What is it?
There has been a major shift in internet data and privacy laws in the European Union over the last few years. The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the collection and use of personal data outside the EU.
Why would you concern yourself with all this internet hullabaloo when you are in the music business? It only affects ‘other’ organisations in different industries, right? And if you don’t even reside in the EU, what’s it to you? If you want to avoid a potential lawsuit in the future, listen up: this may concern you.
What are the changes?
The GDPR requires that organizations obtain explicit consent from consumers before collecting any personal data. “Explicit consent” means that it must be “freely given, specific, informed and unambiguous,” according to Article 4 of the regulation.
Any company that does business in the EU or handles the personal data of EU citizens must comply, even if the company does not have a physical office location in the EU. This includes:
- Organizations based in the EU
- Organizations located outside the EU that offer goods or services to EU data subjects
- Organizations that monitor the behavior of EU data subjects
- All companies processing and holding personal data of residents of the EU, regardless of the company’s location
So, if you collect any form of data on your website that can be used to identify an individual or individuals, you are affected. Because the internet is open to everyone, and so is your website, chances are some EU citizens will land on your website at some point. Whether or not you operate in the EU doesn’t really matter at that point. The most common ways music companies, record labels and musicians collect data online are mailing lists, forms, surveys and cookies.
Here is the exception:
While GDPR requires compliance from small-to-medium sized enterprises (SMEs) and major enterprises alike, there is an exception for companies with 250 or fewer employees, since smaller companies are less likely to pose a significant privacy risk to data subjects. According to GDPR Article 30, organizations with fewer than 250 employees are not required to maintain a record of processing activities under their responsibility, “unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.”
What I have yet to determine is whether the above means you can ignore everything and go about your merry business if you have fewer than 250 employees. Safety first, so keep reading.
When do the changes come into effect?
Enforcement date: 25 May 2018
Should you care?
This is an EU thing for now, but there is every possibility that the rest of the world will implement similar changes in the coming years. And if any of your audience reside in the EU, you are affected already.
What should you do?
Here are 5 simple best practices if you want to cover your bases on data and privacy online with regard to the GDPR changes:
- Make sure any mailing list sign-ups on your website have clear opt-in and opt-out options for users. This covers music pre-order sign-ups, order forms, fan lists and more.
- If you already have an existing mailing list, ask your subscribers to opt in again. A lot of businesses are doing this already, and you have probably received quite a few such emails yourself in the last couple of months.
- There are many sample templates online to start with.
If in doubt, contact your lawyer and cover your bases!