General Data Protection Regulation - A Resource in Progress

The General Data Protection Regulation came into effect on 25 May 2018.
It relates to people's PERSONAL DATA - data that helps identify an individual

​It affects all businesses (including sole traders) in the EU,
AND
ALL businesses outside the EU
who collect and/or process and/or store personal data relating to EU residents

Below I'm trying to put together a resource for
artists, art societies, art galleries and other organisations who need to make sure they comply.
Any business that handles personal data, even micro-businesses with fewer than ten staff, will have to follow new data protection rules from 25 May 2018.

​Index to a resource in progress

My aim is to provide a set of resources for artists and arts organisations to read and reference as they prepare to make sure they comply with this new and more rigorous approach to data protection for people living in the EU
To start with, this is going to be pretty much a list of resources - but I'll aim to extract and organise information as issues that need to be addressed become clearer.
The quotations below (in blue) highlight and focus on key facts and statements made to date.
Topics covered below include:

OFFICIAL SOURCES OF INFORMATION - including enforcement action taken
  • The European GDPR Information Portal
  • UK - The Information Commissioner
  • Ireland - The Irish Data Protection Commissioner
ISSUES FOR ARTISTS & ART ORGANISATIONS
  • collection / retention / storage of personal data
  • contact marketing lists
  • Marketing and fundraising for arts organisations / charities / museums
  • implications for artists as sole traders
  • data breaches by artists and art organisations
  • advice from artists & art organisations
GDPR AND SPECIFIC PERSONAL DATA PROCESSORS 
  • Including: Apple; Google; Paypal, Square; 
  • Contacts systems including: Mailchimp, AWeber, Feedblitz, Feedburner
  • Data: Dropbox, WeTransfer
  • 3rd Party Sales: Etsy
  • Social Media: Twitter
  • Websites: Squarespace; Weebly; Wix
GDPR ADVICE - OTHER SOURCES
  • GDPR Facebook Groups
  • Advice from Lawyers
  • Blogging about GDPR
DISCLAIMER: I am NOT an expert on this topic - even if I know more than you!  Nothing stated on this page is legal advice.
Like you I'm just trying to work my way through the maze of online information about GDPR. Hence this resource should NOT be construed or relied upon as legal advice. You are not my client and I do not know your individual circumstances - meaning I have no liability to you in any circumstances should you choose to rely on any of the materials on this page - although whatever is published by the ICO should be more authoritative than most. 
More formally - This is a education portal and the information contained within this portal does in no way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.

Official Sources of Information

The General Data Protection Regulation
  • adopted by the European Union on 27 April 2016.
  • became enforceable as from 25 May 2018.
  • It is a REGULATION i.e. directly binding on all concerned (i.e. NOT OPTIONAL!)
  • a single set of rules applies to all EU member states.
  • It extends the scope of EU data protection law to ALL FOREIGN ENTITIES offering goods or services to EU residents or processing data of EU residents - irrespective of where they are based and irrespective of where the data processing takes place.
  • data may not be processed unless there is at least one lawful basis to do so - and it can ONLY be processed for the lawful purpose for which it was collected.
  • various sanctions - including fines - can be applied to data breaches
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What is personal data?
Personal data includes:
  • anything that identifies an individual - even if you don't know their name
  • factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What constitutes personal data? 
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. Frequently Asked Questions about the incoming GDPR | EUGDPR.org

Guidance from The EU on GDPR 

Data protection in the EU

Data Protection | EU - the main portal to all relevant information - including 
Relevant Legislation including 
  • The General Data Protection Regulation (GDPR)Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • The Data Protection Law Enforcement Directive Directive (EU) 2016/680 on the protection of natural persons regarding processing of personal data connected with criminal offences or the execution of criminal penalties, and on the free movement of such data.
National data protection authorities EU countries have set up national bodies responsible for protecting personal data
REFERENCE:

Data transfers outside the EU

EU Justice and Fundamental Rights

  • National Data Protection Authorities - a listing of all the National Data Protection Authorities for each EU Country. These, in turn will have information like that produced by ICO for the UK - see below.

European Union Agency for Fundamental Rights and Council of Europe 

Handbook on European data protection law by the European Union Agency for Fundamental Rights (PDF)
  • The manuscript for this handbook was completed in April 2018.
  • Updates will become available in future on the FRA website at fra.europa.eu, the Council of Europe website at coe.int/dataprotection, on the European Court of Human Rights website under the Case Law menu at echr.coe.int, and on the European Data Protection Supervisor website at edps.europa.eu

UK - Guidance from The Information Commissioner

The Information Commissioner's website has extensive information about GDPR which is being expanded on a regular basis. Very much worth keeping an eye on.
The law on data protection says what you should do when you collect, use, store or do anything else with people’s personal data. This law changes on 25 May 2018. 
Making data protection your business | ICO
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.​
General Data Protection Regulation (GDPR) FAQs for small organisations
In the recent past the eight principles for processing personal information are that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection
The GDPR provides the following rights for individuals:
  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision making and profiling.
Personal data breaches can include:
  • - access by an unauthorised third party;
  • - deliberate or accidental action (or inaction) by a controller or processor;
  • - sending personal data to an incorrect recipient;
  • - computing devices containing personal data being lost or stolen; 
  • - alteration of personal data without permission; and
  • - loss of availability of personal data.

    ICO: Examples of Personal Data Breaches
Extracts from recent blog posts
People have a right to have their personal data kept safe, only used in ways that are properly explained to them, and for certain uses of their data, to which they expressly consent.
​This is a requirement of the Data Protection Act.
A win for the data protection of UK consumers – WhatsApp signs public commitment not to share personal data with Facebook until data protection concerns are addressed
Hackers should not be getting to core systems in the first place. Privacy by design should be in every part of your information processing, from the hardware and software to the procedures, guidelines, standards, and polices that your organisation has or should have.
Meltdown and Spectre – what should organisations be doing to protect people’s personal data?

ICO: General Guidance on GDPR

​General Guidance
You don’t need to pay a fee if you are processing personal data only for one (or more) of the following purposes:

- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
​- Processing personal information without an automated system such as a computer 
The Data Protection Fee

ICO: GDPR Guidance for different organisations

Picture
A good starting place for small businesses - "Eight practical steps for micro business owners and sole traders" pdf file

ICO: Blog posts about GDPR

This is the ICO News Blog - https://iconewsblog.org.uk/​
Key blog posts include:

ICO: Enforcement Action

  • Charity fundraising enforcement action lists actions taken by ICO in relation to inappropriate use of personal data by charities and charities’ non-compliance with the laws that protect privacy and prevent nuisance phone calls. 11 charities were fined in April 2017
Enforcement action was taken - and fines levied - for one or more of the following reasons:

Ireland - Guidance from Irish Data Protection Commissioner

ADVERT

Issues for Artists and Art Organisations

What is the General Data Protection Regulation?
What does it mean for your business as an artist?
This section is by no means definitive
What I've tried to do is find relevant articles by people who have looked at GDPR in terms of
  • its impact on the arts sector
  • in relation to artists (as sole traders), art societies, art galleries and other art organisations.​

Issues for artists and arts organisations

These include:
  • how long should personal data be kept in relation to marketing lists, past collectors, exhibition visitors etc
  • what are the specific issues facing artists et al as sole traders?
  • Is wealth screening banned?
  • what information is it permissible to share?
  • can artists and organisations continue to use existing marketing lists?
Note: There is absolutely no information on the Arts Council website. You can try looking - but for me it gave every appearance of being completely unaware that GDPR is happening and that it has implications for the art sector!
Data consent
Under the new legislation, organisations will need to be able to demonstrate that any data subject has given their explicit consent for their data to be held, or that holding the data is necessary for the following reasons:
  • - Performance of a contract to which the subject is party.
  • - Compliance with a legal obligation.
  • - To protect the vital interests of the data subject or of another natural person.
  • - For the performance of a task carried out in the public interest or in the exercise of official authority. 
  • - For the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  • A burden and an opportunity | Arts Professional

Marketing and fundraising for arts organisations / charities / museums

Use of personal data for marketing or not for profit purposes provides an exemption from having to pay the Data Protection Fee. However volunteers are no different to employees in the eyes of GDPR.
....charities can send direct marketing by post or make calls to numbers not registered with the telephone preference service, provided they can satisfy the legitimate interest condition.
GDPR: how charities should prepare for data protection changes 

Implications for Sole Traders

Things an artist / sole trader / freelancer MUST do includes:
  • know and understand the data protection regulations relating to sole traders
  • know and understand whether or not you need to pay the Data Protection Fee
  • ​know why you collect every aspect personal data - and that you have a legitimate reason for doing so
  • get consent for the use of people's personal data for reasons other than that for which it was collected
  • make sure you only keep all personal data for as long as it is needed (but remember tax records have to be kept for six years in the UK)
  • keep all personal data secure
  • never ever share or publicise personal data (e.g. by sharing emails using the cc box) except with those who have a legal and legitimate "need to know"
  • make sure that people can find out what personal data you hold about them
You MUST include a privacy notice when collecting personal data / on your website / online store

