Want your personal data to be safe?
“Do as you would be done by” is one way of stating what is known as the “Golden Rule”.
This instruction most certainly applies to protecting your own personal data, from contact information to bank account details. You want businesses from whom you’ve purchased goods and services to handle your personal info with care and consideration. Now think about it from the other direction: how do YOU respect the personal data of others who entrust you with their own sensitive material?
Just the other day, I was delivering a workshop when an artist asked why her gallery can’t share the details of people who buy her works of art. Surely it’s her right to have that information?
Nope. The acquisition of a work of art is a private transaction. Only the seller has access to the contact details of the buyer, unless the collector explicitly gives permission to share those details with other parties.
It’s for this reason that if an artist or gallery wants to state a private collector’s name / name of collection under ‘Collections’ on an artist CV, it is essential to get written confirmation from the buyer or his/her representative. (Then if there’s ever any question, you can go back and show that permission was granted.)
The country where you’re living will have its own laws on ‘data protection’, and in this post, I’m referring to the way that businesses are legally obliged to store and treat data on individuals. For example: The USA has the CAN-SPAM Act of 2003. And the UK has been operating according to the Data Protection Act of 1998 for twenty years. As of 25th May 2018, the UK is upgrading to the General Data Protection Regulation (known as GDPR). According to the official website https://www.eugdpr.org/, GDPR “harmonizes privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
One example of what’s changing is the way that opting in to email lists works. Instead of being legally obliged to offer an option to opt out, it's now advisable to be able to show that individuals have opted in. However, owing to the relationship between GDPR and another set of guidelines called PECR, the Privacy and Electronic Communications Regulations, you'll see that the lines are blurred, depending on whether an email address is a personal email address or a business identity, not to mention whether the associated email is that of a client or even of someone who has 'legitimate interests'. See this useful article from the Information Commissioner's Office (ICO), which lays out the relationship between GDPR and PECR and addresses specific questions, as well as linking to other articles and guidance, which you can follow based on your individual circumstances.
Here's a quotation from the ICO:
"Sole traders and some partnerships are treated as individuals so you can only email or text them if they have specifically consented, or if they bought a similar product from you in the past and didn’t opt out from marketing messages when you gave them that chance. You must include an opt-out or unsubscribe option in the message."
It is certainly important to understand that GDPR applies to EU citizens regardless of their location. That means that if you’re running a business (of any size) in Australia or Nigeria, and you hold information on EU citizens and/or have EU citizens, say, signing up to your mailing list, you’ll be expected to treat them and their data according to GDPR requirements.
Following on the heels of the big reveal about how Facebook has failed to protect its users’ data, it’s clearly important to do as you would be done by when it comes to handling and holding sensitive data, such as contact info.
Regardless of where you’re located, I urge you to be vigilant about how you add people to your mailing list and how you store and protect data on clients and other contacts. From giving people the option to opt-in to your mailing list to having password-protected computers, smartphones and tablets (with unique passwords), go ahead and become proactive when it comes to managing personal data.
With the recent Facebook scandal, it wouldn’t surprise me in the least if other countries enact stricter legislation in the coming years. You might as well start getting ready, so that when change comes, it doesn’t require a massive overhauling of systems.
Be sure to keep the golden rule in mind. In this digital age, it’s not only a matter of respect, it’s a matter of urgency.