GDPR: When someone thinks they need consent

Last edited:

This guide gives an insight into GDPR regulations and when you are required to gain consent before sending a mailing campaign.

Warning: The information here has been written to provide some clarity over GDPR compliance. This is not legal advice, we are not lawyers and if you are in any doubt about what to do, you should speak to a lawyer.

Receiving data

How most galleries receive data

  • Face to face
  • Over the phone
  • Via websites

Your reasons for collecting data

Often, data subjects will give you their data expressly to receive details about artworks, artists or the gallery. You need to consider that the lawful basis for processing personal data is that you are pursuing your legitimate interests in operating a marketing list, where the purpose for you keeping it has been explained to the data subjects and their rights are not infringed.

Ensure you are not infringing on users' rights

You might be collecting data illegally if users:

  • Have not given you their data themselves.
  • They do not fully understand what you are going to do with it.
  • You keep it longer than you have to.
  • You do not keep it as accurate as you can.
  • You collect unnecessary data.
  • You collect special category data (political affiliations, religion, sexual behaviour, sexual orientation, health details, criminal convictions, or details about children).
  • You do not have adequate security in place
  • Do not have the opportunity to opt-out from receiving communications
  • Request that you delete their data, which you fail to act on straight away.

 

Recording GDPR consent

You do not need to obtain and record GDPR compliant consent to operate a marketing list. This has been a common misunderstanding among many galleries who have received poor advice or who have observed the behaviours of other companies.

GDPR sets a very high bar for consent. If the process for obtaining consent does not follow strict rules it is worthless. If you use consent as the legal basis for keeping their data, you may have to delete many of your contacts as you cannot process data without consent (a non-response is the same as a refusal). If you market to people who have withheld their consent when that is the legal basis that you are using, you could face regulatory fines if anyone objects. 

When to seek legal advice

You may need legal advice and need to act differently if any of the following is true:

  • If you did not receive personal data from the data subjects themselves.
  • You are using personal data for profiling in a wider way.
  • If you are collecting data in a way that makes your company name or the purpose for collecting it obscure.
  • Processing data in ways that they would not know about or understand, for instance passing data to other companies without their knowledge.

More things to consider

A privacy policy

You do need a privacy policy on your website and you do need to ensure that you are meticulous about documenting everything. 

Related Articles

Was this article helpful?
0 out of 0 found this helpful

Related articles