and process data became increasingly sophisticated. The last 3 decades have led to a gold rush on our personal data, without us even being aware of the data being stored about us. To protect citizen rights, the EU modernised its data laws, creating transparency for users and giving them more rights over their data.
Do I need to worry?
Yes, if you are any company hosting personal data of EU citizens (that includes the UK at time of writing). The ICO has created a quick form to establish your obligations based on the data you hold – this should help you work them out quickly.
What information is protected?
If you store any information that can identify an individual, either directly (e.g. name, email, address), or indirectly, then it’s protected.
There are also special restrictions on sensitive data, which will most likely include any data you collect as part of an equal opportunities form. Sensitive data includes:
- Racial or ethnic origin
- Political opinions
- Religious / philosophical beliefs
- Union memberships
- Genetic / Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health or a natural person’s sex life and/or sexual orientation
What are my obligations?
Register with the ICO
If you process personal information, you must be registered with the ICO – it’s not too expensive for small businesses (£35 a year).
Question your data
It’s important to know what data you need and why you need it. To make sure you’re only collecting the necessary data, ask yourself the questions below about the data you hold.
Questions to ask
• What personal data do I hold and why? (that includes clients, audiences, HR…)
e.g. where did I put that Zealous submissions report with 2,000 email addresses in it?
• Who has access to it?
e.g. should your accountant have access to the contact information of every candidate who submitted to your competition?
• Do I need this data for the sake of the services I supply?
e.g. holding next-of-kin information may be relevant to a hospital, but not to a cinema
• How long do I need the data for? What is in place to remove that data when it is no longer useful?
e.g. is it valuable to have emails for audience members that haven’t visited in 5 years?
• Did I get permission to hold that data from users/clients?
e.g. if they didn’t tick the box to sign up to your newsletter themselves, then they never agreed to receive it in the first place.
• Do users/clients know what I hold about them?
The whole purpose of the change in the law is to allow individuals to control their data and to be aware, at any time, of what data you hold about them.
Your data must:
- have a purpose
- concern individuals who are “legitimately interested” in you holding it
- only be kept for as long as it is necessary to keep it
- only be accessible to the people in your organisation who need it
If you’re ethical with your users – you don’t spam them, misplace 1,000s of email addresses on the train, or surprise them with data they don’t think you should have about them (e.g. an automated email entitled “Hi Dave, I noticed you visited Starbucks yesterday, why don’t you come visit us today since you’re in town”) – there should be no reason to worry.
React to queries quickly, let people know what you hold about them from the onset, and don’t hold data you don’t need.