
The Spektrix GDPR Toolkit for the Performing Arts

2. Sample Data Processes Audit

This is a sample data processes audit to help performing arts organisations assess the best legal basis for processing individuals’ data under GDPR. It includes some typical data processes in the industry as examples but isn’t meant to be comprehensive. We suggest an organisation audit their own processes and determine the best basis for each process. Where necessary, you should also address the requirements under PECR.
SAMPLE DATA PROCESSES AUDIT

About this document

We at Spektrix provide ticketing, marketing and fundraising software to over 270 arts organisations in the UK. But for our software to really make a difference to our clients, we also provide support and consultancy, and produce resources like this one to equip them for industry change. This guide is part of the Spektrix GDPR Toolkit for the Performing Arts which helps our clients prepare for upcoming data protection regulation changes. Here’s more information about how you can use these resources to prepare.

Guide

Boldly Compliant: A Guide to GDPR for Performing Arts Marketers & Fundraisers
An overview of GDPR that explains why we recommend a Legitimate Interest-based approach.

Tools

1. GDPR Compliance Checklist
When you’re ready to take action, these checklists contain recommended steps.

2. Sample Data Processes Audit (this document)
Carry out your own data processes audit to determine which legal bases you’re using for each data processing activity.

3. Sample Legitimate Interest Assessment
Use this to create and document your Legitimate Interest assessments for the data processes that you’re taking a Legitimate Interest approach to.

4. Sample Privacy Policy
Provides copy to guide your own privacy policy.

Get a free 20-minute GDPR consultation.
We’re offering free GDPR consultation to the first people to get in touch. Contact consultancy@spektrix.com.


Disclaimer

We’re here to help you prepare for GDPR as much as possible, but we can’t offer legal advice and none of the information in the following document should be taken as such. We strongly recommend taking your own legal advice before committing to any decision regarding GDPR. As the data controller, it is your responsibility to design an appropriate approach to data privacy. Neither Spektrix nor any other data processor can make you GDPR compliant without your own processes in place.

© Spektrix Ltd, February 2018


The audit is set out as a table with four columns: Sample data process; Suggested legal basis for processing under GDPR; Requirements for legal processing; PECR considerations. Each entry below gives the four columns for one process.

Sample data process: Under GDPR, an organisation should assess all data processes which use the personally identifiable data of individuals and identify a legal basis for that processing.
Suggested legal basis for processing under GDPR: There are six legal bases for processing. In this guide we will limit our discussion to Contract, Legitimate Interests and Consent. Where appropriate we suggest using the Legitimate Interest basis.
Requirements for legal processing: We will outline the requirements for using the suggested legal basis for processing. For more information, see ‘Boldly Compliant: A Guide to GDPR for Performing Arts Marketers & Fundraisers’.
PECR considerations: Email, text messaging and telephone communications are also regulated by PECR. These additional considerations will be outlined here when applicable.

Sample data process: Posting a marketing message to an individual with a relationship to the organisation.
Suggested legal basis for processing under GDPR: Legitimate Interest is expressly allowed for direct marketing under Article 47 of the regulation.
Requirements for legal processing: Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit.
PECR considerations: No.

Sample data process: Emailing a marketing message to a current or former customer.
Suggested legal basis for processing under GDPR: Legitimate Interest is expressly allowed for direct marketing under Article 47 of the regulation.
Requirements for legal processing: Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit.
PECR considerations: Yes. The PECR Soft Opt-in rule is suggested.

Sample data process: Anonymous analytical purposes such as reporting on general audience attributes.
Suggested legal basis for processing under GDPR: This process uses anonymised data. If it is not personally identifiable, data is not covered under GDPR.
Requirements for legal processing: N/A
PECR considerations: No.

Sample data process: Segmenting data for marketing purposes.
Suggested legal basis for processing under GDPR: Legitimate Interest is expressly allowed for direct marketing under Article 47 of the regulation.
Requirements for legal processing: Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit.
PECR considerations: No.

Sample data process: Posting a fundraising message.
Suggested legal basis for processing under GDPR: Legitimate Interest is expressly allowed for marketing under Article 47 and the ICO defines fundraising messages as a type of marketing. This means fundraising communications are likely allowed under Legitimate Interest.
Requirements for legal processing: Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit.
PECR considerations: No.

Sample data process: Emailing a fundraising message.
Suggested legal basis for processing under GDPR: Due to PECR requirements, Consent may be the best basis for this process.
Requirements for legal processing: GDPR compliant consent is granular, affirmative and demonstrable.
PECR considerations: Yes. PECR Soft Opt-In is unlikely to be available for fundraising messages. Consent may be the best basis for this process.

Sample data process: Wealth screening and other profiling for fundraising.
Suggested legal basis for processing under GDPR: The ICO has indicated that profiling is not prohibited. It may be allowed under Legitimate Interest provided the requirements are met.
Requirements for legal processing: Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit.
PECR considerations: No.

Sample data process: Partner Company emailing a customer.
Suggested legal basis for processing under GDPR: Due to PECR requirements, Consent may be the best basis for this process.
Requirements for legal processing: GDPR compliant consent is granular, affirmative and demonstrable.
PECR considerations: Yes. PECR Soft Opt-In is unlikely to be available for third party email messages. Consent may be the best basis for this process.

Sample data process: Verifying payment and other activities in the interest of servicing the contract for either ticket sales or donations.
Suggested legal basis for processing under GDPR: Contract basis is likely best for this process.
Requirements for legal processing: It’s good practice to document that Contract basis has been chosen for this process.
PECR considerations: No.

This is just a sample set of data processes. We recommend a full data processes audit of your organisation's particular activities.

Explore the Spektrix GDPR Toolkit for the Performing Arts
This document is part of the Spektrix GDPR Toolkit for the Performing Arts which provides guidance to help your arts organisation comply with GDPR before 25th May.