GDPR compliance: what does it entail?
What type of audience data are cultural organisations allowed to collect? How are you allowed to use audience data to reach an audience? How can you do this securely and in compliance with the GDPR? Are all the employees aware of the guidelines? There are lots of questions around GDPR. Where do you start? DEN is here to help you!
Why is GDPR important?
More and more data are generated in a society that is increasingly online: data that can be stored, analysed with the right tools and algorithms, and used to reach an audience with a targeted message. These developments come with certain benefits, for example the ability to use audience data to target existing and new audiences with personalised messages. However, this data can also be misused in breach of visitors’ privacy.
The GDPR came into force throughout the EU in 2018 to protect people’s privacy and to ensure that organisations handle sensitive personal data in a secure manner. This law gives data subjects (individuals) certain rights and assigns the responsibility for the secure handling of (digital) personal data to organisations. This concerns data such as names and email addresses as well as medical or educational data.
What does this mean for your organisation?
Briefly, GDPR means that every organisation must respect and guarantee the privacy of its customers and relations. This means that organisations must have the relevant responsibilities, systems and processes in place. It is important that organisations are aware of the regulations, and it is a good idea to let an expert look at any existing and new processes that involve the use of audience data. It may be helpful for smaller organisations to do this in collaboration with a number of other organisations.
Saving personal data in Excel files has actually become a no-no in today’s digital world.
How do you incorporate GDPR in your work?
To handle data in a responsible manner, it is important to have a privacy policy in place. This privacy policy should describe how your organisation collects and processes personal data and could include the following information:
- How personal data is processed
- Transparency concerning data processing
- The way that data is stored
- Direct marketing: when is this allowed and when is it not?
- Description of procedures to minimise data processing
- Safeguarding data quality
- Organisational and technical security measures
The Cultural Segmentation model
Many organisations, cities and regions work with the Cultural Segmentation model, developed by Rotterdam Festivals. Does this apply to your organisation as well? If so, we recommend you read the following document in which a legal expert takes a closer look at GDPR aspects concerning the use of this model (available in Dutch only).