GDPR: Data Protection Overview

Data protection is about organisations collecting and using data in a fair, responsible and transparent way. It puts the emphasis on needing a good reason for holding and using the data and being clear about what those reasons are. It also emphasises the need to have consent from individuals (in some situations), and the individual’s rights over their data. New data protection laws (often referred to as GDPR) came into force in May 2018.

What does data protection mean for a leisure-time music group? 

From a music group’s point of view data protection might seem overly regulatory and just more work to do. But data protection laws apply to all organisations, from multi-national banks to local community organisations. 

Effective data protection should be a good thing for your group. Most of it is common sense and done well can make your group more efficient. This can help with a huge range of things from reputation to committee recruitment and your long-term sustainability.

So what do we actually have to do? 

Exactly what you need to do will vary. We have lots of resources to help (see overleaf). Briefly, some common themes are: 

  • Consider all the data you hold on all the people you work with: members, audiences, volunteers, freelancers (e.g. MD, soloists)
  • You need a good reason to use data, but you don’t always need consent. E.g. you don’t need consent to hold a member’s contact details to communicate with them about group activities.
  • Sometimes you will need consent. This should be positive consent i.e. an individual takes a positive action to give consent (e.g. they tick a box).
  • Either way you should provide individuals with clear and simple information about why you are asking for data and how you will use it. 
  • Data retention – you should not hold data for longer than you need to. You may need some processes to ensure data is reviewed regularly.
  • Documentation – demonstrating that you have polices and processes that address how you use data is important.

This seems like a lot of work

Don’t panic. Data protection does require a bit of thought and attention but is mostly common sense. For smaller organisations the key thing is to show willing and focus on taking practical steps to be responsible in how you treat data. 

Resources (available to Making Music members)


Data Retention

You can view the full guidance on the website of the Information Commissioner's Office (ICO) on these regulations and topics.

Guide to data protection

Guide to direct marketing

Guide to PECR

We hope you find this Making Music resource useful. If you have any comments or suggestions about the guidance please contact us. Whilst every effort is made to ensure that the content of this guidance is accurate and up to date, Making Music do not warrant, nor accept any liability or responsibility for the completeness or accuracy of the content, or for any loss which may arise from reliance on the information contained in it.