As part of your journey to GDPR compliance, you’ll need to get your privacy notice updated. Thankfully, this isn’t a complex process and we have put together a guide to help you do this.
You’ll need to think about:
- What information you collect.
- Why you do this – what you use it for.
How to use this guide
We’ll run through some of the most common parts of a GDPR-compliant privacy notice. Most are relevant to every organisation, but others (such as guest wifi and ticketing data) may not apply to you.
We’ll provide a real-life example for each one to give you an idea.
The Component Parts
Who we are
After you introduce yourself (your company name), let the reader know how seriously you take their privacy and why you’ve put this privacy notice in place.
Make this friendly and welcoming. The ICO says that you should “align to your house style”. So, use the same writing style as you do in your other copy. A great example of this is innocent drinks’ privacy notice.
Types of data we collect
If you offer guest wifi in your venue, add in how you monitor this and take care of the data. Here’s how Odeon cinemas worded this:
When you use ODEON Wi-Fi we may collect data about:
- a) your device;
- b) the volume of data which you use;
- c) the websites and applications which you access; and
- d) your usage by access time, frequency and location.
Here’s how we let visitors to our website know about our email mailing list:
As part of the registration process for our monthly e-newsletter, we collect personal information. We use that information for a couple of reasons: to tell you about stuff you’ve asked us to tell you about; to contact you if we need to obtain or provide additional information; to check our records are right and to check every now and then that you’re happy and satisfied. We don’t rent or trade email lists with other organisations and businesses.
We use a third-party provider, MailChimp, to deliver our newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice. You can unsubscribe to general mailings at any time of the day or night by clicking the unsubscribe link at the bottom of any of our emails or by emailing our data protection officer firstname.lastname@example.org
When a customer buys tickets or products from you – what information do you collect, why do you collect it, what do you do with it, and where is it stored?
Your newsletter subscription data may also be routed through your box office or CRM system, so be clear about that too.
Here’s how the Abbey Theatre lets its customers know where they can buy tickets without giving their personal data:
“When you purchase a ticket (or tickets), merchandise, membership or gift voucher(s) through the Abbey Theatre Box Office or online your name, address data, email and contact number will be stored in our Box Office system, Tessitura. You may, of course, purchase a ticket (or tickets) in person without supplying the aforementioned personal data. Please be assured that we do not share your personal details with any other company without your consent.”
Say who you share information with, in what form, and for what reason. For example, you may send anonymised box office information to us in order to improve your audience experience. You might also share anonymised ticketing data with touring companies who visit your venue.
Here’s how the Southbank Centre word their third parties section:
“We may share anonymised personal information with other organisations, particularly Arts Council England, who use this to analyse our audience development programmes, ticket sales and self-generated funding to understand the impact of the public investment made in Southbank Centre.
Many of the events at Southbank Centre are presented in partnership with other companies such as with our Resident Orchestras and other artistic organisations and promoters. We will let them know about your booking and share your name and contact details with them but they can’t contact you unless you select either the Email or Post option under ‘I would like to hear about events, news and offers from the artists or companies presenting the events I’ve booked’ as part of your booking online, at the Ticket Office or over the phone. We will not share sensitive information or your payment details.”
Access to your personal information
Under GDPR, the data subject has the right to access and amend any of their personal data that you hold. Make it easy for them by including a name and contact email.
You are entitled to view, amend, or delete the personal information that we hold. Email your request to our data protection officer [NAME] at [CONTACT DETAILS].
Changes to this Privacy Notice
Once you’ve got your own policy written up, make sure it is easy to find on your website. You can also link to it when you’re prompting people to sign up for a newsletter, or when they are entering booking information. Again, it’s a way to show you value your customers’ privacy, so don’t be afraid to highlight it when you see an opportunity.