Art Business Info. for Artists

General Data Protection Regulation for Artists and Art Organisations

General Data Protection Regulation - A Resource in Progress

The General Data Protection Regulation came into effect on 25 May 2018.
It relates to people's PERSONAL DATA - data that helps identify an individual.

It affects all businesses (including sole traders) in the EU, AND ALL businesses outside the EU who collect and/or process and/or store personal data relating to EU residents.


Below I'm trying to put together a resource for artists, art societies, art galleries and other organisations who need to make sure they comply.

Any business that handles personal data, even micro-businesses with fewer than ten staff, will have to follow new data protection rules from 25 May 2018.

Index to a resource in progress

My aim is to provide a set of resources for artists and arts organisations to read and reference as they prepare to make sure they comply with this new and more rigorous approach to data protection for people living in the EU.
To start with, this is going to be pretty much a list of resources - but I'll aim to extract and organise information as issues that need to be addressed become clearer.
The quotations below (in blue) highlight and focus on key facts and statements made to date.
Topics covered below include:

OFFICIAL SOURCES OF INFORMATION - including enforcement action taken
  • The European GDPR Information Portal
  • UK - The Information Commissioner
  • Ireland - The Irish Data Protection Commissioner
ISSUES FOR ARTISTS & ART ORGANISATIONS
  • collection / retention / storage of personal data
  • contact marketing lists
  • Marketing and fundraising for arts organisations / charities / museums
  • implications for artists as sole traders
  • data breaches by artists and art organisations
  • advice from artists & art organisations
GDPR AND SPECIFIC PERSONAL DATA PROCESSORS 
  • Including: Apple; Google; Paypal, Square; 
  • Contacts systems including: Mailchimp, AWeber, Feedblitz, Feedburner
  • Data: Dropbox, WeTransfer
  • 3rd Party Sales: Etsy
  • Social Media: Twitter
  • Websites: Squarespace; Weebly; Wix
GDPR ADVICE - OTHER SOURCES
  • GDPR Facebook Groups
  • Advice from Lawyers
  • Blogging about GDPR
Does this affect YOU?
Try completing these two quizzes....
  1. Does data protection law apply to my business?
  2. How well do you comply with data protection law: an assessment for small business owners and sole traders
DISCLAIMER: I am NOT an expert on this topic - even if I know more than you!  Nothing stated on this page is legal advice.
Like you I'm just trying to work my way through the maze of online information about GDPR. Hence this resource should NOT be construed or relied upon as legal advice. You are not my client and I do not know your individual circumstances - meaning I have no liability to you in any circumstances should you choose to rely on any of the materials on this page - although whatever is published by the ICO should be more authoritative than most. 
More formally
- This is an education portal and the information contained within this portal does in no way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.


Official Sources of Information

The General Data Protection Regulation
  • adopted by the European Union on 27 April 2016.
  • became enforceable as from 25 May 2018.
  • It is a REGULATION i.e. directly binding on all concerned (i.e. NOT OPTIONAL!)
  • a single set of rules applies to all EU member states.
  • It extends the scope of EU data protection law to ALL FOREIGN ENTITIES offering goods or services to EU residents or processing data of EU residents - irrespective of where they are based and irrespective of where the data processing takes place.
  • data may not be processed unless there is at least one lawful basis to do so - and it can ONLY be processed for the lawful purpose for which it was collected.
  • various sanctions - including fines - can be applied to data breaches
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What is personal data?
Personal data includes:
  • anything that identifies an individual - even if you don't know their name
  • factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What constitutes personal data? 
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Frequently Asked Questions about the incoming GDPR | EUGDPR.org

Guidance from The EU on GDPR

Data protection in the EU

Data Protection | EU - the main portal to all relevant information - including
  • The EU Charter of Fundamental Rights stipulates that EU citizens have the right to protection of their personal data.
Relevant Legislation including
  • The General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • The Data Protection Law Enforcement Directive - Directive (EU) 2016/680 on the protection of natural persons regarding processing of personal data connected with criminal offences or the execution of criminal penalties, and on the free movement of such data.
National data protection authorities - EU countries have set up national bodies responsible for protecting personal data.

