Specific Granularity of Consent

GDPR requires a higher standard for consent than under the previous legislation, and that this means providing audiences with greater control over, and clearer information about, the intended uses of personal information, communication channels, and who data will be shared with. Practically this means that some options for collecting consent that were formerly acceptable under the old laws are no longer valid under GDPR.

Prior to GDPR is was acceptable to use the wording in notifications, "keep you informed about events and other developments" such that this would encompass permission to contact about, for example, education and outreach work, membership schemes or fundraising. The ICO now advises that these are all specific activities that should be separately consented. It is up to the data controller whether you state all of the relevant intended uses in a single phrase and get consent for all in one go, or whether you choose to provide a more granular opportunity to consent (or not) each use individually. Bear in mind, however, that if you bundle the uses together, then if the customer objects only to one use, that they only have the option to reject all. Good practice and good audience relationship building suggest that giving audiences the more flexible, granular choice to accept or reject specific uses individually is likely to yield the best outcomes for both audiences and organisations alike.

The same is true of the choice as to whether or not to bundle together permission notification statements so that permissions are obtained for both the touring company and the presenting venue in one step. Again, doing so means that if the customer wishes to only permit one, then they have no option but to reject (or, less likely, accept) both. The granular approach of seeking to obtain consent separately for both venue and company might provide a slightly less streamlined process, but it does provide the better practice and customer service solution.

Another change from guidance under the former legislation is that it was deemed acceptable to ask a fairly generic question as to whether customers would wish their details to be shared with “other arts and entertainment organisations which we think you will be interested in”. Under GDPR this is no longer acceptable. Specific consent must be given for named organisations with which personal information is to be shared for contact purposes.

Organisations should note that, after 25th May 2018, where consent is relied upon as the condition for processing, personal information cannot be further processed unless the consent that has been obtained meets the standards required under GDPR. Until that point, organisations that believe they have legitimate permissions/bases for contacting individuals under DPA or PECR may contact those individuals to further clarify consent in line with the requirements of GDPR. In effect, for example, if consents do not name specific organisations, then beyond May 2018 that data may no longer be shared.

With specific venues it has been agreed in the past with the ICO that in practice notification statements could be made with large notices behind the counter, recorded messages on the phone, reinforced with reproduction of the text in brochures and programmes, and these are all still valid.

The key is that there is dialogue in which the customer shows their understanding and gives permission.

To avoid continual repetition, and the potential for duplication or confusion of customer data, all customers should be asked if they have purchased tickets before and their existing record looked up. It is now also a requirement under GDPR, (and in any case to be encouraged) that customers should periodically be asked if they want to update their record/revise their permissions. For arts organisations, a pragmatic approach might be to ensure that patrons are prompted or given the opportunity to refresh their permissions every two years. There should also be reminded in all communications that they are entitled to withdraw their consent to direct marketing at any time.