The new law, the General Data Protection Regulation 2018, will apply in the EU and non-EU countries holding data on EU citizens and gives consumers more control over how organisations use their data.
It requires businesses to have a ‘legitimate interest’ for holding that data and gives individuals the right, through a ‘subject access request’, to see the data collected on them.
Art market firms contacted by ATG have detailed their preparations, such as revising privacy policies and staff training – see auctioneer round-up below. Though GDPR does not necessarily require it, some are emailing their customers and contacts to get consent to continue marketing to them.
Simon Stokes, art and data privacy partner with law firm Blake Morgan, advises art market firms that “there is still time to take practical steps to comply – updating privacy policies, marketing practices, reviewing IT security and ensuring all areas within your business where personal data are processed are considered and the necessary steps taken.”
"Confidentiality lies at the core of our business and, although we already have stringent privacy rules in place, this has been a high priority project for Christie’s," a spokesperson tells ATG.
Christie's has had a cross-functional team working to ensure compliance with GDPR "for some time". This team is led by a dedicated manager and reports to a steering group formed of senior management, including Christie’s technology officer and heads of legal and risk and marketing.
The Christie’s GDPR team is reviewing all aspects of its business to ensure that the 252-year-old firm is compliant with the GDPR. It has:
- Appointed an international director of governance and data protection to oversee data privacy through the transition period;
- Audited and mapped the personal data it processes and the legal basis for doing so;
- Reviewed and revised its policies, processes, guidance, systems, and terms and conditions in light of the new regulation;
- Assured clients that these policies and processes will be implemented globally, so that their data will be protected regardless of where they are based;
- Rolled out compulsory global e-learning training for all staff together with tailored training for certain areas of the business.
Stansted-based auctioneer Sworders tells ATG it is undergoing the following GDPR preparations:
- All Sworders employees have completed a mandatory GDPR questionnaire which was then used to compile a data audit detailing how the firm processes data as a company and as individuals. "This enabled us to ensure we are fully compliant, both with data security and the flow of data between Sworders and third party companies," says Emma McCann, digital marketing executive at Sworders.
- The firm has been holding a monthly GDPR meeting, attended by its law firm;
- On April 12, the firm began its "three strike" re-consent email campaigns to the full Sworders marketing database, excluding new sign-ups for which it has clear dates of consent, asking them to confirm that they wish to continue receiving marketing emails.
Anyone not responding to a second and third invitation to opt-in is securely deleted from the Sworders mailing list.
"We have always taken client confidentiality and the storage of personal information seriously," says Jane Tennant, a director of Tennants Auctioneers. "Maintaining client trust is at the heart of our reputation and one of the main reasons clients do business with us."
The Leyburn-based auctioneer looked into the new GDPR requirements and, following legal advice, "set about a re-subscribe process to cement client consent," Tennant tells ATG. "While this process will undoubtedly reduce our mailing list, we are already seeing positive signs that it will result in a database of the most interested and engaged clients."
Fellows tells ATG that it is taking a risk-based approach, recognising that meeting the new regulations will be a gradual process for most companies.
“We are also rehearsing the process of breach notification internally and are putting in place a clear process for subject access requests.”
In readiness for EU GDPR on May 25, Bonhams has spent the past year implementing changes and reviews – "all of which have been undertaken to ensure the continued protection of our clients’ personal data," a Bonhams spokesperson tells ATG.
"These changes are cultural, technical and process-orientated, ranging from a dedicated data protection leadership team, to the reclassification of customer data, new technical infrastructure, website changes and enhanced security provisions.
"Bonhams remains dedicated to protect the personal data we hold."
"The introduction of new data protection laws through GDPR, which will impact on Sotheby's operations globally, has provided us with an opportunity to review all aspects of our business where personal data is used or processed," a spokesman told ATG.
"This review is being conducted both internally throughout the Sotheby's group of companies and in relation to our external vendors, and to ensure that we have systems, processes and policies in place to manage any data to the standards expected under the new regulations.
"For the past year Sotheby’s has engaged in a comprehensive process to identify the data we hold and to ensure we have implemented privacy, confidentiality and information security measures consistent not only with GDPR and laws of other jurisdictions, but to our own high standards."