Download the PRIVACY NOTICE TEMPLATE produced by ICO (Word file)



REFERENCE​
Do people know you have their personal data and understand how you use it?
ICO Self assessment questions quiz 
  • Do you tell people how you use their personal data? 
  • Do you tell people if you’re sharing their data?
  • Do you tell people what you plan to do with their data either in paper form, such as using leaflets or posters, or online through a privacy notice or statement?

If so, does this privacy notice or statement include all the below information: 
  • The name of your business and the person responsible for data protection.
  • Why you hold the personal data (your lawful basis) and what you do with it.
  • Where you got the data from.
  • Who you share the data with and how you do this, including any sharing outside the UK.
  • How long you keep the data for.
  • How people can request access to, or correction or deletion of, their data.
  • How to complain to the ICO.
  • Whether you make automated decisions or do profiling based on the data you hold.
Art Galleries and Art Dealers
Data Breaches

It is a criminal offence for anyone to knowingly or recklessly obtain (or disclose) information about someone from a data controller without its consent. 
Some examples of what art organisations (art societies and art galleries do) - without thinking first!
  • An email sent to me about an event by an organisation acting on behalf of an art society disclosed its complete mailing list and all the e-mail addresses on it to everybody on that mailing list.
  • Another art society recently sent me its handbook. It contained every member's name, address, telephone number and e-mail address. Apart from the fact that I don't need all of this information, it represents a fraudster's dream come true.
  • An art society had a laptop stolen recently. It contained all the personal contact details of all its members. The data was not encrypted.
  • A fourth (and fifth and sixth and seventh....) art society lists the home addresses and telephone numbers of all its members in the brochure for its annual exhibition - distributed without making a note of who gets it.

Art Bloggers
​The Blogger’s Guide to GDPR 

Articles / Advice ​from Art People
Four questions for you - and your art society and/or art gallery:

1. Does your art society and/or art gallery understand that it has to protect personal data relating to individuals?

2. Are the administrators 'data protection aware'?

3. Do they process personal information about individuals in a secure way?

4. Are the officers of your art society / managers of your art gallery aware of their legal responsibilities under data protection legislation?
ADVERT

GDPR and Specific Personal Data Processors

All agencies which you transact with and which processes personal data of EU residents MUST be compliant with GDPR - or else you should NOT use them.

Artists and art organisations rely on third parties to help them with specific functions eg receiving/making payments; sending emails and newsletters, marketing and promoting their art.  All of these third parties must also comply with ALL the GDPR requirements relevant to them. If their business is data processing then they may have additional requirements.

Cookies generally

(30): “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Recital 30 of the GDPR
What do we need to do to comply?
The rules on cookies are in regulation 6. The basic rule is that you must:
- tell people the cookies are there;
- explain what the cookies are doing and why; and
- get the person’s consent to store a cookie on their device.
Cookies which identify individuals are considered to be personal data.

The majority of cookies are used to identify users. These include cookies for analytics, advertising and functional services, such as survey and chat tools. They therefore count as personal data within GDPR - which is why so many people started analysing cookies and then designing precise controls for them. Not that every website has made that clear...

​These sites are helpful in explaining cookies and are included by a number of websites as a way of providing extra information for consumers
REFERENCE:

APPLE

This is

Google

Google has a website related to Businesses and Data Protection and Privacy which makes various commitments
Google states that it is committed to complying with applicable data protection laws
Learn more about Google's commitment to GDPR here.
This covers:
  • ISO 27001 (Information security management)
  • ISO 27017 (Cloud security)
  • ISO 27018 (Cloud privacy)
  • SSAE16/ISAE 3402
  • Privacy Shield
  • FedRAMP
  • PCI DSS (Payment Card Industry Data Security Standard)
GOOGLE'S STATEMENT RE.
Our commitment to GDPR
We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR). Keeping users’ information safe and secure is among our highest priorities at Google. Over the years, we have spent a lot of time working closely with Data Protection Authorities in Europe, and we have already implemented strong privacy protections that reflect their guidance. We are committed to complying with the new legislation and will collaborate with partners throughout this process.
  • Updated terms
  • CMO checklist
  • Robust safeguards
  • Incident response
  • User transparency
  • International transfers
  • Privacy practices
Google is committed to complying with the EU General Data Protection Regulation (GDPR) for G Suite and Google Cloud Platform services.