REFERENCE:
  • Law: General data protection regulation - (EU) 2016/679
  • Directive (EU) 2016/680 on the protection of natural persons regarding processing of personal data connected with criminal offences or the execution of criminal penalties, and on the free movement of such data

Data transfers outside the EU

  • Rules on international transfers of personal data
  • EU-US Privacy Shield - The European Commission is committed to reviewing the arrangement on an annual basis to assess its continued level of adequacy for the protection of personal data.
  • Adequacy of the protection of personal data in non-EU countries
  • Binding corporate rules
  • Model contracts for the transfer of personal data to third countries

EU Justice and Fundamental Rights

  • National Data Protection Authorities - a listing of all the National Data Protection Authorities for each EU Country. These, in turn, will have information like that produced by ICO for the UK - see below.

European Union Agency for Fundamental Rights and Council of Europe

Handbook on European data protection law by the European Union Agency for Fundamental Rights (PDF)
  • The manuscript for this handbook was completed in April 2018.
  • Updates will become available in future on the FRA website at fra.europa.eu, the Council of Europe website at coe.int/dataprotection, on the European Court of Human Rights website under the Case Law menu at echr.coe.int, and on the European Data Protection Supervisor website at edps.europa.eu. 
GDPR for Dummies
by Suzanne Dibble

HIGHLY RATED: Has been #1 Best Seller in Business Law / In the Top 10 Business Law Books on Amazon.
An ideal reference book for any business owner anywhere in the world who needs to deal with GDPR if transacting any business with anybody in the UK

Sets out in simple steps
  • how small business owners can comply with the complex General Data Protection Regulations (GDPR)
  • what constitutes personal data and special category data
  • how to avoid fines, regulatory investigations and customer complaints
  • how to gain consent for online and offline marketing
  • and much more!
  • The scope of GDPR
  • How GDPR affects your business
  • Consequences of non-compliance
  • What personal data includes
  • What special category data is
  • Implementing a privacy policy
  • Essential data security practices
  • How to report a data breach
Paperback: 464 pages
Publisher: John Wiley & Sons
Publication date: 23 Jan. 2020

Rated an average out of 5 stars
UK: 4.8 by 67 customer reviews
USA: 4.7 by 32 customer reviews


UK - Guidance from The Information Commissioner

The Information Commissioner's website has extensive information about GDPR which is being expanded on a regular basis. Very much worth keeping an eye on.
Good information handling makes good business sense. You'll enhance your business's reputation, increase customer and employee confidence, and by making sure personal information is accurate, relevant and safe, save both time and money.
How well do you comply with data protection law: an assessment for small business owners and sole traders | ICO

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
General Data Protection Regulation (GDPR) FAQs for small organisations
In the recent past, anyone who processed personal information had to comply with eight principles, which make sure that personal information is:
  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection​
The GDPR provides the following rights for individuals:
  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision making and profiling.


Personal data breaches can include:
  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

ICO: Examples of Personal Data Breaches
Extracts from recent blog posts
People have a right to have their personal data kept safe, only used in ways that are properly explained to them, and for certain uses of their data, to which they expressly consent.
This is a requirement of the Data Protection Act.
A win for the data protection of UK consumers – WhatsApp signs public commitment not to share personal data with Facebook until data protection concerns are addressed
Hackers should not be getting to core systems in the first place. Privacy by design should be in every part of your information processing, from the hardware and software to the procedures, guidelines, standards, and policies that your organisation has or should have.
Meltdown and Spectre – what should organisations be doing to protect people’s personal data?

