Be Smart About Art

Want your personal data to be safe?

Written by: Susan Mumford, March 25, 2018


“Do as you would be done by” is one way of stating what is known as the “Golden Rule”.

This instruction most certainly applies to protecting your own personal data, from contact information to bank account details. You want businesses from whom you’ve purchased goods and services to handle your personal info with care and consideration. Now think about it from the other direction: how do YOU respect personal data of others who entrust you with their own sensitive material?

Just the other day, I was delivering a workshop when an artist asked why her gallery can’t share the details of people who buy her works of art. Surely it’s her right to have that information?

Nope. The acquisition of a work of art is a private transaction. Only the seller has access to the contact details of the buyer, unless the collector explicitly gives permission to share details to other parties.

It’s for this reason that if an artist or gallery wants to state a private collector’s name / name of collection under ‘Collections’ on an artist CV, it is essential to get written confirmation from the buyer or his/her representative. (Then if there’s ever any question, you can go back and show that permission was granted.)

The country where you’re living will have its own laws on ‘data protection’, and in this post, I’m referring to the way that businesses are legally obliged to store and treat data on individuals. For example: The USA has the CAN-SPAM Act of 2003. And the UK has been operating according to the Data Protection Act of 1998 for twenty years. As of 25th May 2018, the UK is upgrading to the General Data Protection Regulation (known as GDPR). According to the official website, GDPR “harmonizes privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”

One example of what’s changing is the way that opting-in to email lists works. Instead of being legally obliged to offer an option to opt-out, it's now advisable to be able to show that individuals have opted-in. However, owing to the relationship with GDPR and another set of guidelines called PECR, the Privacy and Electronic Communications Regulations, you'll see that the lines are blurred, depending on an email address being a personal email address versus business identity, not to mention if the associated email is that of a client or even someone who has 'legitimate interests'. See this useful article from the Information Commissioner's Office (ICO), which lays out the relationship between GDPR and PECR, and addresses specific questions - as well as links to other articles and guidance, which you can follow based on your individual circumstances. 

Here's a quotation from the ICO: 
"Sole traders and some partnerships are treated as individuals so you can only email or text them if they have specifically consented, or if they bought a similar product from you in the past and didn’t opt out from marketing messages when you gave them that chance. You must include an opt-out or unsubscribe option in the message."

It is certainly important to understand that GDPR applies to EU citizens regardless of their location. That means that if you’re running a business (of any size) in Australia or Nigeria, if you hold information on EU citizens and/or have EU citizens, say, signing up to your mailing list, you’ll be expected to treat them and their data according to GDPR requirements.

Following on the heels of the big reveal about how Facebook has failed to protect its users’ data, it’s clearly important to do as you would be done by when it comes to handling and holding sensitive data, such as contact info.

Regardless of where you’re located, I urge you to be vigilant about how you add people to your mailing list and how you store and protect data on clients and other contacts. From giving people the option to opt-in to your mailing list to having password-protected computers, smartphones and tablets (with unique passwords), go ahead and become proactive when it comes to managing personal data.

With the recent Facebook scandal, it wouldn’t surprise me in the least if other countries enact stricter legislation in the coming years. You might as well start getting ready, so that when change comes, it doesn’t require a massive overhauling of systems.

Be sure to keep the golden rule in mind. In this digital age, it’s not only a matter of respect, it’s a matter of urgency.




Posted by : Nicola Anthony 10/05/2018 00:45

Hi Susan, Thanks for the article! What do you recommend is the best option for artists' mailing lists and GDPR? I think that a lot of e.g. Mailchimp lists have stored opt-in information if people signed up, so perhaps we just need to tackle the ones which we added individually or using their proffered business card? In this case, is it really needed to say 'opt in' again and never email those who don't? I think I will be losing my whole list in this case :(


Hello Jennifer!

Thank you for your contribution.

Whatever anyone thinks of this matter, the seller (in this case, the gallery) is not legally allowed to share personal data of art buyers unless they explicitly give consent. While the arrangement might be consignment of works as you suggest, the seller is the gallery, who is acting on your behalf. An exception could be, for example, if you're directly raising the sales invoice to the client and taking payment from the client (and only then issuing commission to the gallery or agent), in which case the client is one of your own.

The idea of offering an invitation to register the work with you is interesting. Do let us know, when you propose this, how galleries respond. One of their biggest challenges today is collectors discovering artists through galleries (at fairs and other shows), and then directly contacting artists to buy direct. The result can be detrimental to a gallery's livelihood if artists don't know to send clients back to galleries (or if collectors don't disclose how they discovered the artist). So in our experience, galleries are cautious of collectors and buyers being directly in touch. In the end, so much of this is about having strong working relationships that entail excellent communication and clear, written working parameters.


The issue of galleries not sharing details of buyers bugs me. I wouldn't mind if the gallery purchased my works, I can see that, but if the work is still under my ownership surely I am the seller? Or at least a party to the sale. The gallery takes a commission, not a profit, because they don't own the art.
It's another reason to work on owning your own list, so you are not beholden to any one gallery. I am going to be adding an invitation (stuck on the back of the work and on the certificate of authenticity) to register the sold work with me, for the purpose of provenance, and offering access to advice on post-care and varnishing and cleaning of the work as an incentive.