
General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) became applicable in law in May 2018 and was a major development in the data protection landscape in Europe. It has brought new responsibilities and challenges for organisations that obtain and process personal data. This column is designed to answer some of the questions that artists may have, when trying to get to grips with their GDPR obligations.

Am I a data controller?

The first step is knowing whether you are a “data controller”. If you obtain personal information from individuals and use this information in the course of your professional activities, you are a data controller. Using people’s personal data is called ‘processing’, which covers a wide range of activities including collection, recording, storage, consultation, disclosure and destruction. For arts organisations, this could include information about studio members, employees, volunteers, event attendees and mailing list subscribers. A useful way to understand your role as a data controller is to conduct a data mapping exercise. This involves examining and documenting the categories of individuals whose data you hold, what particular items of data you process, and for what purposes.

What are my responsibilities?

The responsibilities of data controllers can be broken down into some key areas of data protection:

  • Data processing shall be lawful, fair and transparent – nobody should be surprised to find out what is happening with their data! Transparency means making sure that the people whose data you use understand why.
  • Data shall be processed for specified, explicit and legitimate purposes – before you collect information from people, make sure you understand why, and don’t use it for something else after the fact.
  • Only data that is adequate, relevant and necessary shall be processed for a particular purpose – only collect the information that you need; don’t collect extra information because it might be useful in the future.
  • Data must be kept accurate and up to date – holding inaccurate data, such as contact details, creates a risk of disclosing someone’s information to the wrong person. Try to keep all records of personal data up to date.
  • Data should be retained only for as long as is necessary to achieve your purposes – keeping personal data on an indefinite basis is generally not permitted. Consider why you need the data and decide what reasonable timeframe can be put in place.
  • Security measures must be put in place to ensure the confidentiality and integrity of data – this means technical measures (such as email encryption and strong passwords) but also making sure everyone who handles data understands their responsibilities.

Data controllers should also consider the legal basis for the processing they carry out. One of the following must apply to each use of data:

  • Consent – the individual has given you permission to use their data.
  • Contract – you need to use the data to fulfil the terms of a contract. This will apply in particular in employment.
  • Legal obligation – you are obliged by law to process data, for example to report a reportable accident to the Health & Safety Authority.
  • Public interest – for public bodies, you need to use data to carry out your public functions.
  • Legitimate interests – for private and not-for-profits, you need to use data to achieve your legitimate goals.

This language can seem quite legal and formal, but in going back to your data mapping exercise, you can begin to understand why you use data and what legal basis applies. Importantly, the principle of accountability underpins all of these responsibilities, as it requires controllers to be compliant with the law and to be able to demonstrate compliance – take the time to document your decision-making about data protection.

What about email lists?

The use of mailing lists is important in a sector like the visual arts, for events promotion, marketing and so on. The best advice is to make sure you get a clear opt-in from people and that each email has an unsubscribe option. If you use a third-party platform to manage your contacts, make sure that this is built in to your communications.

Where should we store data?

In smaller and voluntary organisations, people will have to use their own laptops and mobile devices to process data. Make sure that shared email accounts and online databases are password protected, and avoid using personal email addresses for organisation business where possible. Using email accounts to store data is not best practice; email is a communication tool, not a storage medium.

Data Subject Rights

Data controllers have important obligations around individuals’ rights. Primarily, people have a right to clear and transparent information about why you process their data. Where you collect information online, a website privacy notice is the best way to do this. People also have a right to access information that is held about them, and you have an obligation to facilitate this. If someone requests a copy of their information, it should be provided within a month.

Do you need a Data Protection Policy?

A data protection policy is considered best practice, in terms of setting out what your organisation does with data and helping staff and volunteers to know what to do. It’s also a good way to meet accountability requirements.

The Data Protection Commission provides further guidance on these topics at dataprotection.ie. You can also contact the DPC Voluntary Sector Consultation Team.

For artists in Northern Ireland, information on GDPR in the UK can be found on the Information Commissioner’s Office (ICO) website:

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/
