LAST MINUTE MUSICIANS BLOG

GDPR: A guide for musicians

You might have noticed a recent increase in the number of emails you are getting from companies talking about changes to their privacy policy – they could be asking you to “opt in” to receiving further updates, or simply letting you know that there is an option to “opt out”. This is all down to a change in European data regulations known as the General Data Protection Regulation. In this blog, we discuss what GDPR is and how it might affect musicians.

Data protection is a hot topic right now; with the recent revelations surrounding the alleged misuse of data by firms like Cambridge Analytica (and Facebook’s failure to adequately protect the information of its users) the media spotlight has not just been focused on Mark Zuckerberg testifying on Capitol Hill, but on the issue as a whole.

Indeed, the whole culture of “who gets to know what”, and what they do with it, is now the subject of a very contentious debate.

As such, the new regulations are not simply a reaction to recent events; they set an important precedent. Now is as good a time as any to consider what information your business holds about its customers and how you use it.

Even huge companies like Apple have been looking at the way third parties, like Facebook, use their platform users’ information, the BBC reports.

Important! The following is not written by lawyers or legal specialists, but by music industry professionals. While every effort is made to make sure our blogs are accurate and information interpreted correctly, always seek specific legal advice from a professional, where possible. Feel free to contact us with any suggested corrections.

What is GDPR?

The General Data Protection Regulation (or GDPR for short) is an update to Europe-wide laws on the handling of personal data. It replaces the 1995 Data Protection Directive and, in the UK, supersedes the Data Protection Act 1998 that implemented it.

When the 1998 Act was written, technology had not made quite the level of progress it has now, so there was little regulation of things like the location data of smartphones, for instance.

GDPR is designed to give you much more control of your personal information (as well as how and when it is collected) and forces companies to justify why they need the information they gather, while providing a framework for what they can and cannot do with it.

The new regulation also defines what personal information is, and singles out several categories of it as “special category data” (broadly similar to the concept of sensitive personal data under the 1998 Act), which require additional protections.

Examples of “personal data”

  • Name
  • Age
  • Location/IP address
  • Phone number

Examples of “special category data”

  • Sexual orientation
  • Health information
  • Political beliefs

GDPR in practice

Under GDPR, a “pre-ticked” box no longer counts as consent: where a company asks for your agreement, you have to actively tick the box yourself. The law also requires companies to describe their privacy policies in clear, plain language.

Where a company relies on your consent, you must “opt in” before it can use your data for that purpose. The law change has led to many companies needing to rewrite their privacy policies and then inform their customers.

Should you want, you also have the right to request a copy of whatever data a company holds on you. If you don’t like what you hear, you also have the right to request that that information is deleted, although there are some limits to this right, such as records a hospital is legally required to keep, or material held for journalism.


There are harsh new fines for organisations of any size that are found not to be following these laws: up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Organisations must also report a personal data breach to the ICO within 72 hours of becoming aware of it (unless it is unlikely to put anyone at risk), and must tell you directly when a breach or hack is likely to put your information at high risk.

Although this is an EU regulation, the UK government has said it will write it into UK law so that it continues to apply after Brexit.

How does GDPR affect musicians?

Data protection law is not an easy subject to get your head around and it is often unclear how any regulation change might specifically affect your business. The first thing to remember is that ALL businesses (including sole traders) are required to comply with GDPR: the only exemption is for purely personal or household activity, and taking paid bookings is not that.

If you wish to get into more specifics, you can read the Information Commissioner’s Office guide to GDPR for more information on specific subjects.

Bands often hold more personal information on people than they think they do. For example, it would be highly unlikely for you to take a booking for a birthday party without needing to know the name, location and (of course!) the age of the client.

How you store and use this information would almost certainly be subject to GDPR. You may also collect other information, such as financial and banking details.

The ICO (Information Commissioner’s Office) lists 7 key principles which “should lie at the heart of your approach to processing personal data.”
  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability
More information on these principles can be found on the ICO’s website.

The Musicians’ Union also has information for staying on the right side of GDPR regulations which can be found on the dedicated page of their website.

If you have an online store or an email list for keeping fans up to date, Cyberprmusic.com also has some suggestions for how to best comply:

  • If you have one on your site, update the privacy policy for your webstore / email list so it is compliant. Disclaimer: We are not lawyers.
  • Ensure that every EU citizen has the choice to opt in. Create a “required” checkbox which requires the recipient or viewer to read your privacy policy, and link to the privacy policy you created above. The easiest way to make sure that you’ve covered all of your EU subscribers is the next step.
  • Send an email to all of your subscribers which prompts them to re-confirm their subscription or makes it very obvious that they can unsubscribe. You are asking them to confirm that they really want to receive emails from your list. Since you followed the rules to begin with and didn’t sign anyone up who didn’t sign themselves up, there’s a good chance they will continue to subscribe. If not, there’s nothing you can do – do not sign anyone up for a list without their proven consent.
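The opt-in checkbox and re-confirmation steps above amount to a “double opt-in” flow, and the reason it satisfies “proven consent” is that you end up with a record of who agreed, when, and to which version of your privacy policy. The following is an added example written for this page, not code from the blog, Cyberprmusic or MailChimp: it issues a signed, expiring confirmation token, creates a consent record only when the link is clicked, refuses to add an imported list directly, and supports access and erasure requests. The class and function names, the key handling and the one-week token lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example: a minimal double opt-in mailing list with provable consent.
# Everything here (names, key handling, token lifetime) is assumed, not taken
# from any real mailing-list product.

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumed: confirmation links expire after a week


def _confirm_mac(key: bytes, email: str, policy_version: str, issued_at: int) -> str:
    """HMAC over the address, the policy version being agreed to and the issue time."""
    msg = f"{email.lower()}|{policy_version}|{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_confirm_token(key: bytes, email: str, policy_version: str, issued_at: int) -> str:
    """Token to embed in the confirmation e-mail link: '<issued_at>.<hmac>'."""
    return f"{issued_at}.{_confirm_mac(key, email, policy_version, issued_at)}"


def verify_confirm_token(key: bytes, email: str, policy_version: str, token: str, now: int) -> bool:
    """True only if the token is unexpired and was minted for this address and policy version."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if now < issued_at or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(mac, _confirm_mac(key, email, policy_version, issued_at))


class MailingList:
    def __init__(self, policy_version: str, key: Optional[bytes] = None):
        self.policy_version = policy_version
        self.key = key or secrets.token_bytes(32)  # assumed: a real deployment loads this from config
        self.pending = {}      # email -> where the request came from (no consent yet)
        self.subscribers = {}  # email -> consent record (the proof of consent)

    def request_subscription(self, email: str, source: str, policy_accepted: bool, now: int) -> str:
        """Step 1, the signup form: the privacy-policy box must have been ticked by the user."""
        if not policy_accepted:
            raise ValueError("privacy policy must be accepted explicitly (a pre-ticked box is not consent)")
        self.pending[email.lower()] = {"source": source, "requested_at": now}
        return make_confirm_token(self.key, email, self.policy_version, now)

    def confirm(self, email: str, token: str, now: int) -> bool:
        """Step 2, the subscriber clicks the link: only now is a consent record created."""
        key = email.lower()
        request = self.pending.get(key)
        if request is None or not verify_confirm_token(self.key, email, self.policy_version, token, now):
            return False
        del self.pending[key]  # a token confirms once
        # Data minimisation: keep only what is needed to send mail and to prove consent.
        self.subscribers[key] = {
            "email": key,
            "consented_at": now,
            "policy_version": self.policy_version,
            "source": request["source"],
        }
        return True

    def bulk_add(self, emails, source: str, now: int) -> list:
        """An address list obtained elsewhere (e.g. traded with another band) never becomes
        subscribers directly: each address only gets a confirmation request, whose e-mail
        must link to the privacy policy, and must opt in itself."""
        tokens = []
        for email in emails:
            self.pending[email.lower()] = {"source": source, "requested_at": now}
            tokens.append(make_confirm_token(self.key, email, self.policy_version, now))
        return tokens

    def is_subscribed(self, email: str) -> bool:
        return email.lower() in self.subscribers

    def access_request(self, email: str) -> Optional[dict]:
        """Right of access: everything held about this address, or None."""
        record = self.subscribers.get(email.lower())
        return dict(record) if record else None

    def erase(self, email: str) -> bool:
        """Right to erasure: remove the address from both the pending and subscriber sets."""
        key = email.lower()
        found = key in self.pending or key in self.subscribers
        self.pending.pop(key, None)
        self.subscribers.pop(key, None)
        return found
```

Because the token is an HMAC over the address and the policy version, a confirmation link cannot be edited to subscribe a different address or to agree to an older policy, and the stored `consented_at` and `policy_version` are what you would show the ICO if asked how a subscriber came to be on the list.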

If you use a third-party service, like MailChimp, Cyberprmusic.com also notes:

  • Mailchimp has made it easier for you to set up for compliance, but you’ll still have to log in and 1) create an opt-in form and 2) make sure you understand their privacy policy, and how it applies to your business
  • You can find the instructions for setting up your Opt In form on Mailchimp here
  • If your privacy policy is the same as MailChimp’s privacy policy, you can find that language here

Summary

While it is mainly big business that is likely to feel the biggest effect of GDPR, it is always wise to be cautious when it comes to the handling of data. Interpret the law to the best of your ability and don’t do anything with anyone’s data that you wouldn’t be happy having done to yours.

You may think it’s a great idea to trade email lists with a friend who plays similar music, but if their fans haven’t given their express consent, you may fall foul of the law… as well as potentially annoy a large group of people!

How do you ensure you keep your customer’s data safe? Do you have any top tips on following GDPR? Post your advice in the comment box below!
