New data protection regulations come into force next May, and while some may see this as a burden, Live Music Now is seizing the opportunity to renew contact with its supporters. Evan Dawson and Emily Roberts explain how they are ensuring compliance.
The General Data Protection Regulation (GDPR) is an EU regulation coming into force in May next year, replacing the current Data Protection Act. Among various changes, it clarifies and increases the levels of consent that must be sought, recorded and maintained in order to hold data about individuals.
Non-response is now no longer accepted as an excuse to keep someone’s data
People will be able to request details of the data held about them at any time, and can require its removal in a wide range of circumstances. This is not only fundraising data but information held about everyone in an arts organisation’s database, from audiences and artists to volunteers.
In order for Live Music Now to be ready in time, we are reviewing all the personal data we hold, how it was obtained, and why.
Live Music Now provides interactive music programmes in special schools, care homes and hospitals, and in a range of community and healthcare settings throughout the UK. The programmes are delivered by young professional musicians, who are trained and supported to deliver this work based on the latest research. Since our founding in 1977, we have given over 70,000 sessions, reaching over 2.5 million people.
In our database we have information about supporters and musicians, as well as administrative contacts in hospitals, care homes, schools and community organisations around the UK.
The first step was to nominate a data controller, with overall responsibility for data protection matters. This requirement may only apply to larger organisations, but it’s far from clear, so we nominated ourselves.
We then segmented our database as follows:
- Project outcomes: All personal data is anonymised and used for reporting and evaluating.
- Funders, partners and supporters: Enables us to track grants received, reporting requirements and prompts us when we might make new approaches.
- Venues: Enables us to track numbers of attenders and geographical and sector reach of our sessions in any one year.
- Current and past musicians: Enables us to keep in contact with our musicians to track their training progression and book them for sessions.
These areas are in line with our charitable objectives. We do not hold any information on attenders to our sessions or performances. We also do not share any personal data with anyone or any outside organisation unless we have express prior permission and ethics approval.
Due to our workforce being remote and office-based, we have a secure cloud-based database and filing system held by our IT support providers, and the security checks and certificates are kept under review and updated as necessary. One requirement is that we will need to show how we would contact relevant data ‘subjects’ should our security be breached and personal data unlawfully accessed. This is an area where we will revise our policies and procedures to achieve compliance.
Under the new legislation, organisations will need to be able to demonstrate that any data subject has given their explicit consent for their data to be held, or that holding the data is necessary for the following reasons:
- Performance of a contract to which the subject is party.
- Compliance with a legal obligation.
- To protect the vital interests of the data subject or of another natural person.
- For the performance of a task carried out in the public interest or in the exercise of official authority.
- For the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In line with current legislation, we already request specific permission from anyone signing up to our newsletter, and for photographic and video sharing. All our musicians agree in their contract that we will hold and share certain personal information on our website.
We will be reviewing our musicians’ contracts over the summer to develop a log that records exactly the permissions given by each musician. We will also be reviewing our privacy notices to make sure that anyone giving consent is completely clear about what we will be using their information for.
We will then review the personal data on our database. Initially, we will cleanse the data to remove empty, incomplete and duplicate data. We will then contact everyone to explain the changes to consent and ask them to respond in the affirmative or negative to stay in our database.
Non-response is now no longer accepted as an excuse to keep someone’s data. If you don’t hear from them, you must delete them from your records. We will split our data into two different consent categories:
- Consented: Specific permissions for specific things, such as newsletters and updates.
- Legitimate interest: Use of personal data for ongoing charity-specific objectives, but which could evolve in ways we can’t anticipate over the years, such as alumni contacts and those who have agreed to support us on a broader basis.
Once we have these responses, or have determined there will be no response forthcoming, we will cleanse the data again to reflect the current situation. We will also be addressing our data inputting policies and procedures to make sure our personal data remains compliant, current and correct.
So, we have a busy time ahead of us to make sure we have the processes in place in plenty of time for the May 2018 compliance deadline, and that we have time to test our new procedures to make sure they are compliant and that all staff are using them. But we are also excited by the prospect of re-engaging with all our contacts, to understand how they view our work, and what different things they might like from us. By the end of this process, we anticipate having a smaller group of supporters and contacts, but also a group with much closer engagement with us.