There’s a big change imminent in data law that’s been putting big business in a spin for months. However, many small organisations and individuals may not even be aware of it. 
 
On May 25th, the EU General Data Protection Regulation (GDPR) will replace existing data laws. The GDPR is largely designed to bring data protection up to date with advances in data analysis and storage and the way that technology is used to sell us things. It’s designed to protect the rights and privacy of internet users in a much more relevant way, given how thoroughly ‘online’ is now integrated into everyday life. 
It’s easy to see how this doesn’t apply to your UK-based music education organisation. Firstly, it’s an EU regulation, and we’re leaving the EU, right? 
 
Wrong. The UK government has made it clear that the GDPR will be enforced, despite Brexit. 
 
But you have a relatively small mailing list of members and you’re not sending constant sales emails or selling your list of email addresses to other companies. You don’t even keep it online, it’s filed in a cabinet. 
 
It doesn’t matter! 
 
If you hold a mailing list of any kind, the law applies to you. 
 
 
"The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. 
 
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. 
 
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data." ICO website 
 
Should I panic? 
 
This is a serious piece of legislation. The consequences for non-compliance are serious, ranging from compensation claims to fines of up to €20 million and a ban from storing and processing data. 
 
No. Don’t panic. 
 
What do I need to do? 
 
One of the biggest changes from previous data law is the emphasis on consent. You can now only add someone to your mailing list if you have their direct consent, which means they must actively opt in to receive your news, rather than being added by default and left to opt out. 
 
In order to make sure your mailing list is compliant, you should either ensure you have opt-in records for everyone on the list, or ask people to opt in again. You can offer an incentive for them to confirm opt-in, such as entry into a prize draw. 
 
It’s also a good time to reaffirm your privacy policy. Let people know what you use their data for, and that they can remove consent by unsubscribing at any time. 
 
This is a good opportunity to reconnect with your mailing list, and to let them know their data is safe and that you are taking the new laws seriously. 
 
Email privacy 
 
It’s very common to see organisations emailing their members with all of the email addresses visible in the CC bar. It’s a convenient way to make sure members can contact each other. We’re all friends here, after all. 
 
Wrong. Email addresses stored on your system should be held securely and not shared. To send emails which openly share the data of other members is a breach of privacy law. ALWAYS use the BCC line. 
 
What if I work with children? 
 
The law safeguards children’s data too. Here are the guidelines laid out by the Information Commissioner’s Office (ICO) with regard to children: 
 
Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved. 
If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind. 
Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s personal data. 
You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child. 
If you are relying on consent as your lawful basis for processing personal data, when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. (This is the age proposed in the Data Protection Bill and is subject to Parliamentary approval.) 
For children under this age you need to get consent from whoever holds parental responsibility for the child – unless the online service you offer is a preventive or counselling service. 
Children merit specific protection when you use their personal data for marketing purposes or creating personality or user profiles. 
You should not usually make decisions based solely on automated processing about children if this will have a legal or similarly significant effect on them. 
You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have. 
Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. 
An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child. 
 
The law comes into force in just under a month. Take the time now to re-engage with your mailing list and assess your data and privacy policies to make sure you comply. There is loads of information on the ICO website, and remember, if unsure about any aspect of data law and how it applies to you, always seek legal advice. 
 
 