ICO: General Guidance on GDPR

General Guidance
  • General Guide: Guide to the General Data Protection Regulation (GDPR)
    • click the link to go to the page where it can be downloaded 
    • click the download option (this gives you options)
    • download the entire guide
  • Data Sharing Code of Practice - this is a link to the DRAFT CODE for the Data sharing code of practice document. This is a link to the Data sharing code consultation survey - PDF version (317.05K)
  • Basic Guidance: Review their basic guidance on how to prepare: Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now
  • Definitions: Read the key definitions section of our Guide to the GDPR.
  • Self-Assessment - to see whether it applies to you - check out the link to Data Protection self assessment and Making data protection your business self assessment
  • Registration: Read Register (notify) under the Data Protection Act. You can Take the quick self-assessment to find out if you need to register
  • The Data Protection Fee: (Feb 2018) New guidance on who has to pay a fee and how it is calculated - see The Data Protection Fee. Note the exemptions (see quote).
  • Data Protection Officers: It's very unlikely that any arts organisation will need to appoint a Data Protection Officer - unless engaged in regular and systematic monitoring of data subjects on a large scale. Read the guidance Data Protection Officers
  • Consent: The consent checklist sets out the steps you should take to seek valid consent under the GDPR.
  • Privacy Notices: You will need to rethink and revise - see Privacy notices under the EU General Data Protection Regulation
  • Legitimate Interests: you are recommended to read:
    • Legitimate interests
    • When can we rely on legitimate interests?
  • The Information Rights Strategy – a blueprint for the Information Commissioner's five-year term in office
You don’t need to pay a fee if you are processing personal data only for one (or more) of the following purposes:

- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer
The Data Protection Fee

ICO: GDPR Guidance for different organisations

  • Small organisations - General Data Protection Regulation (GDPR) FAQs for small organisations
  • Micro-business Owners - a dedicated page on the website - Making data your business PLUS a practical guide (pdf file) to download Eight practical steps for micro business owners and sole traders
  • Charities: General Data Protection Regulation (GDPR) FAQs for charities. There is also a dedicated advice line for small organisations
A good starting place for small businesses - "Eight practical steps for micro business owners and sole traders" pdf file

ICO: Blog posts about GDPR

This is the ICO News Blog - https://iconewsblog.org.uk/​
Key blog posts include:
  • GDPR – sorting the fact from the fiction
  • Consent is not the ‘silver bullet’ for GDPR compliance
  • GDPR – setting the record straight on data breach reporting
  • ICO fee and registration changes next year - read the comments too!

ICO: Enforcement Action

  • Enforcement action lists the variety of actions taken by ICO in relation to inappropriate use of personal data by various organisations - including charities and individuals - in relation to non-compliance with the laws that protect privacy and prevent nuisance phone calls. 
Enforcement action was taken - and fines levied - for one or more of the following reasons:
  • Finding information about you, that you didn’t provide
  • Ranking you based on your wealth
  • Sharing your data with other charities, no matter what the cause


Ireland - Guidance from Irish Data Protection Commissioner

The Data Protection Commission (DPC) is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR), and also has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.
Guidance from the Irish Data Protection Commissioner about GDPR specifically includes:
  • Data Protection and Brexit – Frequently Asked Questions
  • Quick Guide to GDPR Breach Notifications
  • A Practical Guide to Personal Data Breach Notifications under the GDPR
  • Data Breach Trends from the First Year of the GDPR
  • Guide to Data Protection Impact Assessments (DPIAs)
  • Transfers of Personal Data from Ireland to the UK in the Event of a 'No-Deal' Brexit
  • Transfers of Personal Data to Third Countries or International Organisations
  • Limiting Data Subject Rights and the Application of Article 23 of the GDPR
  • Anonymisation and pseudonymisation
  • Guidance on qualifications for DPOs (GDPR)
  • Data Processing Operations that require a Data Protection Impact Assessment
  • Guidance for Controllers on Data Security
  • GDPR Guidance for SMEs
  • Data Security Guidance for Microenterprises
  • A Practical Guide to Controller-Processor Contracts
  • Guidance on Legal Bases for Processing Personal Data
Guidance from the Irish Data Protection Commissioner about Data Protection in general includes:
  • Data Protection Basics
  • Data Subject Access Requests - FAQ
  • Guidance on the Principles of Data Protection
  • Guidance on Cookies and Similar Technologies
  • a dedicated website http://gdprandyou.ie/
  • The GDPR and Microenterprises – A Readiness Guide

GDPR for Dummies by Suzanne Dibble

A book about data protection law for anybody doing business in Europe - no matter where you are located.
Suzanne Dibble is a very switched on lawyer who specialises in small business issues. She created and led the Facebook Group about GDPR for online entrepreneurs which provided most of the answers while it was being introduced. I was on it every day while everybody had their heads down trying to understand the implications.

