General Data Protection Regulation - A Resource in Progress

The General Data Protection Regulation comes into effect on 25 May 2018.

It relates to people's PERSONAL DATA - data that helps identify an individual

​It affects all businesses (including sole traders) in the EU,
AND businesses outside the EU
who collect and/or process and/or store personal data relating to EU residents

Below I'm trying to put together a resource for artists, art societies, art galleries and other organisations
who need to make sure they comply.
The law on data protection says what you should do when you collect, use, store or do anything else with people’s personal data. This law changes on 25 May 2018. 
Making data protection your business | ICO
Any business that handles personal data, even micro-businesses with fewer than ten staff, will have to follow new data protection rules from 25 May 2018.

​Index to a resource in progress

Topics covered below include:

OFFICIAL SOURCES OF INFORMATION
  • The European GDPR Information Portal
  • UK - The Information Commissioner
  • Ireland - The Irish Data Protection Commissioner
ISSUES FOR ART ORGANISATIONS
  • fundraising
  • contact marketing lists
GDPR AND SPECIFIC PERSONAL DATA PROCESSORS 
  • Paypal,
  • Mailchimp
GDPR FACEBOOK GROUPS
ADVICE FROM LAWYERS
ADVICE FROM ARTS ORGANISATIONS
BLOGGING ABOUT GDPR
My aim is to provide a set of resources for artists and arts organisations to read and reference as they prepare to make sure they comply with this new and more rigorous approach to data protection for people living in the EU

To start with, this is going to be pretty much a list of resources - but I'll aim to extract and organise information as issues that need to be addressed become clearer.

The quotations below (in blue) highlighted focus on key facts and statements made to date.
DISCLAIMER: I am NOT an expert on this topic - even if I know more than you!  Nothing stated on this page is legal advice.
Like you I'm just trying to work my way through the maze of online information about GDPR. Hence this resource should NOT be construed or relied upon as legal advice. You are not my client and I do not know your individual circumstances - meaning I have no liability to you in any circumstances should you choose to rely on any of the materials on this page - although whatever is published by the ICO should be more authoritative than most. 

Official Sources of Information

The General Data Protection Regulation
  • adopted by the European Union on 27 April 2016.
  • becomes enforceable from 25 May 2018.
  • It is a REGULATION i.e. directly binding on all concerned (i.e. NOT OPTIONAL!)
  • a single set of rules applies to all EU member states.
  • It extends the scope of EU data protection law to ALL FOREIGN ENTITIES offering goods or services to EU residents or processing data of EU residents - irrespective of where they are based and irrespective of where the data processing takes place.
  • data may not be processed unless there is at least one lawful basis to do so - and it can ONLY be processed for the lawful purpose for which it was collected.
  • various sanctions can be applied to data breaches
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What is personal data?
Personal data includes:
  • anything that identifies an individual - even if you don't know their name
  • factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What constitutes personal data? 
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. Frequently Asked Questions about the incoming GDPR | EUGDPR.org

The EU GDPR Portal


EU Justice and Fundamental Rights

  • National Data Protection Authorities - a listing of all the National Data Protection Authorities for each EU Country. These, in turn will have information like that produced by ICO for the UK - see below.

UK - Guidance from The Information Commissioner

The Information Commissioner's website has extensive information about GDPR which is being expanded on a regular basis. Very much worth keeping an eye on.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.​
General Data Protection Regulation (GDPR) FAQs for small organisations
In the recent past the eight principles for processing personal information are that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection
The GDPR provides the following rights for individuals:
  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision making and profiling.
Personal data breaches can include:
  • - access by an unauthorised third party;
  • - deliberate or accidental action (or inaction) by a controller or processor;
  • - sending personal data to an incorrect recipient;
  • - computing devices containing personal data being lost or stolen; 
  • - alteration of personal data without permission; and
  • - loss of availability of personal data.

    ICO: Examples of Personal Data Breaches
Extracts from recent blog posts
People have a right to have their personal data kept safe, only used in ways that are properly explained to them, and for certain uses of their data, to which they expressly consent.
​This is a requirement of the Data Protection Act.
A win for the data protection of UK consumers – WhatsApp signs public commitment not to share personal data with Facebook until data protection concerns are addressed
Hackers should not be getting to core systems in the first place. Privacy by design should be in every part of your information processing, from the hardware and software to the procedures, guidelines, standards, and polices that your organisation has or should have.
Meltdown and Spectre – what should organisations be doing to protect people’s personal data?

