Are you on top of the new regulations of the GDPR (the General Data Protection Regulation)? If you currently have, or may have in the future, clients or prospects on your mailing list who reside in the European Union, you need to be ready for May 25th, 2018. That is when the regulation takes effect. The GDPR is an EU regulation, and the UK government has said it will keep it in force after the UK leaves the EU. If you are not ready, it could mean a fine of up to 4% of your annual worldwide turnover (or €20 million, whichever is higher).
Here I’m going to share what the regulation mandates, things you need to think about to be compliant and some resources to learn more.
The goal of the GDPR is to improve the transparency and effectiveness of data protection activities. It will affect how your art gallery business explains and obtains consent for both new and existing prospects and clients who subscribe to your gallery mailing list. It also applies to how subscribers' personal data is stored in contact databases and in the other systems and vendors you use: credit card processors, shippers, artists who receive collector information, and cloud-based services such as backup systems or contact databases.
What is Defined as “Personal Data”
Personal data is any information relating to an identified or identifiable individual: information that could be used, on its own or combined with other data, to identify someone. Examples include:
- social security numbers
- physical addresses
- email addresses
- IP addresses
- behavioral data
- location data
- financial information
Preparation Questions to Ask Now about your Gallery Business
Do you have EU residents on your mailing list? Could you have them in the future as a result of participating in art fairs, online art sales platforms or European collaborations?
It is important to review all the different ways contact information gets added to your mailing list, e.g. the gallery website form, the sign-up book in the gallery, networking events, art fairs and art sales platforms. If you have artwork on a site like Artnet or askArt and add inquiries to your gallery mailing list, this could take some time to clean up for compliance.
Are you offering double opt-in to mailing list subscribers? Can you prove opt-in for those EU subscribers?
This is a big one. Requiring a double opt-in for mailing list subscribers is a good idea in general, and it gives you the evidence of consent the GDPR expects you to be able to produce. If you are not familiar with it, a double opt-in is when someone fills out the form on your gallery website to get your newsletter and then receives an email asking them to click a link to confirm they want to be added to your list; the address only joins the list once that link is clicked. All of the major email service providers offer this feature and I'm betting most gallery contact management systems do too. Using it gives you a dated record of each confirmation, which is the proof you would need should the question arise under the new regulation.
Let's say, for example, your gallery is in a country outside of the EU, but you have a lot of European tourists visiting your gallery and they give you their email address in the gallery. They are now on your mailing list. Could you prove they gave you permission to send them your email newsletter? Other scenarios include contacts provided to you through another party, such as a partnership or a new employee who arrived with a list of collectors from a previous job; in those cases you hold no consent record of your own.
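To make the double opt-in and the "proof" concrete, here is an added example (written for this page, not code from any email service provider or gallery system) of the two steps a sign-up goes through and the consent record that is kept. The confirmation link carries an HMAC-signed, time-limited token so that it cannot be guessed, forged for another address or reused; the email address is only added to the list when a valid token is presented. The key, the 48-hour expiry, the source labels and the assumption that your web server can log the IP address on the confirmation click are all choices made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, Optional

# Signing key for confirmation links. Assumption: in production this comes from a
# secrets store and survives restarts; it is generated here so the example runs offline.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600  # a confirmation link is only honoured for 48 hours


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(email: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Opaque value placed in the confirmation link: base64(email).issued_at.hmac.
    The MAC covers both the address and the timestamp, so a link cannot be
    re-pointed at another address or re-dated to extend its life."""
    payload = f"{_b64(email.encode())}.{issued_at}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_confirmation_token(token: str, now: int, key: bytes = SECRET_KEY,
                              ttl: int = TOKEN_TTL_SECONDS) -> Optional[str]:
    """Return the confirmed email address, or None if the token is malformed,
    forged or outside its validity window."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    email_b64, issued_str, mac = parts
    expected = hmac.new(key, f"{email_b64}.{issued_str}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    issued_at = int(issued_str)  # safe to parse: the MAC vouched for the string
    if now < issued_at or now - issued_at > ttl:
        return None
    return _unb64(email_b64).decode()


@dataclass
class ConsentRecord:
    """What you keep as evidence that a subscriber opted in."""
    email: str
    source: str                # "website_form", "gallery_signup_book", "art_fair", ...
    consent_text: str          # the exact wording the subscriber saw at sign-up
    requested_at: int
    confirmed_at: Optional[int] = None
    confirm_ip: Optional[str] = None  # assumption: the web server logs the click's source IP


class MailingList:
    """Double opt-in: an address only joins the list after its confirmation link is used."""

    def __init__(self) -> None:
        self._pending: Dict[str, ConsentRecord] = {}
        self._confirmed: Dict[str, ConsentRecord] = {}

    def request_subscription(self, email: str, source: str, consent_text: str, now: int) -> str:
        """Step 1: the sign-up form was submitted. Record the request and return the
        token to embed in the confirmation e-mail. The address is not on the list yet."""
        self._pending[email] = ConsentRecord(email, source, consent_text, requested_at=now)
        return make_confirmation_token(email, now)

    def confirm(self, token: str, now: int, ip: str) -> bool:
        """Step 2: the subscriber clicked the link. True only if the token is genuine,
        unexpired and matches an outstanding request (so a used link cannot be replayed)."""
        email = verify_confirmation_token(token, now)
        if email is None:
            return False
        record = self._pending.pop(email, None)
        if record is None:
            return False
        record.confirmed_at = now
        record.confirm_ip = ip
        self._confirmed[email] = record
        return True

    def is_subscribed(self, email: str) -> bool:
        return email in self._confirmed

    def proof_of_consent(self, email: str) -> Optional[dict]:
        """The evidence you would produce if asked how this address got on the list."""
        record = self._confirmed.get(email)
        return asdict(record) if record else None
```

The consent record is the part that matters for the regulation: keep it somewhere durable, alongside the wording the subscriber actually agreed to, because a list of email addresses on its own says nothing about how they got there.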
Do you, your gallery staff and your vendors understand the obligations and impact the GDPR could have on your business? See the link below if not.
This is important in order to minimize the risk of violations. Everyone in the gallery who deals with contact, shipping and payment information needs to understand what being compliant involves. They need to understand what the third-party vendors you use do with the information they are given: how personal data is stored, how it is used, and how it is deleted. Staff training will be critical. Processes need to be put in place to ensure consistency for both current and future gallery employees.
What processes are in place to manage a data breach?
You should review the security measures you have placed on your website, contact management system, payment systems, external backup drives and even the physical files in a filing cabinet where personal information may reside. You also need a plan for what happens if those measures fail: the GDPR requires a breach that is likely to put individuals at risk to be reported to your supervisory authority within 72 hours of your becoming aware of it, so decide in advance who assesses the incident, who makes the report and where the record of what happened is kept.
More information about what the regulation requires and steps to prepare
Preparing for the General Data Protection Regulation (PDF whitepaper)
Depending on your business and the systems you use, you may be able to use a policy generator such as TermsFeed. It walks you through the process by asking you a series of questions and generates a GDPR-compliant policy based on your responses. If you have complicated systems and processes, you should have a lawyer draw one up for you, or review your current policy to ensure it is accurate and comprehensive.
The deadline is fast approaching, and as the art market becomes more global, the GDPR will be a factor in doing business for your gallery. At the end of the day, the requirements for compliance are all good things that really should be done in a digital age.
The regulation applies to both existing data and new data. If your gallery plans to list inventory on an online art sales site in the future, you need to ensure you are compliant to communicate with sales leads from the European Union. There are many factors to consider and possible changes that need to be made, either now or as part of your plan to expand your market opportunities. Do not delay looking into this.
Gallery Fuel is also going through a review of our data collection process to ensure we are compliant. So if you are in the EU and on my mailing list you may be hearing from me….
While I hope this article was informative, please note I am not a lawyer. You should absolutely consult a lawyer to advise you in any area of your business that could be affected by this regulation.