GDPR: Privacy notices and statements

A key part of your responsibilities under GDPR is to provide easily-understandable and accessible information to individuals at the point at which you are collecting their data - these are called privacy statements.

What should a privacy statement look like?

GDPR says this information should be:

  • “concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.”

Keeping them simple

The important thing about a privacy statement is that it presents the key information in a format that people will actually read and understand - masses of terms and conditions in ‘lawyer-speak’ are not the way to go! The (wide) list of information that GDPR says you should include can make this seem an impossible contradiction, but in reality this can usually be resolved by providing different ‘layers’ of information at different times/places:

  1. A short version of the most relevant information at the point of actually collecting the data – a privacy statement with a clear link/direction to…
  2. More detailed information – this might be in a longer privacy notice (sometimes called a ‘privacy policy’).

Although this ‘layered’ approach can often work well – especially when collecting data online – it will not be appropriate in every situation. Exactly what information you will need to provide in a privacy statement will depend on what data you are collecting, how, and why. We have some guidance on common scenarios below, including example wording and links to template privacy statements and a template privacy notice.

When asking for consent

Under GDPR, requests for consent must be ‘unbundled’ and should be ‘granular’:

‘Unbundled’ – e.g. new members providing their data for group administration shouldn’t be forced to consent to being added to your marketing mailing list at the same time – this must be a separate option on the form that they are able to decline.

Similarly, you can no longer ask people to sign up to your mailing list to be entered into a prize draw (this would count as coercing their consent for the mailing list). Instead, the option to enter the prize draw and the option to sign up to the mailing list must be separate and independent of each other.

‘Granular’ – where possible, consent options should be broken down to give users real choice over how their data is used – e.g. separate tick boxes to consent to being contacted by ‘email’, ‘phone’ and ‘post’ would usually be better than a single option to consent to either all three or none.

Collecting member data for administration

Most of this data would generally come under the lawful basis of either contract or legitimate interest – i.e. you are collecting data necessary for the administration of their membership with your group. This means you don’t need their active consent. However, you should give them access to a privacy statement explaining how their data will be used and you may want to ask them to sign something to confirm that they have seen the privacy statement.

As well as data collected under the lawful basis of ‘contract’ or ‘legitimate interest’, you may also need their consent for some things, such as sending them marketing emails or using photos of them in publicity materials. In this case you cannot use their data in this way unless they give you their active consent (e.g. they tick a box if they agree to this).

Collecting member data through your website

If you collect member data via forms on your website you can probably take a layered approach:

  1. Have simple short version information available at the point of collection (i.e. on the actual website form)
  2. Provide a link away to more detailed information

E.g.

We’re collecting this information from you to help [Group Name] manage your membership and activities with the group. We will not use it for anything else unless you say we can.

You can find out more about how we store and use your data and what your rights are in our privacy notice [link].

If you need consent for anything (e.g. marketing emails) you should include a separate tick-box option for that (see ‘mailing list’ section below).

Collecting member data via email

If you ask for data over email then it is fairly easy to recreate the website process above.

Provide the short version key information in the email and provide a link to the long form information held online. If you need them to show their active consent for any particular uses of their data, this can also be given over email (for clarity you might want to provide them with some specific wording to include in their reply to you e.g. ‘I am happy for [Group name] to send me marketing/promotional emails’).

Collecting member data via a paper form

If you collect this data from members on paper forms, asking them to go to a website page if they want more information is less helpful - is anyone filling out a paper form at a rehearsal likely to bother taking out their phone, typing in a long URL and reading the full information before continuing?

The simplest solution might be to provide all the information on paper at the point of them providing the data – that way they can easily see any additional information they may need before signing and dating the paper for your records and giving any additional consent if needed.

We have a template privacy statement to help with this.

Existing members

As you prepare for GDPR you may find that your existing members’ data was collected without them being shown a privacy statement or asked for their consent (where it needs to have been given).

How you deal with this is a decision for your committee. Certainly, if you’re not already, you should ensure you provide appropriate privacy statements from now on, and there is an argument (of sorts) that data gathered for legitimate purposes in the past (though without a privacy statement) and used without any complaint or issues should practically be ok to continue with.

However, it is always good practice (and will reflect better on your group) to be clear and transparent with your members about the data you hold and use. Since you are likely doing an audit of your data in preparation for GDPR anyway, and given that you see your members regularly at rehearsals or meetings, we’d suggest you use the opportunity to take along a privacy statement for everybody to see/sign and give consent where necessary to bring you up to date.

We have a template privacy statement to help with this.

Of course if you are happy that you have always provided sufficient information and privacy statements (or similar) in the past then there is no need to go over old ground.

Collecting data when you need consent

Sometimes you will collect data for which neither ‘legitimate interest’ nor ‘contract’ is an appropriate lawful basis. This is most often the case when dealing with collecting data to use in your marketing mailing lists. In these cases, you need to gain the person’s consent.