I've not read this book (it's not yet published) - but I do know that the author has very many fans for her explanations of what you need to know. I have been one of them!
Paperback: 464 pages
Publisher: John Wiley & Sons
DUE DATE: 19 Feb. 2020


Issues for Artists and Art Organisations

What is the General Data Protection Regulation?
What does it mean for your business as an artist?

This section is by no means definitive.
What I've tried to do is find relevant articles by people who have looked at GDPR in terms of
  • its impact on the arts sector
  • in relation to artists (as sole traders), art societies, art galleries and other art organisations.​

Issues for artists and arts organisations

These include:
  • how long should personal data be kept in relation to marketing lists, past collectors, exhibition visitors etc
  • what are the specific issues facing artists et al as sole traders?
  • Is wealth screening banned?
  • what information is it permissible to share?
  • can artists and organisations continue to use existing marketing lists?
Note: There is absolutely no information on the Arts Council website. You can try looking - but for me it gave every appearance of being completely unaware that GDPR is happening and that it has implications for the art sector!
Data consent
Under the new legislation, organisations will need to be able to demonstrate that any data subject has given their explicit consent for their data to be held, or that holding the data is necessary for the following reasons:

  • Performance of a contract to which the subject is party.
  • Compliance with a legal obligation.
  • To protect the vital interests of the data subject or of another natural person.
  • For the performance of a task carried out in the public interest or in the exercise of official authority.
  • For the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
A burden and an opportunity | Arts Professional

Issues for Art Teachers

Data protection law regulates how colleges, universities and other learning providers collect and use information about students, staff and others. It also provides individuals with the right to access information that is held about them.
  • Data Protection | JISC 
If you are employed as an art teacher, your employer will:
  • take on most of the responsibility for data protection
  • instruct you on what you are required to do

If you are an independent provider of art tuition - as either a company or sole trader - you have to implement all the protocols and practices yourself.

This is particularly important in relation to anybody who has recently moved their teaching online.
REFERENCE:
  • JISC is the UK higher, further education and skills sectors’ not-for-profit organisation for digital services and solutions.
  • Data Protection | JISC 


Marketing and fundraising for arts organisations / charities / museums

Use of personal data for marketing or not for profit purposes provides an exemption from having to pay the Data Protection Fee.

However, volunteers are no different to employees in the eyes of GDPR.

  • Data Protection and Art & Cultural Heritage | Collyer Bristow LLP - This article sets out some of the main points for those working in the sector to consider in order to comply with the new regime.
  • GDPR Advice for Areas and Societies (PDF) | The Arts Society (via South West Area) - Unlike most legislation GDPR is “principles based” meaning that interpreting the rules to fit the special circumstances of your own organisation is vital. 
  • GDPR: How to get the job done | Arts Professional - While we may end up having smaller mailing lists, they will be built up of people who are very likely to be the most responsive
  • GDPR and fundraising: Everything you need to know | Arts Professional - Under GDPR, all fundraising is deemed ‘direct marketing’ and charities will require an ‘opt in’ consent for most forms of communication where named individuals are involved.
  • GDPR: how charities should prepare for data protection changes | The Guardian - New regulations affecting fundraising, campaigning and volunteer management come into effect in 2018. Here’s how you can be ready
  • Success Guide - Successfully managing privacy and data regulations in small museums | The  Association of Independent Museums - This guide is for trustees, senior staff and members of staff and volunteers involved in fundraising or marketing. However, it would be useful to share the key points with all staff and volunteers since so many of them will come into contact with data collection and processing in the course of their working week.
....charities can send direct marketing by post or make calls to numbers not registered with the telephone preference service, provided they can satisfy the legitimate interest condition.
GDPR: how charities should prepare for data protection changes ​

