Issue 118/03, p15, 01.03.2018
Are museums sufficiently prepared for the GDPR?
Sarah Burry-Hayes, Marketing manager, Museums Galleries Scotland

“The general data protection regulation (GDPR) has been widely discussed in the sector and should be on every museum’s radar by now. Is everyone absolutely prepared for 25 May, though? Probably not. For any museums that aren’t feeling quite ready, it’s not too late to get your data in order. There’s so much help and guidance available through blogs, webinars and training courses. But if you’re feeling overwhelmed, the Information Commissioner’s Office has some great self-assessment tools to identify any weak areas in your museum’s data processing and storage.”

Naomi Korn, Managing director of NKCC, a copyright consultancy firm

“You will be almost there if you have been compliant with the Data Protection Act 1998. GDPR is an evolution not a revolution, so museums that haven’t considered data protection and the processing of personal data before will have further to go – but their documentation expertise will put them in good stead. Realistically, few museums will be completely ready by May, but they need to start reviewing what personal data they collect and why, where they store data and who they share it with. Museums need to understand that the Data Protection Act 2018 will require long-term organisational commitment to legal compliance.”

Kevin Gosling, Chief executive, Collections Trust

“We’ve had lots of enquiries from museums concerned about the personal data in collections documentation, which may go back many decades.

We’re keen to get and share legal advice on this point, but need to wait until the data protection bill, which is before parliament, completes its passage and puts GDPR into UK law.

We hope that personal information associated with museum collections will fall within the scope of exemptions like those in GDPR, but it would be good to know for sure. So when will parliament be ready?”

Owen O’Rorke, Associate at Farrer & Co, an independent law firm

“The concept of achieving ‘sufficiency’ – as an alternative to perfect compliance – does seem to be creeping into GDPR preparation projects. This is understandable for complex organisations such as museums with tighter budgets than their range of data issues would ideally require. But for any risk-based approach to be justifiable, museums need to be targeted about mission-critical areas of risk (visitor interaction, fundraising, research etc), methodical in documenting their thinking, and careful to ensure the compliance journey continues past 25 May.”