Data Protection: what are your responsibilities?

Data protection exists to protect individuals from having data about them wrongfully gathered or used by organisations. It boils down to eight key Principles, which any group storing individual’s data must follow in order to comply with the terms of the Data Protection act 1998 (DPA) alongside some additional regulations from the Privacy and Electronic Communications Regulations 2003 (PECR) specific to electronic communications (like email).


  1. What do we have to do?
  2. The Data Protection principles
  3. Direct marketing
  4. Using Cookies
  5. The General Data Protection Regulation (GDPR)

1.  What do we have to do?

Although your group has a responsibility to ensure that data collection, storage and use abides by certain rules, the good news is that these are mostly common sense and quite easy to keep to!

2. The Data Protection principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met

Essentially this means that if your group holds any personal data on your members or the public, you must have a legitmate reason for collecting and using it, and must not use it in any way that could have a negative impact on the individual. You also have to be clear and open about how you’re planning to use the information, and only use that information in a way the individuals might reasonably expect you to. 

2. Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that/those purpose(s)

Essentially, if your groups is storing data about individuals (e.g. the names and phone numbers of members), you need to say why it's being stored when you get it from them (e.g. to let them know about rehearsals), and you need to ensure that you only then use it for reasonable related purposes (i.e. not giving their data to a local company for telemarketing!). If you will use the data for marketing or promotion, there are also further requirements.

Making Music member groups and most not-for-profit organisations are exempt from the part of this principle that requires that your Data Controller registers with the Information Commissioner's Office (ICO). You can check if this applies to you by completing a brief self-assessment survey.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed

You shouldn't store more data than the minimum information needed for your purposes (e.g. you can store someone's home address, but not who else lives there).

4. Personal data shall be accurate and, where necessary, kept up to date

You must take reasonable steps to ensure that the data you collect and keep is accurate and up to date. You don't have to pro-actively check whether details have changed on a regular basis (though this can be good practice), but you should ensure there is a way for people to let you know about changes to their details, and that you update your data as soon as possible after you are informed.

5. Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose

You can't keep information too long. If a member goes on a (long!) holiday for six months, you can keep their data, but if a member leaves and you have no reason to think they will return, you should remove all of their personal data. Likewise, if you collected someone's data to send invitations to concerts and they indicate they are no longer interested, you should remove their data.

6. Personal data shall be processed in accordance with the rights of data subjects under the Act.

This is less intimidating than it sounds - it just means that once an individual has given you their data, they retain some rights over it:

  • To see a copy of the data you hold about them
  • To object to any storage or use of their data that might cause them substantial distress of damage
  • To stop you sending them direct marketing materials
  • To object to any automated decisions made based on their data
  • To have innaccurate data corrected
  • To seek compensation for any loss or damage suffered as a direct result of your organisation failing to abide by the DPA 

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data

If you are holding individuals' data, you must ensure that it is protected from unauthorised access. This would include storing it securely, using strong passwords (if digital) or locks (if physical) and ensuring that noone can access the data unless they have a good reason to.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Though it is unlikely that you would need to, if you plan to transfer the data to a non EEA country, you should ensure that the country provides adequate protections for data, and obtain the permission of the individuals whose data you hold.

3. Direct Marketing requirements

This covers all advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations – for example, it covers a charity or political party campaigning for support or funds. There are slightly different requirements for email, phone and fax communications. The full requirements can be found in the ICO's summary guidance. The most important points applicable for most Making Music groups will be:

Get (and keep a record of) consent before you send

You will usually need a person's consent before you can send them a marketing message.

This must be knowingly given, clear and specific: it should cover your organisation, the type of communication you want to use (e.g. phone, email, fax, SMS) and involve a positive action (ticking a box, sending an email, subscribing to a service). Consent for sending someone emails will usually need to be more explicit than for post (e.g. needing the user to actively 'opt-in' rather than just giving them an option to 'opt-out'.


Implied opt-in for post: "We may write to you by post to keep you informed about forthcoming concerts and other events, [and to let you know about offers from organisations approved by us]. If for any reason you would prefer not to receive such information, please write to [a person in your group who will manage this - ideally the Data Controller] and we shall remove your name from our mailing list."

Explicit opt-in for email: "From time to time we send email to members and supporters giving details of our forthcoming concerts and other events, [and to let you know about offers from organisations approved by us]. If you would like us contact you in this way, please tick this box."

Include a clear way to opt out in every communication

Even if someone has previously given their consent for you to send them marketing messages, they have the right to change their mind. You must give them a clear opportunity to tell you so in your communications (this is especially important for emails, where you will otherwise risk being marked as spam).

E.g. "You have been sent this email because you opted in to hear about our forthcoming concerts and other events. If you would no longer like to receive 

these, please reply to this email with 'unsubscribe'."

Once someone has asked to no longer be sent messages, you must make this change within three months (or ideally within 28 days).

4. Using cookies on your website

A cookie is a small text file that is downloaded onto a computer or smartphone when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions. You may use cookies to track how many users are visiting your website (e.g. through Google Analytics) or to save information about what they have seen (e.g. to auto-complete a form). The PECR regulations extended specific requirements for using cookies.
If you use cookies you should:
  • Tell people which cookies you are using and why (usually on a pop-up or well-signposted 'cookies' page of your website)
  • Get the user's consent to store a cookie on their device (though there is currently some ambiguity about how explicit this needs to be: some websites will show a pop-up message requiring users to agree to cookies being used before continuing, some show a message explaining that cookies are used but do not stop the user from continuing, and some take a user visiting the site as an act of 'implied' consent in itself)

5. The General Data Protection Regulation (GDPR)

From May 2018 the new GDPR will be in place in the UK. The new regulations may mean changes in how you operate in relation to collecting, storing and using data.

We have started to digest GDPR with a view to providing detailed guidance in early 2018. However, our initial assessment is that if you are following current data protection guidelines (as detailed in this guidance) and are acting in a fair and reasonable way in how you collect and use data, the impact of GDPR will not be significant.

Some of the main changes to consider will be:

  • How you get permission to use data for marketing purposes - such as promoting concerts (with particular reference to email addresses).
  • Ensuring data is not kept for longer than necessary. An example might be contact details for a member who left your group 18 months ago. Do you have a reason to keep and use that data? If not, how do you remove it?

If you want to get a head start the most useful thing you can do at the moment is to make an audit of the type of information you hold on individuals and how you collect, store and use it (see an example below).

This should be for every type of individual you work with – members, audience, freelancers, volunteers etc.  If you spend some time collating this information now it will be easier to work out how the new regulations will affect you and where you might have to make changes to ensure you are compliant.

 About the Data

Audience member

Music Director (MD)

What data do we hold?

Name and email

Name, address, phone, email, bank details

How did we get it?

Sign-up sheet at concert

Does the sheet explain how the data will be used and/or include permission tick boxes?

Contract from MD at start of engagement

How is it stored?

On a spread sheet.

What happens to the original piece of paper?

Is the s/sheet password protected – who has the password and when was it last changed?

Stored on computer

Is it password protected? Who has the password and when was it last changed?

How is it used?

To send emails about future concerts

Do they have the option to unsubscribe?

Used to communicate about MD role and pay invoices.

We hope you find this Making Music resource useful. If you have any comments or suggestions about the guidance please contact us. Whilst every effort is made to ensure that the content of this guidance is accurate and up to date, Making Music do not warrant, nor accept any liability or responsibility for the completeness or accuracy of the content, or for any loss which may arise from reliance on the information contained in it.