Personal data protection compliance

General data protection regulation - 25 May 2018

You will probably be aware already that GDPR marks a big change in the law and you are probably already working towards compliance in other areas of your business. If you are not aware of GDPR or how it affects your business, you will need to find out more about this and develop a plan, even if you are not based in the EU. This legislation applies to any company that offers goods and services to citizens (of any nationality) resident in the European Economic Area, so this applies to all of our clients. 

 

Our aim is to help you make the changes to your Artlogic data and to measure and manage your compliance status. This does not need to be a daunting prospect and we are working hard to make it as simple as possible. Your first concern might be your marketing list so we will start there. 

 

Marketing list

The advice we have received about marketing lists runs as follows:

 

  • Do not seek to obtain or renew consent to be on the mailing list for your existing contacts. If your valuable contacts do not provide consent, you would definitely break the law if you continued to market to them and you may lose a high proportion of contacts from your list. Furthermore, if it appears that you are attempting to secure consent which is not fully compliant, you will be breaking the law by seeking consent by email. So what should you do instead?
  • As the basis for any action, you should get to know who your contacts are and why they are on your database and classify them using the new tools in Artlogic. If you identify your existing customers, your suppliers and your professional contacts, then pretty much everyone else is going to be a marketing lead and, providing they supplied their personal details (business card, visitors' book, website sign up, enquiry form), they are a soft opt-in to your marketing list. Most of the focus of your energy is on this group of records. As private individuals rather than representatives of a company, GDPR gives them enhanced rights but you have a right to market to people who have provided their details, know why you are processing them and have the means to opt out. To help you identify them, we automatically flag a contact as a client if they have been invoiced via Artlogic but there may be many reasons why you want to flag them yourselves (historic sales data, multiple contact records for the same person, etc.). The new standard flags for 'supplier', 'professional contacts', etc. are added at the foot of the first (main) tab of the contact edit screen.
    Reasons for processing data
    Statistics about these groups and a link to find each group will show on the GDPR dashboard. 
  • You may want to delete any information about data subjects that you do not need or that might be out of date and, at your discretion, delete any records that you do not need - for instance people on your database who have been there for years but have never been in touch or made a purchase. 
  • Make sure that you have a well written Privacy policy on your website as soon as possible that fully and clearly explains the purpose/s for which you keep data, what data you keep and how it is collected and the retention period (until they opt out). You should warn people that you may process their details outside the EU but will ensure that you have made adequate operational and technological provision to ensure that their data is held securely. You need to do this because of the way Artlogic processes your data with multinational service providers and so you can access Artlogic data from offices outside the EU or when you are travelling. 
  • Your system administrator needs to add the address of your privacy notice web page to the preferences using the field for this in Admin > Preferences to make it appear in your mailings. 
  • Send a mailing to your entire list to inform them of the new privacy policy with a link to read it. For clients, suppliers and professional contacts, you should ensure that they have the option to stop receiving marketing communications. Luckily the Artlogic mailing system adds links in the footer of every message and these enable recipients to read the privacy policy and change their communication preferences. We have changed the links to include 'update my preferences' and this enables recipients to choose between different types of communications. They can choose to receive sales emails (offers), more personal invitation messages and the less personal blasts about exhibitions, art fairs, newsletters, etc. 
  • In April, in plenty of time for the May deadline, we adapted all website enquiry and mailing list sign-up forms to display the name of your business and a link to your privacy policy, if you have one.

  

What we HAVE BEEN doing to help

Here are the free tools we are developing for Artlogic:

 

  • New parameters for client, supplier and professional contact on the Categories & Interests part of each contact record will help you identify the reason people are in your contacts database from a data protection point of view. For marketing leads, it will identify how they came to be on your database. You will also be able to record and track the detail of permission or soft opt-in given. 
  • The Artlogic database offers a dashboard view of compliance across your contact database. Follow the main menu from CONTACTS > Data Protection > Dashboard. This will give you insights about the people on your database and those groups where you need to be most concerned, i.e. records containing personal data for subjects who are not clients, suppliers or professional contacts. We automatically flag contacts as customers if they have any purchase history. We automatically flag someone as 'supplied their details through the website' if they sign up via a web form.
  • We have created a compliance statement showing the locations and security measures of the Artlogic serving operation. There is a link to this from the Data Protection Compliance Dashboard. This document will be updated from time to time. 
  • One of the key steps you need to take is to develop a Privacy Notice that everyone can see. We are devising a method to automatically display a page in the footer of all our template websites if they have the URL /privacy/ and we are thinking of how we can prompt clients to make this page without being bossy. All bespoke clients need to contact us to implement a new page linked from the footer. 
  • If you want to ask people about accepting Cookies and you have a template website, we can switch that on for you. 
  • All our mass communications have always shown a link to your privacy notice (if you had let us know the address or put it in the setting yourself) and an opt-out option at the foot of every email, which is considered best practice.
  • Make sure that you enter the link to this into the Privacy Policy URL field in your database. This link will be presented in the footer of all your marketing emails. Use the field for this in Admin > Preferences. You will need admin privileges to view and edit this address. 
  • Using the mailing system, you will of course be able to send notification of a revised privacy notice, which most lawyers recommend that you do. It is part of GDPR to ensure that everyone has access to the information about the purposes for which data is held.
  • You will be able to create a report on the data held on an individual to respond to subject access requests.
  • Changes to the unsubscribe process. New marketing preferences will enable your contacts to opt-out of mass communication but remain on your database for more personal invitations and sales (offer) emails. 

 

Resources

GDPR Roadmap - If you know something of the law already but you are not clear what to do, Artlogic has created this to help you get started. 

ICO 12 steps guide - From the UK Information Commissioner's Office

ICO – detailed guidance

How we deliver Artlogic Services - locations, suppliers, infrastructure

List of Subprocessors - A list of suppliers used by Artlogic, acting as a Data Processor

 

New paperwork 

In addition to the above items to help our clients with their own data:

  • We are rewriting our own terms and conditions so we can issue fresh contracts with all our clients. In the first instance, we will issue a Data Protection Addendum which you can sign and return and keep a copy on file. This information will help you demonstrate your own compliance with regard to Artlogic as your data processor for the personal data inside your system. 
  • We re-examined all our vendor contracts to ensure our suppliers are GDPR compliant and we have made a list of sub-processors.
  • We are undergoing a full audit of our own information (where, what, who has access, retention period), including a full list of all the clients for whom we process data and the details of whom to contact in case of a suspected breach. We need night and day contact details for the person in charge of personal data compliance at every client. Please contact us to supply these details.
  • We will issue revised information about security.