What is GDPR?
There has been a major shift in internet data and privacy laws in the European Union over the last few years. The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the collection and use of personal data outside the EU.
In most normal cases, why would you concern yourself with all this internet hullabaloo when you are in the music business? That only affects ‘other’ organisations in different industries, right? Even more so when you don’t reside in the EU, what’s it to you? To avoid a potential lawsuit in the future, listen up. This may concern you.
What are the changes?
The GDPR requires that organizations obtain explicit consent from consumers before collecting any personal data. “Explicit consent” means that it must be “freely given, specific, informed and unambiguous,” according to Article 4 of the policy.
Any company that does business in the EU or handles the personal data of EU citizens must comply, even if the company does not have a physical office location in the EU. This includes:
- Organizations based in the EU
- Organizations located outside the EU that offer goods or services to EU data subjects
- Organizations that monitor the behavior of EU data subjects
- All companies processing and holding personal data of residents of the EU, regardless of the company’s location
So, if you collect any form of data on your website that can be used to identify an individual or individuals, you are affected. Because the internet is open to everyone, and so is your website, chances are some EU citizens will land on your website at some point. It doesn’t really matter whether you operate in the EU or not. The most common ways music companies, record labels and musicians collect data online are mailing lists, forms, surveys and cookies.
If someone whose data you hold requests that part or all of it be deleted, you should be able to do so without issue and in a timely manner. Should they request to get a copy of all the information you hold on them, you should be able to provide this too. For any information you hold, you should be able to provide details on where the information is stored and what it is used for.
Here is the exception:
While GDPR requires compliance from small-to-medium sized enterprises (SMEs) and major enterprises alike, there is an exception for companies with 250 or fewer employees, because smaller companies are less likely to pose a significant privacy risk to data subjects. According to GDPR Article 30, an organization with fewer than 250 employees is not required to maintain a record of processing activities under its responsibility, “unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.”
What I have yet to determine is whether the above means you can ignore everything and go about your merry business if you have fewer than 250 employees. Safety first, so keep reading.
When do the changes come into effect?
Enforcement date: 25 May 2018
Should you care?
If you have a website or a platform where you collect any form of data that can be used to identify a person, you should care. An example is a contact form on your website that asks the person filling it in to enter their name, email, phone number etc. The information you are requesting constitutes data that can be used to identify an individual or individuals. These new laws are there to make sure you have a good reason for collecting this data, are storing it securely and are using it for legitimate reasons associated with your business. For now this is an EU thing, but there is every possibility that the rest of the world will implement similar changes in the coming years, and if any of your audience currently reside in the EU, you are already affected. Better to be safe than sorry.
What should you do?
Here are 5 simple things to do should you want to cover your bases when it comes to data and privacy online with regards to the GDPR changes:
- Make sure any mailing list sign-ups on your website have clear opt-in and opt-out options for users. This covers music pre-order sign-ups, order forms, fan lists and more.
- If you already have an existing mailing list, ask its members to opt in again. A lot of businesses are doing this already, and you have probably received quite a few such requests in the last couple of months.
If in doubt, contact your lawyer and cover your bases!