Any business that handles personal data, even micro-businesses with fewer than ten staff, will have to follow new data protection rules from 25 May 2018.
My aim is to provide a set of resources for artists and arts organisations to read and reference as they prepare to make sure they comply with this new and more rigorous approach to data protection for people living in the EU.
To start with, this is going to be pretty much a list of resources - but I'll aim to extract and organise information as issues that need to be addressed become clearer.
The quotations below (in blue) highlight and focus on key facts and statements made to date.
Topics covered below include:
OFFICIAL SOURCES OF INFORMATION - including enforcement action taken
Does this affect YOU? Try completing these two quizzes....
The General Data Protection Regulation
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What is personal data?
Personal data includes:
What constitutes personal data?
Data Protection | EU - the main portal to all relevant information - including
Paperback: 464 pages
Publisher: John Wiley & Sons
Publication date: 23 Jan. 2020
Average rating out of 5 stars - UK: 4.8 by 67 customer reviews; USA: 4.7 by 32 customer reviews
BUY THIS BOOK: GDPR For Dummies from Amazon UK
GDPR For Dummies from Amazon.com
The Information Commissioner's website has extensive information about GDPR which is being expanded on a regular basis. Very much worth keeping an eye on.
Good information handling makes good business sense. You'll enhance your business's reputation, increase customer and employee confidence, and by making sure personal information is accurate, relevant and safe, save both time and money.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
In the recent past, the rule was that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
The GDPR provides the following rights for individuals:
Personal data breaches can include:
Extracts from recent blog posts
People have a right to have their personal data kept safe, only used in ways that are properly explained to them, and for certain uses of their data, to which they expressly consent. Hackers should not be getting to core systems in the first place. Privacy by design should be in every part of your information processing, from the hardware and software to the procedures, guidelines, standards, and policies that your organisation has or should have.
ICO: General Guidance on GDPR
You don’t need to pay a fee if you are processing personal data only for one (or more) of the following purposes:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer
The Data Protection Fee
The Data Protection Commission (DPC) is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR), and also has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.
A book about data protection law for anybody doing business in Europe - no matter where you are located.
Suzanne Dibble is a very switched on lawyer who specialises in small business issues. She created and led the Facebook Group about GDPR for online entrepreneurs which provided most of the answers while it was being introduced. I was on it every day while everybody had their heads down trying to understand the implications.
I've not read this book (it's not yet published) - but I do know that the author has very many fans for her explanations of what you need to know. I have been one of them!
Paperback: 464 pages
Publisher: John Wiley & Sons
DUE DATE: 19 Feb. 2020
ORDER THIS BOOK: GDPR For Dummies (For Dummies (Computer/Tech)) from Amazon UK
GDPR For Dummies (For Dummies (Computer/Tech)) from Amazon.com
These include:
Note: There is absolutely no information on the Arts Council website. You can try looking - but for me it gave every appearance of being completely unaware that GDPR is happening and that it has implications for the art sector!
Data consent
Data protection law regulates how colleges, universities and other learning providers collect and use information about students, staff and others. It also provides individuals with the right to access information that is held about them.
If you are employed as an art teacher: your employer will
If you are an independent provider of art tuition - as either a company or sole trader - you have to implement all the protocols and practices yourself. This is particularly important in relation to anybody who has recently moved their teaching online.
REFERENCE:
Use of personal data for marketing or not for profit purposes provides an exemption from having to pay the Data Protection Fee.
However, volunteers are no different to employees in the eyes of GDPR.
....charities can send direct marketing by post or make calls to numbers not registered with the telephone preference service, provided they can satisfy the legitimate interest condition.
Things an artist / sole trader / freelancer MUST do include:
You MUST include a privacy notice when collecting personal data / on your website / online store
Download the PRIVACY NOTICE TEMPLATE produced by ICO (Word file)
REFERENCE
It is a criminal offence for anyone to knowingly or recklessly obtain (or disclose) information about someone from a data controller without its consent.
- An email sent to me about an event by an organisation acting on behalf of an art society disclosed its complete mailing list and all the e-mail addresses on it to everybody on that mailing list.
- Another art society recently sent me its handbook. It contained every member's name, address, telephone number and e-mail address. Apart from the fact that I don't need all of this information, it represents a fraudster's dream come true.
