Understanding the data journey

Data passes through several stages from collection to use

As data is legitimately put to practical use by cultural organisations it passes through several stages of a journey - from collection, to use, via permissions gathering, storage and, potentially, sharing.

The diagram below charts this journey, highlighting at each stage factors which the legislation governing the use of data touches upon. Under GDPR there is a greater onus on organisations to be able to demonstrate their compliance with regulations and, in practical terms, this means documenting the considerations made, and the steps taken to ensure compliance. So organisations should consider the particulars of the data journey in their specific context: the particular uses to which they would like to put personal information to, the legal bases that will be relied upon, the steps taken to meet the obligations in relation to these legal bases, and how the data will be appropriately collected, managed and safeguarded. The considerations at each stage should be reflected in an organisational data management policy document.


Cultural organisations which collect, store, use, or share their customers’ personal information should be familiar with their obligations at each stage.

For example, when collecting data from their patrons, organisations should be aware of what constitutes personal data and therefore, what does and does not fall under the provisions of the regulations that protect the rights of the “data subjects” (i.e. the natural persons to whom that data belongs).

It is of great importance at this stage that the organisations collecting personal information understand clearly what the legal basis is that they rely upon in order to process the personal data legitimately. Often the basis will be with the informed ''consent'' of the data subjects, and where this is the case, it is vital that organisations capture the right permissions from the data subjects for specific uses and communications channels, and in relation to any sharing with third parties. This ensures the data can be processed and put to use legitimately and in compliance with good practice. Under GDPR organisations relying on ''consent'' must be sure to record sufficient information to be able to demonstrate in relation to each individual case, how and when consent was gained and for what purposes and which communications channels. Organisations relying on ''legitimate interests'' as the basis for processing will be able to demonstrate that they have followed a systematic process of weighing the necessity for them to process the personal information, against the rights and freedoms of the individuals, and how these do not outweigh the organisation's legitimate interests. For more information, please see the ICO's guidance on Lawful Bases for Processing.

Irrespective of which legal basis for processing the organisation relies upon, patrons must be adequately informed of the intended uses of their data. The process for providing this information and the content of ‘privacy notices’ will need to change according to the context in which the data is being collected, and in relation to the particular communication channels to be used. Privacy notices should inform patrons not only of intended uses of their data, but also of how their rights can be exercised (for example, the right to access their records, or the right to withdraw consent) and how they can make a complaint if necessary. For more information, please see the ICO’s Privacy Notices code of practice.

It is important to note that there are certain items of information about individuals that constitute special categories of personal information (known under the former legislation as sensitive data) and over which there are specific implications and obligations for Data Controllers.

The regulations also address the manner in which data is stored and maintained to ensure that it is kept securely and that it remains clean and relevant. There are also requirements under GDPR about reporting any breaches of personal data that organisations should be aware of.

The potential to then use or share data is wholly governed by notifications given, where ''consent'' is the legal basis for processing, the permissions obtained.

There is a great deal of additional legal and practical detail associated with the data journey beyond the scope of this guide. Here, we outline the fundamental practical steps you need to consider to share data in full compliance with relevant legislation. However, data controllers in particular should also refer to Data Protection - What The Regulations Say.

In this section the guidance is divided into two parts: