
GDPR in practice: 5 steps to properly use personal data

What are cultural organizations allowed to do with personal data under the GDPR? When can you collect audience data, publish photos, or use personal data for marketing? And what rules apply to this?

In this article, you will learn which steps your organization can take to process personal data in a careful and legally correct manner. You will receive explanations about legal bases for processing, consent, legitimate interest, retention periods, and the processing register.

Reading time: 5 minutes | 25 May '26

Cultural organizations frequently encounter the question in daily practice of whether something is ‘allowed under the GDPR.’ Whether it involves collecting audience data, publishing photos online taken during an event, or sending newsletters, the rules surrounding personal data often raise questions.

The GDPR is often seen as a law that primarily restricts organizations in their activities. But this is not always the case. Much is indeed possible, as long as you handle personal data carefully, protect the privacy of individuals, and can explain why you process certain data.

Under the GDPR, ‘processing’ means everything you do with personal data, such as collecting, storing, sharing, or deleting them.

Wondering what your organization is actually allowed to do with personal data? If you follow these five steps, you will have your GDPR basics in order.

1. Identify which personal data you process and why

Determine which personal data you use and for what purpose you use them. 

This could be, for example, for services or marketing, but also for statistical research or the recruitment and selection process of the organization. 

The purpose must be clear and specific. You must also be able to justify why the processing is necessary for the established purposes. Could you achieve the same goal in another way that is less intrusive for the people concerned?

It is important to use only the data that is truly necessary (data minimization) and to ensure that the data is well secured. 

2. Determine whether you are allowed to use this data 

After defining your purposes for use, you must be able to justify each processing activity based on one of the legal reasons (legal bases) under the GDPR. The GDPR recognizes six legal bases that may apply: 

  • consent from the person concerned;
  • necessity for the performance of a contract;
  • a legal obligation;
  • protection of vital interests (e.g., in emergencies);
  • performance of a task carried out in the public interest or in the exercise of official authority;
  • pursuit of a legitimate interest: a legitimate interest of your organization.

For cultural organizations, the legal bases of contract, consent, and legitimate interest are particularly relevant. Ensure that you can substantiate why you have chosen a particular legal basis. 

Contract 

Often, you need certain personal data to perform a contract. For example, when visitors to a performance receive their ticket via email, you need the visitor's email address.

Consent 

You may process someone's personal data if they have given their consent. People always have the right to withdraw their consent. You must ensure that they can do so easily. For children under 16, parents or guardians must give consent. 

Legitimate interest 

In many cases, the legal basis for processing is the legitimate interest of the cultural institution. For example, for statistical research on visitors, which can help improve your programming and marketing policies or provide accountability to subsidy providers. Processing personal data may also be necessary for certain marketing purposes. 

The condition is that the processing is genuinely necessary for the interest of your organization and that you carefully weigh the interests of those involved against your own interest.

3. Record all processing activities in a processing register 

A processing register is an overview of the personal data you use and why. In most cases, it is mandatory to maintain such a register. Include not only the processing activities but also the associated legal bases. 

4. Publish an (online) privacy statement 

You are obligated to clearly inform people about what you do with their personal data and why.

The most practical way to document this is in a privacy statement on your website. Include in it, among other things, the legal basis or bases on which you process personal data. 

5. Delete data when it is no longer needed 

You must delete personal data as soon as they are no longer needed for the original purpose for which you collected them. This means you may only retain data for a limited period. 

The GDPR does not provide fixed retention periods. Therefore, you can determine these periods yourself, provided you can explain why you chose that period. Document these in your privacy statement and processing register. And just as importantly: adhere to the established retention periods. 

With these five steps, you establish a strong GDPR foundation

The GDPR does not have to hinder cultural organizations. Much is possible as long as you handle personal data consciously and carefully. By clearly documenting which data you use, why you do so, and how long you retain them, you not only reduce risks but also build trust with visitors, participants, employees, and partners.

With these five steps, you lay a solid foundation for a privacy-conscious organization and can better justify why certain processing activities are necessary.


Checklist: process personal data carefully

Use these five steps to check whether your organization has its GDPR basics in order.

  • Identify which personal data you process and why
  • Determine whether you are allowed to use this data
  • Record all processing activities in a processing register
  • Publish an (online) privacy statement
  • Delete data when it is no longer needed