The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018 across all EU member states. And before you stop reading this thinking that it only applies to commercial businesses – GDPR is for choirs as well, whether amateur or professional.
If you saw the phrase “EU member states” and thought “It won’t apply to me because of Brexit” – you are also mistaken. The UK Government's Data Protection Bill 2017 brings GDPR into UK law and this will not be affected by Brexit.
There are things you have to get done urgently to ensure that your choir's GDPR compliance is in order. For the most part, in small and amateur choirs, it is not a huge task – but a necessary one all the same. In actual fact, it can present an opportunity to ‘clean up’ your marketing lists and data in a way that will make life easier for you in the future.
How relevant is GDPR for choirs?
GDPR is basically an updated set of regulations designed to protect the data and privacy of EU citizens. It applies to any organisation that stores and/or processes ‘Personal Data’. Personal Data is anything that can identify or be associated with an individual. This includes name, address, email address, telephone number and photographs – all of which probably apply in some way to information held by someone in your choir.
Any arts organisation, charity, community group or membership organisation has a legal duty to follow these laws when gathering, storing, sharing or processing this data.
I don’t intend to provide a very detailed description of the regulations in this post, but to focus on the information that is important in GDPR for choirs. It is intended to highlight some key actions you should take as a matter of urgency. There are some good reference sources, such as the Information Commissioner’s Office (ICO) website, that I would recommend you look through to understand more about the regulations and your responsibilities.
Basic concepts of GDPR for choirs
GDPR legislation defines 6 principles for the processing of personal data:
Lawfulness, fairness and transparency
Data must be gathered and used in a way that is legal, fair and understandable. An individual must have a clear understanding of how their personal data will be held and how it will be used. Where consent is requested this must be provided as a positive action (i.e. no ready-ticked boxes or assumptions of acceptance). There are a number of rights that the individual has with regard to their data (see separate box).
Purpose limitation
Organisations should only use data for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission.
Data minimisation
The data collected by organisations should be limited only to what is required for the purpose stated.
Accuracy
The personal data you hold should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased.
Storage limitation
Personal data should only be stored for as long as is necessary. Data can be archived securely and used for research purposes in the future.
Integrity and confidentiality
Personal data should be held in a safe and secure way that takes reasonable steps to ensure the security of this information and avoid accidental loss, misuse or destruction.
There are special rules that apply to more sensitive data (called “special category data”), such as medical information, religion, race, ethnicity, political allegiance, sexuality, etc., and also to data on children. If you hold or process such information your choir's GDPR compliance is a little more complex and I would recommend studying the ICO site and perhaps getting expert advice.
Rights of the Individual in GDPR for choirs
Individuals should be informed of how their data is collected, stored and processed in a clear, accessible way.
You should provide this in your Privacy Statements and on request.
GDPR for choirs is not just about digital information
I should also make it clear that, although much of the discussion is about the electronic storage and processing of data, GDPR applies just as much to those lists on sheets of paper you have lurking in a drawer somewhere!
One area that has been significantly tightened up under GDPR is the reporting of personal data breaches.
A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk, then you must notify the individuals concerned as soon as possible and the ICO within 72 hours; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.
The legal bases for holding and processing personal data
Under GDPR you must have a valid lawful basis in order to process personal data. There are actually six available lawful bases for processing (see side panel), but for choirs I would expect that you would primarily be using ‘consent’.
There is justification for using ‘legitimate interest’ for data held about choir members themselves and only used for administration, but as that is a group for whom it will be easiest to capture consent you might as well use ‘consent’ throughout. After all, emailing the members about a social event could be seen as marketing rather than essential choir administration.
You can use ‘legitimate interest’ as the legal basis for postal mailings (these are treated differently to electronic mailings), so that means you would not need to gain consent to mail. However, you do need to document how you are considering and protecting people’s rights and interests. To do that you have to fulfil a three-part test. You need to:
• identify a legitimate interest;
• show that the processing is necessary to achieve it; and
• balance it against the individual’s interests, rights and freedoms.
To help you with this I have created a spreadsheet form to complete based on the detailed tests created by the Data Protection Network. You can download my spreadsheet here.