ICO: General Guidance on GDPR

​General Guidance
You don’t need to pay a fee if you are processing personal data only for one (or more) of the following purposes:

- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
​- Processing personal information without an automated system such as a computer 
The Data Protection Fee

ICO: GDPR Guidance for different organisations

Picture
A good starting place for small businesses - "Eight practical steps for micro business owners and sole traders" pdf file

ICO: Blog posts about GDPR

ICO: Enforcement Action
This is the ICO News Blog - https://iconewsblog.org.uk/​
Key blog posts include:
  • Charity fundraising enforcement action lists actions taken by ICO in relation to inappropriate use of personal data by charities and charities’ non-compliance with the laws that protect privacy and prevent nuisance phone calls. 11 charities were fined in April 2017
Enforcement action was taken - and fines levied - for one or more of the following reasons:

Ireland - Guidance from Irish Data Protection Commissioner

Wiki Sources

NOT OFFICIAL - but still a good place to start for an overview
ADVERT

Issues for Artists and Art Organisations

What is the General Data Protection Regulation and what does it mean for your business as an artist?

This section is by no means definitive - however I'm trying to find relevant articles by people who have looked at GDPR in terms of its impact on the arts sector - and in particular for artists (as sole traders), art societies, art galleries and other art organisations.​

Issues for artists and arts organisations

These include:
  • how long should personal data be kept in relation to marketing lists, past collectors, exhibition visitors etc
  • what are the specific issues facing artists et al as sole traders?
  • Is wealth screening banned?
  • what information is it permissible to share?
  • can artists and organisations continue to use existing marketing lists?
Note: There is absolutely no information on the Arts Council website. You can try looking - but for me it gave every appearance of being completely unaware that GDPR is happening and that it has implications for the art sector!
Data consent
Under the new legislation, organisations will need to be able to demonstrate that any data subject has given their explicit consent for their data to be held, or that holding the data is necessary for the following reasons:
  • - Performance of a contract to which the subject is party.
  • - Compliance with a legal obligation.
  • - To protect the vital interests of the data subject or of another natural person.
  • - For the performance of a task carried out in the public interest or in the exercise of official authority. 
  • - For the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  • A burden and an opportunity | Arts Professional

Marketing and fundraising for arts organisations / charities / museums

Use of personal data for marketing or not for profit purposes provides an exemption from having to pay the Data Protection Fee. However volunteers are no different to employees in the eyes of GDPR.
....charities can send direct marketing by post or make calls to numbers not registered with the telephone preference service, provided they can satisfy the legitimate interest condition.
GDPR: how charities should prepare for data protection changes 

Implications for Sole Traders

Things an artist / sole trader / freelancer MUST do includes:
REFERENCE​
Art Galleries and Art Dealers
Data Breaches

It is a criminal offence for anyone to knowingly or recklessly obtain (or disclose) information about someone from a data controller without its consent. 
Some examples of what art organisations (art societies and art galleries do) - without thinking first!
  • An email sent to me about an event by an organisation acting on behalf of an art society disclosed its complete mailing list and all the e-mail addresses on it to everybody on that mailing list.
  • Another art society recently sent me its handbook. It contained every member's name, address, telephone number and e-mail address. Apart from the fact that I don't need all of this information, it represents a fraudster's dream come true.
  • An art society had a laptop stolen recently. It contained all the personal contact details of all its members. The data was not encrypted.
  • A fourth (and fifth and sixth and seventh....) art society lists the home addresses and telephone numbers of all its members in the brochure for its annual exhibition - distributed without making a note of who gets it.

Art Bloggers
​The Blogger’s Guide to GDPR 

Articles / Advice ​from Art People
Four questions for you - and your art society and/or art gallery:

1. Does your art society and/or art gallery understand that it has to protect personal data relating to individuals?

2. Are the administrators 'data protection aware'?

3. Do they process personal information about individuals in a secure way?

4. Are the officers of your art society / managers of your art gallery aware of their legal responsibilities under data protection legislation?
ADVERT

GDPR and Specific Personal Data Processors

All agencies which you transact with and which processes personal data of EU residents MUST be compliant with GDPR - or else you should NOT use them.

Artists and art organisations rely on third parties to help them with specific functions eg receiving/making payments; sending emails and newsletters, marketing and promoting their art.  All of these third parties must also comply with ALL the GDPR requirements relevant to them. If their business is data processing then they may have additional requirements.

APPLE

This is

Google

Google has a website related to Businesses and Data Protection and Privacy which makes various commitments
Google states that it is committed to complying with applicable data protection laws
Learn more about Google's commitment to GDPR here.
This covers:
  • ISO 27001 (Information security management)
  • ISO 27017 (Cloud security)
  • ISO 27018 (Cloud privacy)
  • SSAE16/ISAE 3402
  • Privacy Shield
  • FedRAMP
  • PCI DSS (Payment Card Industry Data Security Standard)
GOOGLE'S STATEMENT RE.
Our commitment to GDPR
We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR). Keeping users’ information safe and secure is among our highest priorities at Google. Over the years, we have spent a lot of time working closely with Data Protection Authorities in Europe, and we have already implemented strong privacy protections that reflect their guidance. We are committed to complying with the new legislation and will collaborate with partners throughout this process.
  • Updated terms
  • CMO checklist
  • Robust safeguards
  • Incident response
  • User transparency
  • International transfers
  • Privacy practices
Google is committed to complying with the EU General Data Protection Regulation (GDPR) for G Suite and Google Cloud Platform services.

