Culture Republic on preparing for GDPR

In this guest piece, Culture Republic summarise what you need to know and do in response to 2018’s data protection rule changes. Culture Republic have a range of tools to help organisations prepare to make the necessary changes that will keep you fully compliant and do right by your audiences.


The new General Data Protection Regulation (GDPR) is designed to protect the rights of the public, and everyone will need to make sure that the way they manage personal data is compliant with it.

Even though many people are feeling significant anxiety around the changes, there’s a real opportunity for cultural organisations. Simply put, better data management can bring real benefits to the volume and value of the audiences you attract.

From 25 May 2018, you’ll need to comply with GDPR, the new data protection regulations. There are fundamental changes that will impact upon all areas of your work across the company. Though they are European regulations, they will still be implemented in the UK despite Brexit.

If you are willing to use this policy change as the catalyst for internal review and adjustments, you will be building a stronger organisation for the long term. Better processes will help avoid complaints and prevent a crisis, which could cause reputational damage. Cleaner, more accurate data reveals insights about audiences’ motivations and barriers to attending. Better data means stronger, more cost-effective marketing lists, messages that matter to the recipient and an increase in audience trust so audiences and stakeholders are more likely to engage with you.

Rights and responsibilities

As a rule of thumb, rights belong to individuals and responsibilities belong to organisations. It’s their personal data after all. The direction of change is that individuals’ rights are getting more robust and our responsibilities are getting more demanding.

Data protection is organised around eight core rights that individuals should be able to count on. GDPR strengthens all of them, in particular those covering how their data is used, stored, shared and deleted. For example, if individuals ask for it, you will need to give them a copy of the data you hold about them and tell them the legal basis under which you hold it. If the information you hold is inaccurate, you will have to correct it.

What do your new responsibilities mean?

In the new system we all have to meet a higher bar around accountability and governance. You want to have evidence of your compliance with GDPR, in particular:

  • Have a written internal policy committing your organisation to handling personal data responsibly and for a good reason.
  • Write your privacy policies succinctly in language that everyone can easily understand.
  • You and your team members are trained in data management good practice.
  • Every time you capture data, whether you collected it in person or online, your privacy statements are clear about what the data is for and how it will be used.
  • A higher bar for consent means you need to make sure your opt-in boxes aren’t pre-ticked yes and that it is as easy to opt-out as it is to opt-in.
  • Keep a record of when/how individuals consented to receive information from you, including what they agreed to (in the privacy statement) and when consent was given.
  • Provide extra safeguards to protect sensitive personal data (especially for young people or around protected characteristics).

If you discover you’ve had a data protection breach you’ll have to disclose it. You will have a legal obligation to report the breach within 72 hours of discovering that it has happened. When you report, you have to inform both the ICO and individuals who are affected by the breach. People’s right to rectification is getting more robust. Under GDPR the Information Commissioner’s Office (ICO) will be the enforcers and they’re going to be able to levy significantly larger fines (up to 4% of annual global turnover or €20 million, whichever is greater).

What’s the current situation in the cultural sector?

Our November event, ‘Don’t get left behind or fined’ (in partnership with the ICO), was filled to capacity. It was clear many people are concerned about the coming changes and their impact on their ability to communicate with their audiences. Our research in advance of the event showed that there are high levels of awareness within cultural organisations about the fact that GDPR changes are coming. While a few organisations are ahead in their preparations, many still have a lot to do to get ready. In particular, we could see that there are real gaps around managing the consent that is needed to continue to use the customer data that you already have, and confusion around when you have a ‘legitimate interest’ to do so.

Why start now?

It’s not too late! You’ve still got almost six months to bring your policies and procedures up to date. The best way to start is to get to the bottom of where things stand in your organisation right now. To help you do this, Culture Republic has launched a new GDPR resource hub specifically for Scotland’s cultural sector.

Three steps to getting GDPR-ready

There's practical guidance for artists, producers and cultural organisations of any scale or art form. Follow the three-step journey, which will help you to assess where you are, what you need to do and how to turn your audience data into a powerful asset to understand who your audiences are, who they could be and how to reach them.

  1. Start by taking stock. Use the GDPR readiness test to get a feel for how much work you have to do and where your areas of uncertainty are. Then dig into the details of your data management.
  2. Use our free data audit workbook and templates to get a clear inventory of your current data, people and processes in order to make improvements.
  3. As you begin to make changes or when you need more detail, the GDPR resource hub has a series of articles to ground you in the basics (e.g. What’s a ‘data processor’? What does the ‘right to be forgotten’ mean?) and the details (from the international data shield agreement to where personal data might be hiding within your organisation).

As the deadline approaches, we will continue to keep you up to date on what you need to be aware of.

Finally, if you like the sound of our GDPR workshop in partnership with the ICO you haven’t missed the boat. We’re offering it again in February. Registration will open in the New Year but drop us an email at if you’d like us to hold you a place.

154 days and counting…

The General Data Protection Regulation (GDPR) is new legislation which will replace the UK’s Data Protection Act 1998 (DPA) from 25 May 2018. This article does not constitute formal guidance from Creative Scotland. It has been written by Culture Republic to help organisations understand the new legislative changes and prepare for the GDPR. Organisations are ultimately responsible for ensuring their compliance with the current DPA and forthcoming GDPR.