Google AdSense

Changes to our ad policies to comply with the GDPR March 22, 2018 - we will be updating our EU consent policy when the GDPR takes effect and the revised policy will require that publishers take extra steps in obtaining consent from their users

Google Cloud

Google Blogger

This is the statement which appeared on Google's Blogger blogs on 25th May 2018.
This is the link in the notice to Google's statement on Cookies notification in European Union countries

Google and cookies

Google references this site with respect to cookies ​and Helping publishers and advertisers with consent
http://www.cookiechoices.org/

Google EU Consent Policy

This page is all about the Google EU Consent Policy

ONLINE PAYMENTS - PayPal

  • What has PayPal done about GDPR? - my blog post starting to take a look at changes made by PayPal
  • PayPal has Policy Updates - this covers upcoming changes 
  • Notice of amendment to the PayPal User Agreement. Effective Date: May 25, 2018 (i.e. GDPR Implementation date) - this includes changes relevant to the 1. Control and protection of personal data
  • Notice of amendment to the PayPal Privacy Policy Effective Date: May 25, 2018 - find the amended PayPal Privacy Policy 

ONLINE PAYMENTS - Square Inc.

  • GDPR FAQs | Square - Includes "How Do I Know if the Processing of Personal Data Is GDPR Compliant?"

CONTACTS - Mailchimp

Please note that posts and guide are for informational purposes only, and should not be considered legal advice. 

CONTACTS - AWeber

AWeber does NOT currently recognise the General Data Protection Regulation. When using the term (and GDPR) in its search facility there were no results. My conclusion is AWeber is not GDPR compliant.
  • Maybe they read the above? This is their latest blog post ​Your GDPR + Email Marketing Playbook: How to Prepare for the New EU Data Law

CONTACTS - Feedblitz

CONTACTS - (Google) Feedburner

  • Absolutely nothing about GDPR! Mind you they made no announcements re. the changes they made re. accepting https feeds....

DATA - Dropbox

DATA - WeTransfer

  • GDPR Compliance - seem rather more laid back compared to Dropbox but indicate they intend to be compliant by due date

3rd Party Sales - Etsy

Artists who sell their art via Etsy will be REQUIRED to create and comply with their own GDPR-compliant privacy policy.

WEBSITES - Squarespace

  • GDPR and Squarespace | Squarespace Help - constantly updates a blog post about developments on GDPR implemented by Squrespace - PLUS advice for those using Squarespace websites as to what they should be doing. The guide is available as a resource, but should not be construed or relied upon as legal advice.
  • Squarespace Privacy Policy - updated 14 May 2018

Websites - Weebly

  • GDPR - FAQ | Weebly Support Centre - This ONLY addresses the facts of GDPR for the website owner. It makes no statement as to whether or not Weebly is compliant with GDPR. Given that this website is built on Weebly I'm more than a little concerned about this and am sending them regular emails asking for more PUBLIC information re. THEIR compliance.
  • Weebly Privacy Policy - updated 23 May 2015

WEBSITES - Wix

GDPR Advice - Other Sources

GDPR Facebook Groups

The following are Facebook Groups that have been set up to review and address issues associated with GDPR. Bear in mind that the bulk of discussions will of no relevance to art organisations or artists - but many of the issues that other organisations and sole traders face are broadly similar.

Advice from Lawyers

When reviewing advice from lawyers look at what their expertise is to be providing advice about GDPR.

Be mindful of WHEN the advice was produced and whether it has been superseded by any official information which either clarifies or updates official guidance on topics or interpretation.

GDPR for online entrepreneurs - busting the myths, the sensible approach

The video below provides a two hour training session - one for those who need to focus on what GDPR means
There is a lot of hype around GDPR and the headline busting €20m fines for business owners that don't comply. Multi-award winning business lawyer and data protection expert Suzanne Dibble busts the myths on GDPR, sets out clearly what you really need to know and shows you the simple steps you need to take for compliance.

GDPR FAQs

Articles / Advice / Blogging about GDPR from Generic Sources

Blog posts can be very useful sources of alternative perspectives and information tailored to specific circumstances rather than reiterations of the official guidance.

Business Bloggers

Newspapers

What is GDPR and how does it affect you? | The Guardian - and article written for the week in which GDPR comes into force