- An art society had a laptop stolen recently. It contained all the personal contact details of all its members. The data was not encrypted.
- A fourth (and fifth and sixth and seventh....) art society lists the home addresses and telephone numbers of all its members in the brochure for its annual exhibition - distributed without making a note of who gets it.
When looking at most normal blogs, personal data will include:
Four questions for you - and your art society and/or art gallery:
(30): “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them”
What do we need to do to comply?
Cookies which identify individuals are considered to be personal data.
The majority of cookies are used to identify users. These include cookies for analytics, advertising and functional services, such as survey and chat tools. They therefore count as personal data within GDPR - which is why so many people started analysing cookies and then designing precise controls for them. Not that every website has made that clear... These sites are helpful in explaining cookies and are included by a number of websites as a way of providing extra information for consumers.
Google has a website related to Businesses and Data Protection and Privacy which makes various commitments.
Google states that it is committed to complying with applicable data protection laws.
Learn more about Google's commitment to GDPR here. This covers:
GOOGLE'S STATEMENT RE.
Our commitment to GDPR
We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR). Keeping users’ information safe and secure is among our highest priorities at Google. Over the years, we have spent a lot of time working closely with Data Protection Authorities in Europe, and we have already implemented strong privacy protections that reflect their guidance. We are committed to complying with the new legislation and will collaborate with partners throughout this process.
Google is committed to complying with the EU General Data Protection Regulation (GDPR) for G Suite and Google Cloud Platform services.
Google AdSense
Changes to our ad policies to comply with the GDPR, March 22, 2018 - we will be updating our EU consent policy when the GDPR takes effect and the revised policy will require that publishers take extra steps in obtaining consent from their users
Google Cloud
Google and cookies
Google references this site with respect to cookies and Helping publishers and advertisers with consent
http://www.cookiechoices.org/
Google EU Consent Policy
This page is all about the Google EU Consent Policy
ONLINE PAYMENTS - PayPal
ONLINE PAYMENTS - Square Inc.
CONTACTS - Mailchimp
CONTACTS - AWeber
AWeber does NOT currently recognise the General Data Protection Regulation. When using the term (and GDPR) in its search facility there were no results. My conclusion is AWeber is not GDPR compliant.
CONTACTS - Feedblitz
CONTACTS - (Google) Feedburner
DATA - Dropbox
DATA - WeTransfer
3rd Party Sales - Etsy
Artists who sell their art via Etsy will be REQUIRED to create and comply with their own GDPR-compliant privacy policy.
WEBSITES - Squarespace
WEBSITES - Weebly
WEBSITES - Wix
An authoritative handbook about the law on data protection in the UK and EU
- but not cheap!
The guide is a very welcome publication and brings together commentary on data protection legislation from a variety of sources. There are a number of contributors to the guide, all of whom are highly regarded and active in their field and this is apparent through their practical and insightful application of data protection law throughout the guide. The foreword from the information commissioner, Elizabeth Denham, adds further weight to the guide which, as the synopsis suggests, is an invaluable handbook for all data protection practitioners. (David White, New Law Journal)
Paperback: 410 pages
Publisher: Oxford University Press
Edition: 5th
Publication date: 1 May 2018
Data Protection: A Practical Guide to UK and EU law from Amazon.co.uk
Data Protection: A Practical Guide to UK and EU Law from Amazon.com
The following are Facebook Groups that have been set up to review and address issues associated with GDPR. Bear in mind that the bulk of discussions will be of no relevance to art organisations or artists - but many of the issues that other organisations and sole traders face are broadly similar.
When reviewing advice from lawyers, look at what expertise they have to be providing advice about GDPR.
Be mindful of WHEN the advice was produced and whether it has been superseded by any official information which either clarifies or updates official guidance on topics or interpretation.
There is a lot of hype around GDPR and the headline busting €20m fines for business owners that don't comply. Multi-award winning business lawyer and data protection expert Suzanne Dibble busts the myths on GDPR, sets out clearly what you really need to know and shows you the simple steps you need to take for compliance.
Business Bloggers
Newspapers
What is GDPR and how does it affect you? | The Guardian - an article written for the week in which GDPR comes into force
Copyright: 2015-2021 Katherine Tyrrell | Making A Mark Publications
- all rights reserved