Following recent large fines issued by the UK’s privacy watchdog, Raj Shah offers some tips to avoid falling foul of the regulator.
It’s finally happened, one year and one month after the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 came into force. The UK’s data protection authority, the Information Commissioner’s Office (ICO), recently announced two eye-watering fines. British Airways (BA) faces a £183m penalty following a cybersecurity incident affecting its website and app, while the ICO is proposing to fine Marriott International £99m after hackers stole the guest records of a hotel group that it had acquired. These sanctions signal that organisations that suffer personal data breaches as a result of inadequate security measures can expect to pay the price.
1. Handling data breaches
Both BA and Marriott are sufficiently robust to take these hits, but smaller organisations could find themselves overwhelmed by fines of this scale if they suffer data breaches. When combined with the potential reputational damage, the fall-out could be devastating.
It’s a common misconception that fines under the GDPR may only be imposed in the event of a data breach
Arts organisations should act now to make sure they are sufficiently resourced and streamlined to handle a personal data breach. If one occurs, it must be investigated quickly. If the breach is confirmed as a risk to individuals’ rights and freedoms, the ICO must be notified within 72 hours. If it poses a high risk to the rights and freedoms of the affected individuals, they must also be informed.
2. Identifying the right ‘lawful basis’
It’s a common misconception that fines under the GDPR may only be imposed in the event of a data breach. But another crucial issue is having a lawful basis for processing personal data. The lack of this was one reason why Google was fined €50m in January by the French regulator. This underlines how important it is to identify clearly which lawful basis your organisation is relying on when processing a particular data set.
The ICO lists six lawful bases that can be used. The most relevant one for cultural organisations will differ depending on the circumstances. The lawful basis on which a theatre can process personal data to fulfil ticket orders, for example, will be the fulfilment of its contracts with ticket buyers. On the other hand, a national museum processing personal data in order to transfer artworks to another institution might rely on the performance of a public task under the Museums and Galleries Act 1992 as its lawful basis.
A common concern of arts organisations is which lawful basis to rely on when sending fundraising communications. For the purposes of data protection legislation, fundraising constitutes a form of ‘direct marketing’, so consent or the ‘legitimate interests’ ground are the two relevant lawful bases here. (The ICO says that ‘legitimate interests’ “could in principle apply to any type of processing for any reasonable purpose”.)
If you’re relying on consent as a lawful basis, remember it must be freely given, specific, informed, and unambiguous. Before relying on the ‘legitimate interests’ ground, you will first need to identify the relevant interest, demonstrate that the processing is necessary to achieve it and balance it against the data subjects’ interests, rights and freedoms.
Due to additional rules under the Privacy and Electronic Communications Regulations 2003 (PECR), individuals’ consent is generally required if fundraising communications are emailed to them. Since the PECR do not cover postal communications, it may be possible to rely on your organisation’s legitimate interests when sending fundraising or other marketing literature by post. Such postal communications must, however, inform recipients that they have the right to object to receiving direct marketing. The ICO plans to finalise a new direct marketing code of practice to provide practical guidance on this area by the end of the year.
3. Wealth screening
Many arts organisations undertake ‘wealth screening’: analysing data about prospective high net worth donors in order to target their fundraising activities. Following an investigation into this practice between 2015 and 2017, the ICO found that many individuals affected had no knowledge of this processing and used its pre-GDPR powers to fine thirteen charities. If your organisation carries out wealth screening, it must communicate this to individuals concerned – ideally when their details are first collected – through a clear and transparent privacy notice.
It remains uncertain as to whether it is ever possible to rely on ‘legitimate interests’ to process personal data when undertaking wealth screening or whether consent is always required. The ICO considers consent the more appropriate of the two bases. If consent is not viable, you’ll need to balance your organisation’s interests against those of the relevant individuals, taking into account whether the wealth screening activities might be considered to be intrusive and whether the people concerned would expect their data to be processed in this way.
Finally, if you’re responsible for data protection compliance in a museum, gallery or performance venue where CCTV is in operation, check your notices are adequately sized and your CCTV monitoring is reflected in your organisation’s notification details to the ICO.
Embedded across the organisation
The best way to adapt to the new regulatory environment is to embed data protection processes throughout your organisation, rather than simply viewing it as a compliance function for lawyers to deal with. If you get this right, you’ll be rewarded with an improved brand and reputation and the trust and confidence of prospective donors.