News

NPO data sharing agreements cancelled amidst GDPR panic

As around 40 arts organisations are told that their agreements with Southbank Centre are being terminated, ACE threatens to withhold funding from NPOs that fail to share their data.

Christy Romer
6 min read

General confusion and a growing state of panic have seen Southbank Centre cancel its data sharing agreements with around 40 arts organisations in a bid to comply with the General Data Protection Regulation (GDPR), which comes into force today (25 May).

Data sharing between NPOs became a condition of Arts Council England (ACE) funding in 2016 and any actions taken to unilaterally curtail or end previously agreed data sharing arrangements could set them at odds with their primary funder.

ACE is clear that its NPOs are contractually obliged to enter into legally compliant data sharing agreements with their partner NPOs, and a deadline is approaching for them to report on the extent of their data sharing to the national funder. An ACE spokesperson told AP that, for those which fail to operate such agreements, “we will withhold payments until they do so”.

Ditched agreements

Most of England’s NPOs drew up their data sharing agreements following advice from the Information Commissioner’s Office (ICO) in 2015, but concerns are circulating in the sector that these agreements may not comply with new GDPR rules.

Southbank Centre told AP it took the decision to cancel its agreements after receiving independent legal advice which said that in order to continue sharing customer details, it would need proactive confirmation from every customer on each transaction involving a third party.

“This would be logistically impossible for the organisation as well as placing a disproportionate administrative burden on audience members,” a spokesperson said. They added that Southbank Centre will continue to share anonymised and aggregated audience data with partners.

Sadler’s Wells – which shared data for eight productions in 2016-17 – told AP that although it only enters into data sharing agreements with NPOs on a production-by-production basis, it is “currently reviewing the nature of the consent and how we obtain it for any future performances, in light of GDPR requirements”.

GDPR concerns

Under the new regulation, passed by the European Parliament in April 2016, arts organisations will need to keep detailed records of which of their customers have consented to be contacted with marketing information, when that consent was given, and what they were told would happen with their data.

Crucially, the organisations must also keep track of the means through which an individual has agreed to be contacted and how this differs at other NPOs with whom they share data.

Ticketing expert Roger Tomlinson explained that this level of detail is not something most arts organisations have had in place, even though it has been best practice since the Data Protection Act of 1998.

He said: “There’s no doubt it will be necessary to revisit sharing agreements and put revised ones in places that comply with GDPR.

“There will need to be interesting conversations about the nature of consent and the granularity of consent that individuals have given.

“But this is all happening as the law is being implemented. The Law was passed in 2016, and all of this should have been sorted last year.”

Legitimate interest?

According to Tomlinson, many arts organisations have until now taken the view that if an individual has purchased a ticket to see an event, this ‘transactional relationship’ means they are probably interested in receiving marketing communications. Under some data sharing agreements, this logic extends to the third parties, with both the performing arts organisation and the presenting venue being entitled to contact them.

Spektrix’s Michael Nabarro argued in AP that where there is a pre-existing relationship between one arts organisation and one customer, “it’s reasonable to expect customers and donors, who have been happily receiving communications from an organisation for months or even years, to be happy to continue receiving these communications.” But he noted third party sharing is different, and in most cases will require customer consent.

Southbank Centre takes the view that a relationship that asks individuals for consent for their information to be shared with ‘relevant third parties’, rather than named arts organisations, is no longer valid.

Its position is supported to an extent by The Audience Agency (TAA), the charity tasked with enabling arts organisations to use data to increase their reach and relevance. TAA says that to be fully compliant with the legislation, “consent must name the 3rd party organisation with which data is to be shared”.

Valid agreements

TAA stressed, however, that previously existing data sharing agreements will not automatically be invalid under GDPR. A spokesperson told AP that data sharing agreements have been locally drafted to suit the specific circumstances of different organisations, and “may or may not contain all the clauses required under GDPR”.

They added: “Also, those NPOs that have prepared for GDPR with due diligence in advance of 25/05/2018, in terms of the agreements that they have in place and the consents for sharing that they collect, will likely have data that they can legitimately share.”

Data agency Purple Seven, which supports data sharing at both Southbank Centre and Sadler’s Wells, told AP that if the process is done transparently and using consents that are in place, GDPR “should not radically change the way in which the industry operates”.

“The implementation of GDPR simply means that the industry will continue to collaborate in ways it has always done – but the regulations now mean that this will be done with much greater transparency and acknowledgement from the customer,” said a spokesperson.

“Of course, there are still some areas of GDPR that have been purposefully left wide open to interpretation and this might impact how the industry operates whilst case law is defined.”

Unlikely to be fined

The regulator has dismissed fears that huge fines could be imposed on small businesses that have failed to comply. Speaking on BBC Radio 4’s Today programme, Information Commissioner Elizabeth Denham stressed that today “is not a deadline” and the ICO would be looking for a commitment to move forward with new obligations, rather than “perfection”.

Whether or not arts organisations have correctly interpreted the GDPR legislation, Information Commissioner Elizabeth Denham has said it is “nonsense to think that the ICO is going to be making early examples of small businesses by levying large fines.”

ICO guidance stresses that a number of criteria need to be assessed before imposing a fine on those who haven’t complied, such as “the number of people affected, any damage to the data subjects, the negligent or international nature of the infringement” and “action taken by the data controller to mitigate the damage”.

Denham added: “We are going to be focused on businesses that deliberately, persistently or negligently misuse data.”

 

This article was amended on 29/05/18 to more accurately reflect Michael Nabarro's position.