Implications for Sole Traders

Things an artist / sole trader / freelancer MUST do include:
  • know and understand the data protection regulations relating to sole traders
  • know and understand whether or not you need to pay the Data Protection Fee
  • know why you collect every aspect of personal data - and that you have a legitimate reason for doing so
  • get consent for the use of people's personal data for reasons other than that for which it was collected
  • make sure you only keep all personal data for as long as it is needed (but remember tax records have to be kept for six years in the UK)
  • keep all personal data secure
  • never ever share or publicise personal data (e.g. by sharing emails using the cc box) except with those who have a legal and legitimate "need to know"
  • make sure that people can find out what personal data you hold about them
You MUST include a privacy notice when collecting personal data / on your website / online store

Download the PRIVACY NOTICE TEMPLATE produced by ICO (Word file)



REFERENCE​
  • What GDPR means for Photographers, Illustrators, Reps and Stock Agencies | bikinilists​
  • GDPR: how can I email data securely to comply with the new regulations? | The Guardian - list of things sole traders need to make sure they do


Do people know you have their personal data and understand how you use it?
ICO Self assessment questions quiz
  • Do you tell people how you use their personal data? 
  • Do you tell people if you’re sharing their data?
  • Do you tell people what you plan to do with their data either in paper form, such as using leaflets or posters, or online through a privacy notice or statement?

If so, does this privacy notice or statement include all the below information: 
  • The name of your business and the person responsible for data protection.
  • Why you hold the personal data (your lawful basis) and what you do with it.
  • Where you got the data from.
  • Who you share the data with and how you do this, including any sharing outside the UK.
  • How long you keep the data for.
  • How people can request access to, or correction or deletion of, their data.
  • How to complain to the ICO.
  • Whether you make automated decisions or do profiling based on the data you hold.
Art Galleries and Art Dealers
  • A secretive art world grapples with data protection legislation | Financial Times

Data Breaches

It is a criminal offence for anyone to knowingly or recklessly obtain (or disclose) information about someone from a data controller without its consent. 
Some examples of what art organisations (art societies and art galleries) do - without thinking first!
  • An email sent to me about an event by an organisation acting on behalf of an art society disclosed its complete mailing list and all the e-mail addresses on it to everybody on that mailing list.
  • Another art society recently sent me its handbook. It contained every member's name, address, telephone number and e-mail address. Apart from the fact that I don't need all of this information, it represents a fraudster's dream come true.
  • An art society had a laptop stolen recently. It contained all the personal contact details of all its members. The data was not encrypted.
  • A fourth (and fifth and sixth and seventh....) art society lists the home addresses and telephone numbers of all its members in the brochure for its annual exhibition - distributed without making a note of who gets it.

Advice from Bloggers

  • What the Heck is GDPR? (and How to Make Sure Your Blog Is Compliant) | Smart Blogger
  • The Blogger's Guide to GDPR | pipdig
When looking at most normal blogs, personal data will include:
  • Blog post comments data (name, email, IP)
  • Traffic stats plugins/tools such as Google Analytics
  • 3rd party hosted services such as Jetpack, Bloglovin' and Disqus
  • Email signup forms such as Mailchimp or FeedBurner
  • Contact forms
  • Issues relating to the location of your web host. E.g. data is transferred to servers outside the EU
  • The Blogger's Guide to GDPR