The legal bases for processing
At least one of these must apply whenever you process personal data:
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Under GDPR, consent from individuals must be affirmative, freely given, specific, informed and unambiguous. This means that they must actively give consent for their data to be processed and clearly understand what they are consenting to. You need to specifically state what you will do with their data. Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. Explicit consent requires a very clear and specific statement of consent.
In any investigation you will be asked to show how and when consent was granted, so it is vital that you record this and can provide evidence. This might be as simple as holding copies of forms where a box has been ticked or having digital records of when the user opted in to share their data.
What you should do now
The ICO provides a handy 12-step guide to what organisations need to be doing before 25th May 2018 (and beyond) and I recommend you follow it – click here to download a copy.
I would suggest your immediate top priorities should be:
1. Audit the data you are storing and processing
Carry out an audit of all personal data being held and/or processed by your choir. Define what data is held and why, how it was/is collected, how and where it is stored, how it is processed and how long you keep it for.
You might like to use a spreadsheet model like this one that I use to document audits.
The most common areas to investigate in GDPR for choirs will probably be:
• Choir member databases
• Choir supporter and mailing lists
• Photographs used for publicity
There may well be others – take a poll around all committee members and ask what information they are holding on their PCs or on paper.
Use this opportunity to have a ‘clean out’. Get rid of data that you don’t need to hold or use.
Also ensure that you review the security of the information stored. The Making Music guide has more detailed advice about what you need to do with various data records – download a copy here.
2. Ensure your consent records are GDPR compliant
As you are probably going to be using ‘consent’ as your legal basis for processing – can you prove that you have that consent? If not, you may need to re-obtain it, and in a way that is verifiable.
For your choir members that could be simply by getting them to sign a new consent form (which must be clear, specific, unambiguous, etc.).
For your supporters’ mailing list, if you are using an emailing service such as Mailchimp it may well have recorded how the emails were added. If you have records with no such information you may well have to go back to those people and request that they re-consent. Mailchimp provides an email template to do this.
If you are just using email lists on a spreadsheet I would suggest that this is the time to move across to Mailchimp, or equivalent. It provides the ability for you to maintain consent records in a GDPR-compliant way. It is free (for fewer than 2,000 addressees) and has the added benefit of helping you create more professional-looking email newsletters, plus it automatically adds such features as an ‘unsubscribe’ button, which is required by GDPR.
According to ICO guidelines if you have postal mailing lists, you can use ‘Legitimate Interest’ as your legal basis for processing so you do not require proof of consent. However, you will need to document your decision reasoning as I described earlier. You might just like to take the opportunity to reduce your postal costs by undergoing a cleansing exercise anyway.
Getting new consent from mailing lists of any sort is bound to result in the loss of some (or even many) names from your list. View this as an opportunity to make your mailing list more effective. In marketing it is not the size of your mailing list that matters but the quality. Are you communicating with people who are wanting to hear what you are saying? If not – then why annoy them with mailings? For postal mailing lists it is also an opportunity to reduce your mailing costs.
3. Review and rewrite your privacy notice(s)
The Privacy Notice(s) you provide on your website and on sign-up and membership forms are an essential way that you can communicate your GDPR compliant approach. The ICO provides explicit guidance on what should be included in your privacy notices here.
4. Ensure your ability to honour individuals’ rights and requests
Make sure you know how you would be able to respond to requests from individuals with respect to their legal rights. Document the processes that would support this.
GDPR for choirs – the work will not finish on 25th May!
Even once you have completed any work you have not finished before 25th May, it doesn’t end there.
GDPR compliance is not a one-off exercise. You will need to ensure you maintain the records and follow GDPR best practice in your day-to-day activities as you go forward.
Image courtesy of Blake Imeson
ICO 12 Step GDPR Prep Guide
12 steps that the Information Commissioner's Office recommends you complete before 25th May 2018. Download the Guide >
Making Music Data Guide
A helpful guide to what to do with various data types in a typical music group. Download the Guide >
GDPR Data Audit Template
Spreadsheet template for you to audit your data. Download the template >
Legitimate Interest Test Template
Spreadsheet form to test the applicability of Legitimate Interest as a processing basis. Download the template >
ICO Guide to Privacy Statements
Guidance from the Information Commissioner's Office on Privacy Statement contents. Access the page >