With one week to go before the EU General Data Protection Regulation come into effect, we are confident you are aware of GDPR! Who hasn’t had a couple of emails a day asking them to read updated privacy policies and update their subscription and marketing permissions to keep hearing from organisations and individuals? Yes the emails are seemingly endless; however for some they are necessary, and it does mean those contacting you are aware of GDPR and taking action.
GDPR replaces the 1995 Data Protection Directive and applies EU wide. Essentially it provides individuals with greater control over how others collect, use and process their personal information and if it will be shared.
This means, organisations and individuals who collect and process the personal information of others need to take notice and action. Amongst a whole host of changes (we do not claim to be experts!) those who collect, process and use your personal information need to be transparent with you about the personal information they will reasonably collect from you, how they will use and process it fairly, how they will securely store it and how long for, how you can correct, update and request it is deleted, and when they will lawfully share or disclose it. Plus, they need to demonstrate you have clearly and affirmatively opted to give them this personal information. There is also a requirement of organisations and individuals who hold personal information to have a lawful basis to process your data. This should be explicitly explored in an inventory and audit of the data held.
Here at Applied Arts Scotland we have taken the opportunity to ‘embrace’ GDPR and take a thorough look at the personal data we hold, why we hold it, what we use it for, when, how often and how we will securely store it. As a voluntary run organisation established in 1990, getting our data ducks in order has been a tough yet rewarding process. Tough because we have an extensive archive of members, projects, events and activities, etc. Yet rewarding because at a time when we are experiencing swift development and are about to embark on communicating more widely and frequently with makers in Scotland, we feel we are on top of things. So for us the timing has been good.
How have we done it? Here are some suggestions based on the key steps we have taken:
• Research and read up about GDPR on websites of trusted others in the creative industries who use clear and plain language to explain things relevant to your sector
• Attend events and workshops, and watch seminars and films
• Talk to other organisations and individuals who are complying with GDPR (a big thank you to all at Fife Contemporary!) and look at the steps they are taking
• Be honest with yourself about the personal information you hold, why and what for, and following an inventory and audit securely delete the personal information you do not need to hold
• Make use of excellent online resources, including Culture Republic’s excellent GDPR Hub, The Design Trust’s Webinar, Voluntary Arts Briefing GDPR: Data Protection, the Crafts Council’s Preparing for GDPR: A Guide for Makers and Designers and (the biggie!) the Information Commissioners’s Office’s (ICO) Guide to the General Data Protection Regulation (GDPR)