The Data Protection Bill has received a cautious welcome from museums after indications from the Department for Digital, Culture, Media & Sport (DCMS) that there would be a “good outcome” for the heritage sector.
The bill, published on 14 September, will bring the European General Data Protection Regulation (GDPR) into effect from 25 May 2018. The legislation is the biggest overhaul of data protection rules for 25 years, and heralds rigorous new requirements for any organisation that processes personal data.
Several museums had flagged concerns during the consultation process about what the new regulations mean for personal data that relate to museum collections and archives.
There have been calls for the sector to obtain a “hybrid” status that would exempt some of its work from the GDPR. In its submission to the DCMS, London’s Natural History Museum warned that institutions would be forced to close if they were faced with fines for non-compliance. Under the GDPR, fines can be up to 4% of an organisation’s turnover.
The National Museum Directors’ Council (NMDC) was awaiting clarification as Museums Journal went to press.
Suzie Tucker, the head of strategy and communications at the NMDC, says: “A group of national museums has been working on behalf of the sector with the bill team, and we are hopeful of getting a good result.”
She points to forthcoming sector-specific guidelines from the Information Commissioner’s Office, which will be “crucial”. But it is not yet known when the guidance will be published.
The bill will require significant administrative changes at most museums, galleries and heritage sites. The new rules will have an impact on all activities that involve processing an individual’s personal data, including fundraising, marketing, volunteering and information about service users, as well as staff records.
Transparency is the key to the new regulations, says Ian De Freitas, a partner at law firm Farrer & Co, which works with charitable organisations.
“The GDPR requires organisations to go back and look at the data they hold regarding individuals, and look at the reasons why they are processing that information,” he says.
“They will need to be much more transparent about what they are doing with that data. Woolly, catch-all privacy notices won’t work any more. They need to be specific, so individuals can object if they wish.”
Many believe that all organisations – including museums, galleries and cultural and heritage sites – should carry out an audit of the personal data they hold. This will show what the data is, where it came from and with whom it is shared. Once this is known, an organisation can then decide what needs to be done to comply with the new regulations.
No time to waste
Paulina Jedwabska, the records and freedom of information manager at the National Portrait Gallery, London, says even though the sector is still waiting for the Information Commissioner’s Office guidance, museums should start working on compliance and begin the mapping process now. “Be pragmatic – it is better to have something in place,” she says.
Under the GDPR, consent must be explicitly obtained on the basis that the individual knows what their data will be used for. This means the end of devices such as pre-ticked boxes that rely on implied consent.
The GDPR will allow individuals to request to check the data an organisation holds on them and find out what it is being used for. People will also have the “right to be forgotten”, meaning their personal data will have to be removed if they no longer want to be contacted or if the use of their data has changed.
There are also new rules on reporting data breaches, meaning it is essential to have the right procedures in place to detect and report incidents. Failure to do so will result in higher fines, particularly if breaches are not reported within 72 hours.
De Freitas says 25 May should be considered “zero day”, as there is no grace period, and organisations must be compliant by then.
“It will take a considerable amount of time to put the GDPR rules in place and to engage with individuals regarding consent,” he says. “If you haven’t started, you are running out of time.”
The Museums Association is holding a one-day conference on new data protection regulations on 8 December in London.