Recording permissions

It is essential that customer records adequately manage the permissions obtained. Returning customers must be recognised at the beginning of a transaction and not taken through the notification and permissions process or duplicate an existing record.

Communication methods change and some are specifically covered by these regulations. This guidance does not cover relationships formed through social media e.g. Facebook and Twitter.

However, marketing messages sent directly to an individual via social networking platforms such as Facebook and Twitter are still “electronic messages” and therefore subject to GDPR and PECR in the same way that SMS and email would be.

The following are current communication methods used by cultural organisations which, by law, require specific permissions according to the circumstances in which the data is captured:

  • Direct mail (individuals should be informed their details will be used for this purpose and, where "consent" is relied upon as the condition for processing, given the choice to ''opt in''. Individuals should be informed that they can opt-out at any time and how to do so.
  • Live telephone call (individuals can be contacted unless they have previously objected to/opted-out of calls being made to their line by that organisation or their number is registered with the Telephone Preference Service (TPS)). Organisations should, therefore, ensure they screen their marketing lists against the TPS and their own internal suppression lists (i.e. lists of individuals who have objected to receiving calls). If a customer’s number is signed up to the TPS, the organisation will need explicit consent to override this.
  • Automated telephone call (opt-in consent legally required)
  • Fax (opt-in consent legally required)
  • E-mail (opt-in consent legally required except where “soft opt-in” criteria have been satisfied)
  • SMS (opt-in legally required except where “soft opt-in” criteria have been satisfied)

Cultural organisations need to select which of these methods of communication they intend to use in future, and then seek the appropriate permissions for each customer and record them accordingly.