Managing your data
This guide gives an insight into GDPR regulations and when you are required to gain consent before sending a mailing campaign.
Receiving data
How most galleries receive data
- Face to face
- Over the phone
- Via websites
Your reasons for collecting data
Often, data subjects will give you their data expressly to receive details about artworks, artists or the gallery. You need to consider that the lawful basis for processing personal data is that you are pursuing your legitimate interests in operating a marketing list, where the purpose for you keeping it has been explained to the data subjects and their rights are not infringed.
Ensure you are not infringing on users' rights
You might be collecting data illegally if:
- Users have not given you their data themselves.
- Users do not fully understand what you are going to do with it.
- You keep it longer than you have to.
- You do not keep it as accurate as you can.
- You collect unnecessary data.
- You collect special category data (political affiliations, religion, sexual behaviour, sexual orientation, health details, criminal convictions, or details about children).
- You do not have adequate security in place.
- Users do not have the opportunity to opt out of receiving communications.
- Users request that you delete their data, and you fail to act on the request straight away.
Recording GDPR consent
You do not need to obtain and record GDPR-compliant consent to operate a marketing list. This has been a common misunderstanding among many galleries who have received poor advice or who have observed the behaviours of other companies.
GDPR sets a very high bar for consent. If the process for obtaining consent does not follow strict rules, the consent is worthless. If you use consent as the legal basis for keeping your contacts' data, you may have to delete many of your contacts, as you cannot process data without consent (a non-response is the same as a refusal). If you market to people who have withheld their consent when that is the legal basis that you are using, you could face regulatory fines if anyone objects.
When to seek legal advice
You may need legal advice and need to act differently if any of the following is true:
- You did not receive personal data from the data subjects themselves.
- You are using personal data for profiling in a wider way.
- You are collecting data in a way that makes your company name or the purpose for collecting it obscure.
- You are processing data in ways that the data subjects would not know about or understand, for instance passing data to other companies without their knowledge.
More things to consider
A privacy policy
You do need a privacy policy on your website and you do need to ensure that you are meticulous about documenting everything. Apart from that, it is pretty much business as usual.