
Working GDPR-compliantly: what does it involve?

What audience data are cultural institutions allowed to collect? How can you use audience data to reach your audience? How can you do this safely and thus GDPR-compliantly? Are all employees aware of the correct guidelines? And there are many more questions surrounding the GDPR. Where do you start? DEN is happy to help you get started!

3 min. reading time, 28 Jan '25

Why is there GDPR legislation?

In a society that is increasingly online, more and more data is being generated. Data that can be stored and analyzed using the right tools and algorithms to reach audiences with a specific message. These developments have positive aspects: audience data can be used to reach existing and new audiences in a personal way. However, misuse can jeopardize the privacy of visitors.

To safeguard this privacy and ensure organizations handle visitors' sensitive data safely, the GDPR (General Data Protection Regulation) has been in effect across the EU since 2018. This law grants rights to the public and holds organizations accountable for handling (digital) personal data responsibly. This includes data such as names, email addresses, but also medical or educational information.

What does this mean for your organization?

In short, GDPR means that every organization must respect and safeguard the privacy of customers and relations. This means that responsibilities, systems, and processes must be designed accordingly. It is also important to stay informed about the regulations. For example, by having an expert review existing and new processes that involve the use of audience data. For smaller institutions, it may be beneficial to tackle such a project collectively with several other institutions.

Working with an Excel file where you store personal data is no longer feasible in this digital world

How do you integrate GDPR into your operations?

To handle data responsibly, drafting a privacy policy is an important step. This outlines how your organization intends to manage privacy. Such a policy may include the following components:

  • The way personal data is processed
  • Transparency about data processing in a privacy policy
  • How data is stored
  • Direct marketing: when it is allowed and when it is not
  • Describing methods to minimize data processing
  • Ensuring data quality
  • Organizational and technical security measures

Working GDPR-compliantly

The ‘Step-by-step guide to working GDPR-compliantly’ covers in five clear steps what your organization needs to do to comply with privacy laws and regulations.

The Cultural Target Group Model

Many institutions, cities, and regions use the Cultural Target Group Model developed by Rotterdam Festivals. Does this apply to your organization as well? If so, read this document, in which a lawyer delves into the GDPR aspects of using this model.