Vital advice on GDPR and how it affects musicians

New data protection laws to comply with the General Data Protection Regulation (GDPR) came into force on 25 May 2018. Although GDPR is a European Regulation, the new legislation will mean that the provisions of GDPR within the new data protection law in the UK will continue after Brexit has happened.

Does it apply to musicians? The answer is, in many cases, yes, especially if you store lists of clients, hold addresses, payment details, send marketing materials and more. Whether you hold data on your computer, on your mobile phone, in the cloud or manually, it makes no difference.

In this article we provide a brief overview of the GDPR.

The Information Commissioner’s Office (ICO) also provides lots of useful guidance on its website (ico.org.uk), some of this aimed at small organisations. In addition, the ICO operates a dedicated advice line to help small organisations prepare for the new data protection laws (T: 0303 123 1113 and select option 4).

See in particular the ICO’s Guide to GDPR online and also the guide Preparing for the General Data Protection Regulation: 12 steps to take now.

GDPR — what does it mean?

GDPR gives individuals greater control over their ‘personal data’ and how it is used by organisations or businesses – including sole traders, like many musicians who may teach, perform live, or run workshops and so forth. Much of what is in GDPR is already contained in existing data protection law.

GDPR creates rights for individuals (known as ‘data subjects’) and also creates obligations on those who ‘process’ their personal data (known as ‘data controllers’). If you have spreadsheets and other sorts of files containing personal information about customers, or pupils and so on – you are a ‘data controller’.

  • ‘Personal data’ means data about a living person who can be identified from the data you hold on them. This can include addresses (including email), telephone numbers, birth dates, academic records, health information, other material such as photographs or videos, and so on.
  • A ‘data controller’ is someone who decides what and how any such personal data is ‘processed’. So if you collect any of the data elements above and use them to issue invoices, send contracts, send marketing email, you are likely to be a data controller.
  • Data controllers must handle personal data lawfully, fairly, and transparently, for specific, defined and time-limited purposes. Data must be accurate and up to date, and must be processed securely.
  • A ‘data processor’ is someone who processes personal data on your behalf – so a direct debit firms handling your customers’ regular payments, a payroll company if you have employees and outsource your pay routines, and so on. You are still responsible for any data you share with another party such as a data controller.
  • A ‘data subject’ is a natural person whose personal data is processed by a controller or processor

You must have a lawful basis for processing personal data, of which there are six in GDPR:

  • Consent
  • Contract
  • A legal obligation
  • Vital interest
  • Public task
  • Legitimate interest

See the ICO’s Guide to GDPR for full definition of these terms. In practice, most of what you are likely to do will arise under the contract basis: you hold the data and process it because it is necessary to fulfil a contract with a client, or a parent of a music student, for example. You may also rely on consent – this is important where you want to do marketing of your services. If you want to send marketing information by email or other electronic means, you will need to get an express consent from your customers or clients before you send the marketing materials. If you do not already hold an express consent, you must not send marketing emails.

So what does all this mean – and what should you do next?

Much of what is in GDPR is covered by existing data protection legislation but there are some significant differences and a new emphasis on accountability on the part of those who handle personal data.

What this means is that you will need to write a data privacy policy which your clients and customers can access easily (for example on your website or as an additional document issued with any contracts you issue), which tells them who you are, what data on them you collect, and why, and what you are going to do with it.

You must also tell them about their rights to ask for a copy of any data you hold on them, and how they can get their records corrected or amended, or deleted. See below for further information on privacy policies.

  • Get to know your data: is it addresses, telephone numbers, bank details, photographs? Start reviewing what personal data you hold, where it came from and who you share it with. You will need to document this in writing (electronic format is acceptable). You should also record the relevant legal basis for processing the personal data.
  • Check to see if you should register as a data controller
  • Review what consents you hold
  • Write or update your privacy notice
  • who you are
  • who you are sharing it with

Find out by using the online self-assessment tool at the Information Commissioner’s Office website.

If you make decisions about what happens to the data of your clients or customers, it is likely you need to register. Processing data digitally extends to your mobile devices (such as smartphones on which you access emails or store telephone numbers) Individuals and organisations processing personal data may need to register with the ICO, where they process personal data as part of their activities.

You also need to review how you obtain and record consent where you rely on this as a legal basis for processing data. Ensure that your consents comply with the higher standard required under the GDPR.

If you are relying on any consents for your activities they need to be clear, unambiguous and require a positive opt-in from the data subject. This is particularly important for electronic communications of marketing information: an express consent is already required under existing regulations. GDPR also means that you must have a mechanism by which people can withdraw consent as easily as they give it. If you have a website through which individuals manage their accounts, you may already have user-preference tools which can be used to track consents and withdrawals.

Getting a privacy statement (sometimes referred to as a ‘fair processing’ statement’) in place is really important. Review or update the privacy information you give to individuals (e.g. on your website). Your notice should include the following:

  • what information you are collecting
  • why you are collecting it
  • what you will do with it
  • how long you will keep it, and the criteria for deciding these periods

It should also include a reference to the rights individuals have as data subjects, and tell them how they can have their data corrected, amended, or deleted.

See the ICO guidance on privacy notices

Further GDPR advice for ISM members