ISM GDPR template privacy statement and advice
The General Data Protection Regulation (GDPR) came into force on 25 May 2018, along with a new Data Protection Act 2018. GDPR creates rules about how our personal information needs to be handled – and how we need to handle the personal information of others.
Does GDPR apply to musicians? The answer is, in many cases, yes, especially if you store lists of current and prospective clients, hold addresses, payment details, send marketing materials and more. Whether you hold data on your computer, on your mobile phone, in the cloud or manually on paper, you will need to comply with GDPR.
This brief overview highlights some key essentials.
GDPR gives individuals greater control over their ‘personal data’ and how it is used by organisations or businesses – including sole traders, like many musicians who may teach, perform live, or run workshops and so forth. Much of what is in GDPR is already contained in existing data protection law.
GDPR creates rights for individuals (known as ‘data subjects’) and also creates obligations on those who ‘process’ their personal data (known as ‘data controllers’). If you have spreadsheets, emails, electronic or paper documents, and other sorts of files containing personal information about customers, or pupils and so on – you are a ‘data controller’.
You must have a lawful basis for processing personal data, of which there are six in GDPR:
You need to decide which of these bases applies to the processing you are undertaking. You will also need to note this in a record of your processing activities (sometimes called a ‘data map’) and also within a privacy statement which tells people what you are doing with any of their data that you may collect.
In practice, much of what you are likely to do will arise under the contract basis: you hold the data and process it because it is necessary to fulfil a contract with a client, or a parent of a music student, for example. You may also rely on consent – this is important where you want to do marketing of your services. If you want to send marketing information by email or other electronic means, you will need to get an express consent from your customers or clients before you send them marketing materials. If you do not already hold an express consent, you must not send marketing emails.
The Information Commissioner’s Office (ICO) has produced a detailed guide to GDPR, available online. See this Guide for a full definition of the six legal bases.
The ICO also provides lots of useful guidance on its website, some of this aimed at small organisations and sole traders. The ICO operates a dedicated advice line to help small organisations with GDPR: telephone 0303 123 1113.
The ICO welcomes calls in Welsh – please phone 0330 414 6421 to talk to the ICO team. Rydym yn croesawu galwadau yn Gymraeg – ffoniwch 0330 414 6421 i siarad â’r tîm os gwelwch yn dda.
Much of what is in GDPR is covered by existing data protection legislation but there are some differences and a new emphasis on accountability on the part of those who handle personal data.
You must also tell them about their rights to ask for a copy of any data you hold on them, and how they can get their records corrected or amended, or deleted.
See the ICO guidance on privacy notices
Your data map and privacy statements are key accountability requirements under GDPR by which you can demonstrate you are meeting the legal obligations to process other people’s data fairly, lawfully and transparently.
You do not need consent to process personal data in every case. But where you do rely on consent for processing data, you should review how you obtain it and record it. Ensure that your consents comply with the higher standard required under the GDPR.
• A GDPR-compliant consent means that you, as a data controller, must be able to demonstrate that your data subject has consented to the processing of their data.
• If you are relying on any consents for your activities, they need to be clear, unambiguous and require a positive opt-in from the data subject.
• This is particularly important for electronic communications of marketing information: an express consent is already required under existing regulations, and you cannot infer consent from circumstance.
• GDPR also requires that you have a mechanism by which people can withdraw consent as easily as they give it. If you have a website through which individuals manage their accounts, you may already have user-preference tools which can be used to track consents and withdrawals.
Check to see if you need to pay a data controller fee
Data controllers (individuals and organisations processing personal data as part of their activities) generally need to pay a data controller fee to the ICO, unless an exemption applies.
If you make decisions about what happens to the data of your clients or customers, it is likely you will need to pay the fee. Processing data digitally extends to your mobile devices (such as smartphones on which you access emails or store telephone numbers).
Find out if you need to pay by using the online self-assessment tool at the ICO’s website: ico.org.uk/for-organisations/register/self-assessment/