Google AdSense

Changes to our ad policies to comply with the GDPR March 22, 2018 - we will be updating our EU consent policy when the GDPR takes effect and the revised policy will require that publishers take extra steps in obtaining consent from their users

Google Cloud

Google Blogger

This is the statement which appeared on Google's Blogger blogs on 25th May 2018.
This is the link in the notice to Google's statement on Cookies notification in European Union countries

Google and cookies

Google references this site with respect to cookies ​and Helping publishers and advertisers with consent
http://www.cookiechoices.org/

Google EU Consent Policy

This page is all about the Google EU Consent Policy

ONLINE PAYMENTS - PayPal

  • What has PayPal done about GDPR? - my blog post starting to take a look at changes made by PayPal
  • PayPal has Policy Updates - this covers upcoming changes 
  • Notice of amendment to the PayPal User Agreement. Effective Date: May 25, 2018 (i.e. GDPR Implementation date) - this includes changes relevant to the 1. Control and protection of personal data
  • Notice of amendment to the PayPal Privacy Policy Effective Date: May 25, 2018 - find the amended PayPal Privacy Policy 

ONLINE PAYMENTS - Square Inc.

  • GDPR FAQs | Square - Includes "How Do I Know if the Processing of Personal Data Is GDPR Compliant?"

CONTACTS - Mailchimp

Please note that posts and guide are for informational purposes only, and should not be considered legal advice. 

CONTACTS - AWeber

AWeber does NOT currently recognise the General Data Protection Regulation. When using the term (and GDPR) in its search facility there were no results. My conclusion is AWeber is not GDPR compliant.
  • Maybe they read the above? This is their latest blog post ​Your GDPR + Email Marketing Playbook: How to Prepare for the New EU Data Law

CONTACTS - Feedblitz

CONTACTS - (Google) Feedburner

  • Absolutely nothing about GDPR! Mind you they made no announcements re. the changes they made re. accepting https feeds....

DATA - Dropbox

DATA - WeTransfer

  • GDPR Compliance - seem rather more laid back compared to Dropbox but indicate they intend to be compliant by due date

3rd Party Sales - Etsy

Artists who sell their art via Etsy will be REQUIRED to create and comply with their own GDPR-compliant privacy policy.

WEBSITES - Squarespace

  • GDPR and Squarespace | Squarespace Help - constantly updates a blog post about developments on GDPR implemented by Squrespace - PLUS advice for those using Squarespace websites as to what they should be doing. The guide is available as a resource, but should not be construed or relied upon as legal advice.
  • Squarespace Privacy Policy - updated 14 May 2018

Websites - Weebly

  • GDPR - FAQ | Weebly Support Centre - This ONLY addresses the facts of GDPR for the website owner. It makes no statement as to whether or not Weebly is compliant with GDPR. Given that this website is built on Weebly I'm more than a little concerned about this and am sending them regular emails asking for more PUBLIC information re. THEIR compliance.
  • Weebly Privacy Policy - updated 23 May 2015

WEBSITES - Wix

GDPR Facebook Groups

The following are Facebook Groups that have been set up to review and address issues associated with GDPR. Bear in mind that the bulk of discussions will of no relevance to art organisations or artists - but many of the issues that other organisations and sole traders face are broadly similar.

Advice from Lawyers

When reviewing advice from lawyers look at what their expertise is to be providing advice about GDPR.

Be mindful of WHEN the advice was produced and whether it has been superseded by any official information which either clarifies or updates official guidance on topics or interpretation.

GDPR for online entrepreneurs - busting the myths, the sensible approach

The video below provides a two hour training session - one for those who need to focus on what GDPR means
There is a lot of hype around GDPR and the headline busting €20m fines for business owners that don't comply. Multi-award winning business lawyer and data protection expert Suzanne Dibble busts the myths on GDPR, sets out clearly what you really need to know and shows you the simple steps you need to take for compliance.

GDPR FAQs

Articles / Advice / Blogging about GDPR from Generic Sources

Blog posts can be very useful sources of alternative perspectives and information tailored to specific circumstances rather than reiterations of the official guidance.

Business Bloggers

Newspapers

What is GDPR and how does it affect you? | The Guardian - and article written for the week in which GDPR comes into force