Articles / Advice from Art People

  • Protecting our members and users data: GDPR and what we are doing | Axis Web - which is making changes to policies, processes, services and systems to ensure that AxisWeb complies with GDPR and continues to put data protection first.
  • Got the GDPR Jitters? 10 things you need to know as an artist / art society / art gallery | Making A Mark - an overview of some of the things you need to know
  • Is your art organisation or business ready for GDPR - the replacement of the Data Protection Act? | Making A Mark
  • Art societies and art galleries - data protection, privacy and you | Making A Mark - a blog post published in 2008 (so predates GDPR) but relevant as to basic concepts re. behaviour - see extract below.
  • Want your personal data to be safe? | Be Smart about Art 
Four questions for you - and your art society and/or art gallery:

1. Does your art society and/or art gallery understand that it has to protect personal data relating to individuals?

2. Are the administrators 'data protection aware'?

3. Do they process personal information about individuals in a secure way?

4. Are the officers of your art society / managers of your art gallery aware of their legal responsibilities under data protection legislation?


GDPR and Specific Personal Data Processors

All agencies which you transact with and which process personal data of EU residents MUST be compliant with GDPR - or else you should NOT use them.

Artists and art organisations rely on third parties to help them with specific functions, e.g. receiving/making payments, sending emails and newsletters, and marketing and promoting their art. All of these third parties must also comply with ALL the GDPR requirements relevant to them. If their business is data processing then they may have additional requirements.

Cookies generally

(30): “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Recital 30 of the GDPR
What do we need to do to comply?
The rules on cookies are in regulation 6. The basic rule is that you must:
- tell people the cookies are there;
- explain what the cookies are doing and why; and
- get the person’s consent to store a cookie on their device.
  • Cookies and similar technologies | ICO (UK)
Cookies which identify individuals are considered to be personal data.

The majority of cookies are used to identify users. These include cookies for analytics, advertising and functional services, such as survey and chat tools. They therefore count as personal data within GDPR - which is why so many people started analysing cookies and then designing precise controls for them. Not that every website has made that clear...

These sites are helpful in explaining cookies and are included by a number of websites as a way of providing extra information for consumers.
REFERENCE:
  • Giving consent to cookies | Cookiepedia
  • GDPR and cookies | Cookiebot
  • Cookie script
  • Cookies and similar technologies | ICO (UK)
  • How the GDPR affects cookie policies | IT Governance European Blog

APPLE

This is
  • Apple's Privacy section on its website
  • the new Apple Privacy Policy

Google

Google has a website related to Businesses and Data Protection and Privacy which makes various commitments.
Google states that it is committed to complying with applicable data protection laws.
Learn more about Google's commitment to GDPR here.
This covers:
  • ISO 27001 (Information security management)
  • ISO 27017 (Cloud security)
  • ISO 27018 (Cloud privacy)
  • SSAE16/ISAE 3402
  • Privacy Shield
  • FedRAMP
  • PCI DSS (Payment Card Industry Data Security Standard)
GOOGLE'S STATEMENT RE.
Our commitment to GDPR
We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR). Keeping users’ information safe and secure is among our highest priorities at Google. Over the years, we have spent a lot of time working closely with Data Protection Authorities in Europe, and we have already implemented strong privacy protections that reflect their guidance. We are committed to complying with the new legislation and will collaborate with partners throughout this process.
  • Updated terms
  • CMO checklist
  • Robust safeguards
  • Incident response
  • User transparency
  • International transfers
  • Privacy practices
Google is committed to complying with the EU General Data Protection Regulation (GDPR) for G Suite and Google Cloud Platform services.

Google AdSense

Changes to our ad policies to comply with the GDPR March 22, 2018 - we will be updating our EU consent policy when the GDPR takes effect and the revised policy will require that publishers take extra steps in obtaining consent from their users

Google Cloud

  • Google Cloud & the General Data Protection Regulation - some aspects you may want to consider when conducting your assessment of G Suite and Google Cloud Platform services.
  • GOOGLE CLOUD & THE GDPR WHITEPAPER 

Google Blogger

This is the statement which appeared on Google's Blogger blogs on 25th May 2018.
This is the link in the notice to Google's statement on Cookies notification in European Union countries

Google and cookies

Google references this site with respect to cookies and Helping publishers and advertisers with consent
http://www.cookiechoices.org/