Mailing Lists in general

If you collect data for a marketing mailing list then you will need to:

  • Make sure the person gives active consent (e.g. they tick a box – NB. It can’t be pre-ticked as this would count as ‘passive’ not ‘active’ consent)
  • Provide a short privacy statement including exactly what they are consenting to
  • Provide information on where to find your full privacy notice.

Other considerations: 

  • What data do you actually need to collect? The rule of thumb is to keep it to a minimum - if it is an email sign up list then all you really need is the name and email (not age, location, gender etc.)
  • Third parties: the simplest thing to do, and our recommendation, is to never pass data to third parties for them to use. If you do want to offer the option for people to consent to this (e.g. for them to sign up to your group’s corporate sponsor’s mailing list), you will need to have an additional consent option that is clearly separate from the rest and to reference it in your privacy statement.

Signing-up via your website

Consent: this needs to be positive – i.e. the person signing up has to take an action to say ‘yes email me’. This can be a few different things.

  • It could be a simple form only used for signing up to the mailing list, where you just ask for name and email and make it clear that by completing the form they agree to be on the mailing list.
  • If you have any extra options - such as passing details to third parties - you should include tick box options to indicate consent for each separate part (the group mailing list and the extra option/s).

Privacy statements: exactly what your privacy statement should say will depend on what data you collect and how.

Example - simple form – just name and email (no extra preference/data sharing options):

If you would like to receive emails from [Group Name] about our forthcoming events, offers and activities please enter your details below.

We will not use your data for any purpose other than to email you about our events, offers and activities and we will not give your data to any third parties. You can find out more about how we store and use your data and what your rights are in our privacy notice [link].

If you have a slightly more complicated mailing list sign-up, such as topic or communication method options, then you may need some more details.

Example – form with more options (not including sharing with third party):

[Image: example form with additional options]

We would like to keep you up to date with information about our events, offers and activities. If you would like to receive this information please provide your details below and tick the relevant preference boxes.

Example – form with option for sharing with third party

[Image: example form with third party option]

Signing-up via a paper form

The principles of what to include on a paper sign-up form are the same as those for a website form (see above). Relevant information should be provided on the collection form, consent options offered should be ‘granular’ where possible (e.g. ‘by email’ vs. ‘by phone’) and must be ‘unbundled’ (e.g. ‘enter prize draw’ can’t require the person to consent to ‘sign up to mailing list’) to ensure consent is freely given.

We have a template form to help with this.

NB. When collecting data via a printed form you may also consider having a printout of your group’s full privacy notice on display next to the form. While a hyperlink to this information might be sufficient for users of a form on your website (as the user is already online and can simply ‘click’ to view it) those signing up via a paper form may not have easy or immediate access to the internet. Providing a printed copy helps them get around this potential problem.

We have a template privacy notice to help with this.

Collecting data from volunteers and freelancers

It can be easy to fall into the trap of focusing on member data and mailing lists. But you should provide information about how you will use data to all the people from whom you collect data. This might include volunteers or freelancers such as your MD, a workshop leader or other professional musicians.

In some respects volunteers/freelancers can be treated in a similar way to members:

  • Most data would come under the lawful basis of contract as you need it to arrange their work with you. This means you don’t need their active consent but you should still provide a privacy statement to make them aware of what data you collect and why. 
  • You may need their consent for some things, such as sending them marketing emails or using photos of them in publicity materials. In this case you cannot use their data in this way unless they give you their active consent (e.g. they tick a box if they agree to this).

The approach to providing privacy statements can also be similar to the approach for members.

Collecting data through your website

You can probably take a layered approach:

  • Have simple short version of the information available at the point of collection (i.e. on the actual website form)
  • Provide a link away to more detailed information

If you need consent for anything (e.g. marketing emails) you should include a separate tick-box option for that (see ‘mailing list’ section above).

Collecting data via email

Provide the short version key information in the email and provide a link to the long form information held online. If you need them to show their active consent for any particular uses of their data, this can also be given over email (for clarity you might want to provide them with some specific wording to include in their reply to you e.g. ‘I am happy for [Group name] to send me marketing/promotional emails’).

Collecting data via a paper form

If you collect this data on paper forms, asking them to go to a website page if they want more information is less helpful - is anyone filling out a paper form at a rehearsal likely to bother taking out their phone, typing in a long URL and reading the full information before continuing?

The simplest solution might be to provide all the information on paper at the point of them providing the data – that way they can easily see any additional information they may need before signing and dating the paper for your records and giving any additional consent if needed.

What to include

Whilst the approach might be similar to member data, the privacy statement should be more tailored to the role. It might make sense to provide them with the privacy statement at the same time as a contract/working agreement. This is fine, but it should still be a separate document and not included as part of the contract/working agreement.

We have a template privacy statement to help with this.


We hope you find this Making Music resource useful. If you have any comments or suggestions about the guidance please contact us. Whilst every effort is made to ensure that the content of this guidance is accurate and up to date, Making Music do not warrant, nor accept any liability or responsibility for the completeness or accuracy of the content, or for any loss which may arise from reliance on the information contained in it.