Data protection laws are changing. To find out in more detail how these will affect museums and galleries, we asked the people with all the know-how, the Information Commissioner’s Office (ICO). In this blog, David Freeland, Senior Policy Officer, gives us a quick overview of the changes that are coming and how they’ll impact your museum or gallery.
If your organisation uses personal data at all, whether it’s about individual donors, visitors, staff or volunteers, then you need to know that the law governing the use of personal information is changing. On 25 May 2018, the new EU General Data Protection Regulation (GDPR) will take over from the Data Protection Act 1998 (DPA 1998). It will update data protection law to make organisations more transparent and accountable for how they use personal information.
A lot has been written about the GDPR, and we at the Information Commissioner’s Office (ICO) have had to bust some of the myths that have been building up.
The good news is…
The fundamentals of data protection are generally staying the same. The law still only applies to living individuals, and they continue to have rights although some of them have been considerably strengthened. The data protection principles are very similar to what’s been in place since 1984. You still have an obligation to keep personal data secure and you must ensure that any personal data you send abroad has equivalent protection, which includes the use of any online services or cloud computing software.
There are changes coming…
There is a new principle in town which is accountability, and it drives most of the changes. All organisations must be able to demonstrate their compliance with the GDPR. There are some key questions you need to ask when preparing for the new legislation:
- Do you need to have a register of processing activities?
- Have you got robust contracts with anyone who processes personal data on your behalf?
- Have you conducted a Data Protection Impact Assessment on new uses of personal data?
- Does your organisation need a Data Protection Officer?
- Are you prepared to respond to a data breach, and do you know you will need to report serious breaches to us within 72 hours of becoming aware?
While these are new legal requirements, we have been promoting many of them as good practice in recent years. So if you’ve been keeping on top of developments in data protection, these will be familiar to you.
GDPR is not the only new law on the block
There will be a new UK Data Protection Act as well. It will exercise some of the flexibility left to member states in the GDPR. The Data Protection Bill is currently being debated and amended in the UK Parliament.
For public sector museums and galleries, we expect the Bill will, when passed, modify the personal data exemption in the Freedom of Information Acts.
We also expect another new EU regulation later in 2018 which will update the rules on direct marketing by electronic means.
Specific rules for archives and historical research
There will be provisions in the Data Protection Bill that modify the application of the GDPR for archiving in the public interest, scientific or historical research, or statistical purposes. The Government proposed maintaining the existing exemption under the DPA 1998. This is an area that has attracted debate in Parliament, so keep an eye out for changes during the legislative process.
It’s time to get ready
If you haven’t already started to prepare for the GDPR, now is the time to set wheels in motion by using our 12 steps guide and checklist. We’ve also published FAQs for charities based on enquiries we’ve received over the last few months.
And check with any industry or professional bodies to see whether they have sector-specific resources you can use. They may also be reporting on what Parliament does with the Data Protection Bill.
If you would like to find out more about the upcoming changes and get yourself prepared for them, MGS have organised a fantastic training bundle on the topic of Digital, Data and Marketing. Read more on our previous blog.