Google EU Consent Policy

This page is all about the Google EU Consent Policy

ONLINE PAYMENTS - PayPal

  • What has PayPal done about GDPR? - my blog post starting to take a look at changes made by PayPal
  • PayPal has Policy Updates - this covers upcoming changes 
  • Notice of amendment to the PayPal User Agreement. Effective Date: May 25, 2018 (i.e. GDPR Implementation date) - this includes changes relevant to the 1. Control and protection of personal data
  • Notice of amendment to the PayPal Privacy Policy Effective Date: May 25, 2018 - find the amended PayPal Privacy Policy 

ONLINE PAYMENTS - Square Inc.

  • GDPR FAQs | Square - Includes "How Do I Know if the Processing of Personal Data Is GDPR Compliant?"

CONTACTS - Mailchimp

  • Getting Ready for the GDPR (Oct 2017) - outlines what they are doing
  • A GDPR guide for Mailchimp customers
  • New MailChimp Tools to Help with the GDPR
Please note that posts and guide are for informational purposes only, and should not be considered legal advice.

CONTACTS - AWeber

AWeber does NOT currently recognise the General Data Protection Regulation. When using the term (and GDPR) in its search facility there were no results. My conclusion is AWeber is not GDPR compliant.
  • Maybe they read the above? This is their latest blog post Your GDPR + Email Marketing Playbook: How to Prepare for the New EU Data Law

CONTACTS - Feedblitz

  • FeedBlitz’s GDPR Resources

CONTACTS - (Google) Feedburner

  • Absolutely nothing about GDPR! Mind you they made no announcements re. the changes they made re. accepting https feeds....

DATA - Dropbox

  • Dropbox's GDPR guidance centre - states it will be compliant by due date
  • Top 8 Tips for GDPR Compliance
  • Feed for Dropbox Blog Posts about GDPR

DATA - WeTransfer

  • GDPR Compliance - seem rather more laid back compared to Dropbox but indicate they intend to be compliant by due date

3rd Party Sales - Etsy

Artists who sell their art via Etsy will be REQUIRED to create and comply with their own GDPR-compliant privacy policy.
  • Site Update: Update on the European Union Privacy Regulation and Etsy Policies
  • email update notice - updating its policies and rules as from 23rd May 2018

SOCIAL MEDIA - Twitter

  • Updates to our Terms of Service and Privacy Policy
  • Privacy Policy - Update as from 25 May 2018

WEBSITES - Squarespace

  • GDPR and Squarespace | Squarespace Help - constantly updates a blog post about developments on GDPR implemented by Squarespace - PLUS advice for those using Squarespace websites as to what they should be doing. The guide is available as a resource, but should not be construed or relied upon as legal advice.
  • Squarespace Privacy Policy - updated 14 May 2018

WEBSITES - Weebly

  • GDPR - FAQ | Weebly Support Centre - This ONLY addresses the facts of GDPR for the website owner. It makes no statement as to whether or not Weebly is compliant with GDPR. Given that this website is built on Weebly I'm more than a little concerned about this and am sending them regular emails asking for more PUBLIC information re. THEIR compliance.
  • Weebly Privacy Policy - updated 23 May 2015

WEBSITES - Wix

  • General Data Protection Regulation (GDPR) | Wix Help Centre - This is the Wix Statement on how it is addressing GDPR
  • Wix Privacy Policy - effective 10 May 2018

Data Protection: A Practical Guide to UK and EU law by Peter Carey
An authoritative handbook about the law on data protection in the UK and EU - but not cheap!
The guide is a very welcome publication and brings together commentary on data protection legislation from a variety of sources. There are a number of contributors to the guide, all of whom are highly regarded and active in their field and this is apparent through their practical and insightful application of data protection law throughout the guide. The foreword from the information commissioner, Elizabeth Denham, adds further weight to the guide which, as the synopsis suggests, is an invaluable handbook for all data protection practitioners. (David White, New Law Journal)
Paperback: 410 pages
Publisher: Oxford University Press
Edition: 5th 
Publication date: 1 May 2018
Data Protection: A Practical Guide to UK and EU law from Amazon.co.uk
Data Protection: A Practical Guide to UK and EU Law from Amazon.com

