Spektrix GDPR Toolkit 2. Sample Data Processes Audit

May 12, 2018 | Author: cadeirae | Category: Privacy, Business, Government Information, Technology, Computing

The Spektrix GDPR Toolkit for the Performing Arts

2. Sample Data Processes Audit

This is a sample data processes audit to help performing arts organisations assess the best legal basis for processing individuals' data under GDPR. It includes some typical data processes in the industry as examples but isn't meant to be comprehensive. We suggest an organisation audit their own processes and determine the best basis for each process. Where necessary, you should also address the requirements under PECR.

About this document

We at Spektrix provide ticketing, marketing and fundraising software to over 270 arts organisations in the UK. But for our software to really make a difference to our clients, we also provide support and consultancy, and produce resources like this one to equip them for industry change. This guide is part of the Spektrix GDPR Toolkit for the Performing Arts which helps our clients prepare for upcoming data protection regulation changes. Here's more information about how you can use these resources to prepare.

Guide

Boldly Compliant: A Guide to GDPR for Performing Arts Marketers & Fundraisers. An overview of GDPR that explains why we recommend a Legitimate Interest-based approach.

Tools

1. GDPR Compliance Checklist. When you're ready to take action, these checklists contain recommended steps.

2. Sample Data Processes Audit (this document). Carry out your own data processes audit to determine which legal bases you're using for each data processing activity.

3. Sample Legitimate Interest Assessment. Use this to create and document your Legitimate Interest assessments for the data processes that you're taking a Legitimate Interest approach to.

4. Sample Privacy Policy. Provides copy to guide your own privacy policy.

Get a free 20-minute GDPR consultation

We're offering free GDPR consultation to the first people to get in touch. Contact [email protected].

Disclaimer

We're here to help you prepare for GDPR as much as possible, but we can't offer legal advice and none of the information in the following document should be taken as such. We strongly recommend taking your own legal advice before committing to any decision regarding GDPR. As the data controller, it is your responsibility to design an appropriate approach to data privacy. Neither Spektrix nor any other data processor can make you GDPR compliant without your own processes in place.

© Spektrix Ltd, February 2018

Sample data processes audit

The audit table has four columns:

Sample data process: Under GDPR, an organisation should assess all data processes which use the personally identifiable data of individuals and identify a legal basis for that processing.

Suggested legal basis for processing under GDPR: There are six legal bases for processing. In this guide we will limit our discussion to Contract, Legitimate Interests and Consent. Where appropriate we suggest using the Legitimate Interest basis.

Requirements for legal processing: We will outline the requirements for using the suggested legal basis for processing. For more information, see 'Boldly Compliant: A Guide to GDPR for Performing Arts Marketers & Fundraisers'.

PECR considerations: Email, text messaging and telephone communications are also regulated by PECR. These additional considerations will be outlined here when applicable.

Sample data process: Posting a marketing message to an individual with a relationship to the organisation.
Suggested legal basis for processing under GDPR: Legitimate Interest is expressly allowed for direct marketing under Article 47 of the regulation.
Requirements for legal processing: Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit.
PECR considerations: No.

Sample data process: Emailing a marketing message to a current or former customer.
Suggested legal basis for processing under GDPR: Legitimate Interest is expressly allowed for direct marketing under Article 47 of the regulation.
Requirements for legal processing: Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit.
PECR considerations: Yes. The PECR Soft Opt-in rule is suggested.

Sample data process: Anonymous analytical purposes such as reporting on general audience attributes.
Suggested legal basis for processing under GDPR: This process uses anonymised data. If it is not personally identifiable, data is not covered under GDPR.
Requirements for legal processing: N/A.
PECR considerations: No.

Sample data process: Segmenting data for marketing purposes.
Suggested legal basis for processing under GDPR: Legitimate Interest is expressly allowed for direct marketing under Article 47 of the regulation.
Requirements for legal processing: Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit.
PECR considerations: No.

Sample data process: Posting a fundraising message.
Suggested legal basis for processing under GDPR: Legitimate Interest is expressly allowed for marketing under Article 47 and the ICO defines fundraising messages as a type of marketing. This means fundraising communications are likely allowed under Legitimate Interest.
Requirements for legal processing: Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit.
PECR considerations: No.

Sample data process: Emailing a fundraising message.
Suggested legal basis for processing under GDPR: Due to PECR requirements, Consent may be the best basis for this process.
Requirements for legal processing: GDPR compliant consent is granular, affirmative and demonstrable.
PECR considerations: Yes. PECR Soft Opt-In is unlikely to be available for fundraising messages. Consent may be the best basis for this process.

Sample data process: Wealth screening and other profiling for fundraising.
Suggested legal basis for processing under GDPR: The ICO has indicated that profiling is not prohibited. It may be allowed under Legitimate Interest provided the requirements are met.
Requirements for legal processing: Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit.
PECR considerations: No.

Sample data process: Partner Company emailing a customer.
Suggested legal basis for processing under GDPR: Due to PECR requirements, Consent may be the best basis for this process.
Requirements for legal processing: GDPR compliant consent is granular, affirmative and demonstrable.
PECR considerations: Yes. PECR Soft Opt-In is unlikely to be available for third party email messages. Consent may be the best basis for this process.

Sample data process: Verifying payment and other activities in the interest of servicing the contract for either ticket sales or donations.
Suggested legal basis for processing under GDPR: Contract basis is likely best for this process.
Requirements for legal processing: It's good practice to document that Contract basis has been chosen for this process.
PECR considerations: No.

This is just a sample set of data processes. We recommend a full data processes audit of your organisation's particular activities.

Explore the Spektrix GDPR Toolkit for the Performing Arts

This document is part of the Spektrix GDPR Toolkit for the Performing Arts which provides guidance to help your arts organisation comply with GDPR before 25th May.