The General Data Protection Regulation (GDPR) has been a fraught topic of conversation since it was adopted in 2016. It introduces new and more rigorous obligations, which many organisations are hastily seeking to implement in time for the 25 May deadline later this year. One sector which is particularly struggling to prepare is the arts, with museums and public art galleries fearing that the bureaucratic burden of the new legislation will leave many institutions unable to comply. In particular, there are concerns that the cost of ensuring compliance, combined with the increased fines for failing to do so, could ultimately force some institutions to close. Several of them, including the National Portrait Gallery and the Natural History Museum, have contacted the Department for Digital, Culture, Media and Sport seeking further guidance on many of the issues discussed below, and also requesting that museums and art galleries be exempted from some of the GDPR’s more onerous obligations.
This article sets out some of the main points for those working in the sector to consider in order to comply with the new regime.
There is no significant museum or charity exemption from data protection or marketing law. One source of particular concern for both galleries and museums is therefore how the new data protection regime will affect their ability to engage with the individuals who support their organisations. These institutions commonly seek to supplement any public and corporate funding they receive with donations from individuals, whether through regular, one-off or legacy gifts or through friends and/or members groups.
Any advertising or marketing material (including material promoting the institution’s aims or requesting financial support) sent to individuals will constitute direct marketing, and as such can only be sent where permitted under the GDPR. There are six lawful bases on which an individual’s personal data can be processed under the GDPR, but the two principally relied on for sending direct marketing materials are consent and legitimate interests.
1. Consent
Institutions will be free to contact individuals with marketing materials where the individuals in question have given their clear consent. This consent must be active: galleries and museums cannot merely require individuals to “opt out”, or use pre-ticked boxes which individuals must de-select to refuse consent. Instead, the GDPR requires that individuals make a conscious choice to “opt in”, for example by ticking a box in an online form which permits the museum or gallery to contact them. Consent must also be linked to a specified purpose. There is guidance indicating that consent given for the purpose of making a donation to an organisation is separate from consent to being contacted by that organisation about events, for example.
Going forward, museums and galleries must keep a record of the date on which an individual gives or withdraws consent for each purpose, together with any preferences expressed as to which types of communication they wish to receive. The ICO has also indicated that consent does not last indefinitely and should be revisited periodically. There is no fixed timescale for this; the ICO has suggested every two years, depending on what would be reasonable in the circumstances.
2. Legitimate interests
An institution which can demonstrate that the processing (contacting individuals with marketing material) is necessary for its legitimate interests or the legitimate interests of a third party is permitted to do so unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. Subject to certain exceptions, legitimate interests can only be relied on for communication by post or by live – as opposed to automated – telephone calls. In such instances, the organisation is not required to have the consent of the individual in order to make contact with them. However, the individual must be given the option to opt-out of receiving such communications, since the organisation’s legitimate interest in contacting the individual must always be balanced against that individual’s rights.
Simply put, the gallery or museum must consider whether the individual in question would reasonably have expected their personal data to be used in this manner at the time of providing it. To ensure that the use falls within individuals’ reasonable expectations, museums and galleries are advised to set out clearly in their privacy notices how personal data will be used, and to give careful consideration to what would be reasonable given the organisation’s size, who its supporters are and its overall fundraising strategy, amongst other factors. It is also essential that a record is kept of every decision made and the basis on which it was taken. Local authority and university museums cannot rely on legitimate interests as a basis for processing personal data in the performance of their public tasks. As it currently stands, this would include institutions defined as public authorities under the Freedom of Information Act 2000. However, under the Data Protection Bill introduced by the Government in 2017, there is scope for the Secretary of State to provide that certain public authorities will not be treated as such for the purposes of the GDPR. The Government has also yet to provide guidance on the extent to which this restriction applies to activities of such institutions which fall outside their functions as a public body, for example running a shop.
It should be noted that all organisations which seek to fundraise must also comply with the applicable fundraising rules, such as the Code of Fundraising Practice. Additionally, any electronic communications will be subject to the requirements of the ePrivacy/PECR regimes; this article does not address those specifically.
Where a museum or gallery has any membership groups, it will need to provide a sufficiently detailed privacy notice to enable individuals to be contacted for the various purposes arising within the group. In particular, if the membership group is a separate entity from the museum or gallery, it will need to obtain the individual’s consent to share their personal data with the museum or gallery itself.
Profiling in the form of ‘wealth screening’ and research into high-value donors has long been an established practice, used to tailor the communications sent to those individuals and/or to assess their ‘cross-sell potential’ to other charities. Since this kind of profiling is processing that individuals are unlikely to expect as a result of their charitable donations, the ICO has stated that it now considers it to be intrusive, and that it therefore requires the individual’s consent, even where the research materials already exist in the public domain. Institutions will therefore need to give individuals sufficient information to provide a reasonable understanding of what wealth screening is and how the institution plans to use their personal information before undertaking this kind of processing. As yet, however, no further guidance has been provided as to what, if any, research the ICO considers acceptable prior to an individual giving their consent.
Collections and exhibitions
Beyond fundraising, most museums and art galleries hold copious amounts of personal data attached to the artworks and/or artefacts in their collections, including those in temporary exhibitions or on loan elsewhere. The burden of working back through this data to ensure that each use rests on an appropriate lawful basis will incur significant additional time and cost, which in turn may impact the institution’s core activities. While the GDPR itself does not provide any exemption for historical or cultural works, the new Data Protection Bill provides for exemptions from certain GDPR requirements where processing is for archiving purposes in the public interest or for historical research. Note that data protection law applies only to personal data relating to living individuals, so records concerning solely the deceased fall outside it altogether. While the law is still changing as the implementation date approaches, and it is not yet clear how these exemptions will operate in practice, organisations are advised to continue preparing for the GDPR until further guidance is published.