GDPR: what you need to know
The General Data Protection Regulation (GDPR) came into force on 25 May 2018, along with a new Data Protection Act 2018. GDPR creates rules about how our personal information needs to be handled – and how we need to handle the personal information of others.
Does GDPR apply to musicians? The answer is, in many cases, yes, especially if you store lists of current and prospective clients, hold addresses, payment details, send marketing materials and more. Whether you hold data on your computer, on your mobile phone, in the cloud or manually on paper, you will need to comply with GDPR.
This brief overview highlights some key essentials.
What is GDPR?
GDPR gives individuals greater control over their ‘personal data’ and how it is used by organisations or businesses – including sole traders, like many musicians who may teach, perform live, or run workshops and so forth. Much of what is in GDPR is already contained in existing data protection law.
GDPR creates rights for individuals (known as ‘data subjects’) and also creates obligations on those who ‘process’ their personal data (known as ‘data controllers’). If you have spreadsheets, emails, electronic or paper documents, and other sorts of files containing personal information about customers, or pupils and so on – you are a ‘data controller’.
- 'Personal data' means data about a living person who can be identified from the data you hold on them. This can include addresses (including email), telephone numbers, birth dates, academic records, health information, other material such as photographs or videos, and so on.
- A ‘data controller’ is someone who decides what and how any such personal data is ‘processed’. So if you collect any of the data elements above and use them to issue invoices, send contracts, send marketing email, you are likely to be a data controller.
- Data controllers must handle personal data lawfully, fairly, and transparently, for specific, defined and time-limited purposes. Data must be accurate and up to date, and must be processed securely.
- A ‘data processor’ is someone who processes personal data on your behalf – so a direct debit firm handling your customers’ regular payments, a payroll company if you have employees and outsource your pay routines, and so on. You are still responsible for any data you share with another party such as a data controller.
- A ‘data subject’ is a natural person whose personal data is processed by a controller or processor.
You must have a lawful basis for processing personal data, of which there are six in GDPR:
- Consent
- A contract
- A legal obligation
- Vital interest
- Public task
- Legitimate interest
You need to decide which of these bases applies to the processing you are undertaking. You will also need to note this in a record of your processing activities (sometimes called a ‘data map’) and also within a privacy statement which tells people what you are doing with any of their data that you may collect.
In practice, much of what you are likely to do will arise under the contract basis: you hold the data and process it because it is necessary to fulfil a contract with a client, or a parent of a music student, for example. You may also rely on consent – this is important where you want to do marketing of your services. If you want to send marketing information by email or other electronic means, you will need to get an express consent from your customers or clients before you send them marketing materials. If you do not already hold an express consent, you must not send marketing emails.
The Information Commissioner’s Office (ICO) has produced a detailed guide to GDPR, available online. See this Guide for a full definition of the six legal bases.
The ICO also provides lots of useful guidance on its website, some of this aimed at small organisations and sole traders. The ICO operates a dedicated advice line to help small organisations with GDPR: telephone 0303 123 1113.
The ICO welcomes calls in Welsh – please phone 0330 414 6421 to talk to the ICO team.
What does all this mean – and what should you do next?
Much of what is in GDPR is covered by existing data protection legislation but there are some differences and a new emphasis on accountability on the part of those who handle personal data.
You must also tell data subjects about their rights to ask for a copy of any data you hold on them, and how they can get their records corrected or amended, or deleted.
- Auditing your data: Get to know your data and write down what you do with it: is it addresses, telephone numbers, bank details, photographs? Start reviewing what personal data you hold, where it came from and who you share it with. You will need to document this in writing (electronic format is acceptable). You should also record the relevant legal basis for processing the personal data. This is often referred to as a data map.
- A written record of your processing is a legal requirement if you are a data controller.
- Writing your privacy statement or notice. Your statement should include the following:
  - who you are
  - what information you are collecting
  - why you are collecting it
  - what you will do with it
  - how long you will keep it, and the criteria for deciding these periods
  - who you are sharing it with
  - what rights your data subjects have, and how they can have access to the data you hold on them, and request that it be corrected, amended, or deleted.
- A clear, accessible and up-to-date privacy statement is a legal requirement if you are a data controller.
See the ICO guidance on privacy notices.
Your data map and privacy statements are key accountability requirements under GDPR by which you can demonstrate you are meeting the legal obligations to process other people’s data fairly, lawfully and transparently.
Review what consents you hold
You do not need consent to process personal data in every case. But where you do rely on consent for processing data, you should review how you obtain it and record it. Ensure that your consents comply with the higher standard required under the GDPR.
- A GDPR-compliant consent means that you, as a data controller, must be able to demonstrate that your data subject has consented to the processing of their data.
- If you are relying on any consents for your activities, they need to be clear, unambiguous and require a positive opt-in from the data subject.
- This is particularly important for electronic communications of marketing information: an express consent is already required under existing regulations, and you cannot infer consent from circumstance.
- GDPR also requires that you have a mechanism by which people can withdraw consent as easily as they give it. If you have a website through which individuals manage their accounts, you may already have user-preference tools which can be used to track consents and withdrawals.
Check to see if you need to pay a data controller fee
Data controllers (individuals and organisations processing personal data as part of their activities) generally need to pay a data controller fee to the ICO, unless an exemption applies.
If you make decisions about what happens to the data of your clients or customers, it is likely you will need to pay the fee. Processing data digitally extends to your mobile devices (such as smartphones on which you access emails or store telephone numbers).
Find out if you need to pay by using the online self-assessment tool at the ICO’s website: ico.org.uk/for-organisations/register/self-assessment/