Compliance checklists help you comply with both GDPR and PECR in a way that will help you gain and maintain the right to contact customers and donors.
See typical data processes in the industry and how our sample data processes audit can help your arts organisation start assessing the best legal basis for processing individuals’ data under GDPR.
We’re here to help you prepare for GDPR as much as possible, but we can’t offer legal advice and none of the information in the following document should be taken as such. We strongly recommend taking your own legal advice before committing to any decision regarding GDPR. As the data controller, it is your responsibility to design an appropriate approach to data privacy. Neither Spektrix nor any other data processor can make you GDPR compliant without your own processes in place.
© Spektrix Ltd, February 2018
This is just a sample set of data processes; we recommend a full data processes audit of each organisation's particular activities.
Sample data process | Suggested legal basis for processing under GDPR | Requirements for legal processing | PECR considerations |
---|---|---|---|
Under GDPR, an organisation is required to assess all data processes which use the personally identifiable data of individuals and identify a legal basis for that processing. | There are seven legal bases for processing. In this guide we will limit our discussion to Contract, Legitimate Interests and Consent. Where possible we suggest using the Legitimate Interest basis. | We will outline the requirements for using the suggested legal basis for processing. For more information please see WHITE PAPER NAME. | Email, text messaging and telephone communications are also regulated by PECR. These additional considerations will be outlined here when applicable. |
Posting a marketing message to an individual with a relationship to the organisation. | Legitimate Interest is expressly allowed for direct marketing under article 47 of the regulation. | Legitimate Interest requires that a legitimate interest assessment be undertaken, that the process is included in a clear and accessible privacy policy and that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). Sample legitimate interest assessments are included with this toolkit. | No. |
Emailing a marketing message to a current or former customer | Legitimate Interest is expressly allowed for direct marketing under article 47 of the regulation. | Legitimate Interest requires that a legitimate interest assessment be undertaken, that the process is included in a clear and accessible privacy policy and that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). Sample legitimate interest assessments are included with this toolkit. | Yes. The PECR Soft Opt-in approach is suggested. |
Anonymous analytical purposes such as reporting on general audience attributes | No basis is necessary. This process uses anonymised data. If it is not personally identifiable, data is not covered under GDPR. | N/A | No. |
Segmenting data for marketing purposes | Legitimate Interest is expressly allowed for direct marketing under article 47 of the regulation. | Legitimate Interest requires that a legitimate interest assessment be undertaken, that the process is included in a clear and accessible privacy policy and that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). Sample legitimate interest assessments are included with this toolkit. | No. |
Posting a fundraising message | Legitimate Interest is expressly allowed for marketing under article 47 and the ICO defines fundraising messages as a type of marketing. This means fundraising communications are likely allowed under Legitimate Interest. | Legitimate Interest requires that a legitimate interest assessment be undertaken, that the process is included in a clear and accessible privacy policy and that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). Sample legitimate interest assessments are included with this toolkit. | No. |
Emailing a fundraising message | Due to PECR requirements, Consent may be the best basis for this process. | GDPR compliant consent is granular, affirmative and demonstrable. | Yes. PECR Soft Opt-In is unlikely to be available for fundraising messages. Consent may be the best basis for this process. |
Wealth screening and other profiling for fundraising | The ICO has indicated that profiling is not prohibited. It may be allowed under Legitimate Interest provided the requirements are met. | Legitimate Interest requires that a legitimate interest assessment be undertaken, that the process is included in a clear and accessible privacy policy and that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). Sample legitimate interest assessments are included with this toolkit. | No. |
Partner Company emailing a customer | Due to PECR requirements, Consent may be the best basis for this process. | GDPR compliant consent is granular, affirmative and demonstrable. | Yes. PECR Soft Opt-In is unlikely to be available for 3rd party email messages. Consent may be the best basis for this process. |
Verifying payment and other activities in the interest of servicing the contract for either ticket sales or donations | Contract basis is likely best for this process. | It is good to document that Contract basis has been chosen for this process. | No. |
You can also download a PDF of the sample data process audit here.