We recently hosted a free session detailing how arts, culture, and heritage organisations can get ready for new data protection regulations. Here is a quick and easy guide to what you need to know, and some free resources to help you on the way.
What is it?
GDPR (General Data Protection Regulation) comes into force on 25th May 2018.
- Enhanced personal privacy – more rights for your customer or visitor.
- Organisations will have to have more defined processes in place for dealing with data.
- You must be more transparent as to why and how you use personal data.
- All staff need to be up to speed on the new regulations.
- Financial penalties can be imposed for breaches.
How does it affect my Organisation?
If your organisation collects or stores any type of personal data from people in the EU – you will need to comply with GDPR. This could include email addresses, names, contact details, addresses etc.
If you don’t comply – there can be financial penalties.
However, there are some positives – being compliant shows your audience that you are a trustworthy organisation that respects their privacy and personal information.
Where do I go from here?
Take stock of what information you have already, where it is stored, and what processes you have for data protection already. Who is responsible for data protection in your organisation?
Do you need all of the information you collect? Why collect someone’s date of birth if you never segment marketing by age or offer a birthday discount?
Could you store it all in one place? This makes it easier to fully delete information once it is no longer needed.
Ensure passwords and protection are in place – password-protect documents and databases which hold personal data. Ensure that the password for this is kept elsewhere. If sending this document via email, send the password by a different method, e.g. by text or in person.
Let your audience know why you are collecting their data, and what you will do with it.
Some free resources to get started:
Note: This is intended to provide an overview of GDPR and is not a definitive statement of the law.
For a definitive guide, check out the Information Commissioner’s Office website.