Spektrix GDPR Toolkit 2. Sample Data Processes Audit
Guide
Boldly Compliant: A Guide to GDPR for Performing Arts Marketers & Fundraisers
Tools
1. GDPR Compliance Checklist
SAMPLE DATA PROCESSES AUDIT
Disclaimer
SAMPLE DATA PROCESSES AUDIT
| Sample data process | Suggested legal basis for processing under GDPR | Requirements for legal processing | PECR considerations |
| --- | --- | --- | --- |
| Under GDPR, an organisation should assess all data processes which use the personally identifiable data of individuals and identify a legal basis for that processing. | There are six legal bases for processing. In this guide we will limit our discussion to Contract, Legitimate Interests and Consent. Where appropriate we suggest using the Legitimate Interest basis. | We will outline the requirements for using the suggested legal basis for processing. For more information, see ‘Boldly Compliant: A Guide to GDPR for Performing Arts Marketers & Fundraisers’. | Email, text messaging and telephone communications are also regulated by PECR. These additional considerations will be outlined here when applicable. |
| Posting a marketing message to an individual with a relationship to the organisation. | Legitimate Interest is expressly allowed for direct marketing under Article 47 of the regulation. | Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit. | No. |
| Emailing a marketing message to a current or former customer. | Legitimate Interest is expressly allowed for direct marketing under Article 47 of the regulation. | Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit. | Yes. The PECR Soft Opt-in rule is suggested. |
| Anonymous analytical purposes such as reporting on general audience attributes. | This process uses anonymised data. If it is not personally identifiable, data is not covered under GDPR. | N/A | No. |
| Segmenting data for marketing purposes. | Legitimate Interest is expressly allowed for direct marketing under Article 47 of the regulation. | Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit. | No. |
| Posting a fundraising message. | Legitimate Interest is expressly allowed for marketing under Article 47 and the ICO defines fundraising messages as a type of marketing. This means fundraising communications are likely allowed under Legitimate Interest. | Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit. | No. |
| Emailing a fundraising message. | Due to PECR requirements, Consent may be the best basis for this process. | GDPR compliant consent is granular, affirmative and demonstrable. | Yes. PECR Soft Opt-In is unlikely to be available for fundraising messages. Consent may be the best basis for this process. |
| Wealth screening and other profiling for fundraising. | The ICO has indicated that profiling is not prohibited. It may be allowed under Legitimate Interest provided the requirements are met. | Legitimate Interest requires you to carry out a Legitimate Interest assessment, include the processing activity in a clear and accessible privacy policy and to make sure that the individual can easily opt out of processing (usually achieved by instructions in the privacy policy). A Sample Legitimate Interest Assessment is included with this toolkit. | No. |
| Partner Company emailing a customer. | Due to PECR requirements, Consent may be the best basis for this process. | GDPR compliant consent is granular, affirmative and demonstrable. | Yes. PECR Soft Opt-In is unlikely to be available for third party email messages. Consent may be the best basis for this process. |
| Verifying payment and other activities in the interest of servicing the contract for either ticket sales or donations. | Contract basis is likely best for this process. | It’s good practice to document that Contract basis has been chosen for this process. | No. |
This is just a sample set of data processes. We recommend a full data processes audit of your organisation's particular activities.

Explore the Spektrix GDPR Toolkit for the Performing Art

This document is part of the Spektrix GDPR Toolkit for the Performing Arts which provides guidance to help your arts organisation comply with GDPR before 25th May.