GDPR Advice - Other Sources

GDPR Facebook Groups

The following are Facebook Groups that have been set up to review and address issues associated with GDPR. Bear in mind that the bulk of discussions will be of no relevance to art organisations or artists - but many of the issues that other organisations and sole traders face are broadly similar.
  • EU GDPR (General Data Protection Regulation) & E-Privacy Regulation (Closed Group) - you MUST respond to the three joining questions to gain membership; it's clear they are very anti-spam!
  • GDPR For Online Entrepreneurs (UK, US, CN, AU) (Closed Group) - RECOMMENDED, set up by Suzanne Dibble, the Small Business Law Expert. It collected 7,000 members in just 4 weeks!
  • GDPR - shared resources (Public Group)

Advice from Lawyers

When reviewing advice from lawyers, look at what expertise they have for providing advice about GDPR.

Be mindful of WHEN the advice was produced and whether it has been superseded by any official information which either clarifies or updates official guidance on topics or interpretation.
  • Don’t Be Afraid of the GDPR Wolf – What is GDPR? | Suzanne Dibble (The Small Business Law Expert) - a UK trained/based lawyer who is attuned to the online business world. She also set up one of the Facebook Groups. When not doing GDPR her legal practice niche is mums in business
  • GDPR legal advice: lawyers give their top tips for GDPR preparation | Computer World UK (magazine) - a round-up of tips from lawyers
  • Enforcement and sanctions under the GDPR | Taylor Wessing - sets out the powers, including issuing fines, of the Supervisory Authorities under the GDPR

GDPR for online entrepreneurs - busting the myths, the sensible approach

The video below provides a two-hour training session - one for those who need to focus on what GDPR means.
There is a lot of hype around GDPR and the headline busting €20m fines for business owners that don't comply. Multi-award winning business lawyer and data protection expert Suzanne Dibble busts the myths on GDPR, sets out clearly what you really need to know and shows you the simple steps you need to take for compliance.

GDPR FAQs

  • General Data Protection Regulation | Wikipedia
  • GDPR Summary of Key Changes - An overview of the main changes under GDPR and how they differ from the previous directive
  • GDPR FAQS: Frequently Asked Questions about the incoming GDPR. This is a good place to start
  • What is GDPR? | Thorntons (lawyers)

Articles / Advice / Blogging about GDPR from Generic Sources

Blog posts can be very useful sources of alternative perspectives and information tailored to specific circumstances rather than reiterations of the official guidance.

Business Bloggers

  • GDPR What You Need To Know For Your Small Business | Yvonne Radley's Big Me Up Media - looks to me like she's feeling her way along with the rest of us! 


Newspapers

What is GDPR and how does it affect you? | The Guardian - an article written for the week in which GDPR comes into force

ABOUT ART BUSINESS INFO. FOR ARTISTS
This website aims to provide a compendium of resources about the art business for artists. Please read "PLEASE NOTE"

It helps artists learn how to do better at being business-like, marketing and selling their art and looking after their financial security.
Copyright: 2015-2021 Katherine Tyrrell | Making A Mark Publications - all rights reserved
PLEASE NOTE:
1) Content and the law change all the time. It's impossible to keep up with it if you're not working on the topic full time.
2) I research topics carefully. However, I am totally unable to warrant that ANY and/or ALL information is
  • complete and/or
  • professional and/or
  • wholly accurate and/or
  • all links lead to the most current information (at the time of writing)
3) Hence all information I provide comes without any LIABILITY whatsoever to you for any choices you make.
4) This website is FREE FOR YOU but not for me. Links to books are Amazon Affiliate links. Buying a book via this website means I get a very small payment which helps to fund and maintain this website. I much appreciate any support you provide. Adverts are provided by Google AdSense - but the adverts do not mean I endorse the advertiser.