Art businesses ill-prepared for new EU data protection law

Data privacy is getting a long-overdue overhaul with GDPR, but is the art market ready?

Sweeping new European data protection regulations will be introduced in May. Credit: Charles Deluvio

Barely four months before it becomes law, much of the UK art market has yet to address what is billed as the most important change in data privacy regulation in 20 years.

The General Data Protection Regulation (GDPR) comes into force on 25 May to protect European Union citizens against privacy and data breaches, replacing the previous 1995 law. The new law aims to give individuals more power over how and where their personal data is used by companies “in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established”, according to the UK Information Commissioner, which will enforce the law in Great Britain.

Organisations that fail to implement the changes risk heavy fines of up to 4% of global turnover or €20m (whichever is greater), and it will apply to the UK regardless of Brexit. However, when contacted for this article, few galleries or other art market concerns had even begun to plan for the changes.

Many businesses unprepared

One organisation that has taken action is the Society of London Art Dealers (Slad), which circulated a briefing from the art lawyer Simon Stokes of Blake Morgan to members in September to alert them to the stringent new regime.

Slad’s director general Christopher Battiscombe says: “The new legislation is causing some concern and it is still not entirely clear what dealers need to do to comply with it, for example in respect of mailing lists. We are seeking legal advice and also putting on a seminar on it for members this month [February].”

Peter Osborne, the director of London-based gallery Osborne Samuel, says his main concern is how the gallery can use historic data after May: “Can we carry on selectively emailing and mailing our people or do we have to get their formal consent first? Slad think we should be OK; I do hope this is the case.” He fears that if the gallery has to contact everyone on its existing lists to get them to opt in, only a small percentage will respond and “the people we most want to contact (VIPs and top clients) are just the kind of time-poor people who may not reply.”

Portals, aggregators, online auction platforms and the major auction houses appear to have been more active than the trade so far.

Richard Whittle, the marketing director in the UK and Europe for Invaluable, the live online bidding platform, says: “We believe our certification with the Privacy Shield Framework has a direct correlation to our ability to comply with the upcoming GDPR, and we are currently working to ensure complete compliance with it.”

Christie’s has a team working on the project and expects to be fully compliant by the deadline, with a spokeswoman saying: “Confidentiality is at the core of our business.”

Sotheby’s notes that “there are neither specific exemptions under the regulation for the art market, nor specific requirements pertinent to the art market”, but the auction house states that it knows its obligations and has systems, processes and policies in place that are already compliant.

Changes under GDPR

GDPR centres on the individual’s data, not the organisation processing it, in relation to the offering of goods or services (regardless of whether payment is required), and it applies not just to customers, but to staff, suppliers and others.

Firms must make clear requests for consent to process personal data, stating why they want it and providing easily accessible consent forms, while making it as easy to withdraw consent as to give it—so no more interminable, jargon-filled small print. Tick-boxes for opting in will replace those for opting out.

Attention to detail is essential for avoiding the tiered system of fines. Not having records in order, for instance, could cost 2% of annual turnover. The rules extend beyond data controllers to data processors, such as cloud storage facilities, and contracts between the two must be updated to reflect this.

Ian De Freitas, a partner at London-based law firm Farrer & Co, has been advising on GDPR for three years and says clients are most concerned with making sure their privacy and marketing policies are compliant.

He identifies the three main impacts for art market businesses as increased risk, culture change within organisations, and a change in relationships with clients, contributors, employees and service providers.

“Companies should focus initially on making it appear for outward purposes that they are compliant with GDPR,” De Freitas says. “They need to look at the privacy policies and the terms and conditions they offer their customers to make sure they are GDPR-compliant. That still takes quite a bit of work, because you have to know what you are doing with data and that it is completely lawful, and you must also put it all in simple language.”

Lack of clarity

The UK Information Commissioner overseeing this process, however, faces a lack of clarity from European regulators. Operating as the Article 29 Working Party, the regulators are supposed to issue common guidance, “but they have not been very good at doing this”, De Freitas says, “and their language is not clear at all. They have also only issued guidelines in some areas and occasionally in my view they have strayed beyond what GDPR actually requires.”

Regardless of this, once the law changes, the regulators will apply their own interpretation of the rules and the only place to test this will be in the courts, De Freitas says.

Limited resources will force regulators to focus initially on larger organisations in other sectors, such as banking, insurance, technology and retail, he adds. However, they must investigate individual complaints, so reactive investigations could target anyone, including art businesses. “Therefore, if you get any challenges from individuals, be very careful how you respond to these after 25 May, as it could lead to an investigation,” De Freitas cautions.

Firms must review how they share data internally and with other organisations and will have to re-engineer employment contracts as employees’ subordinate status means they cannot freely consent to data permissions.

“GDPR is odd because although it is supposed to be a European-wide measure the member states couldn’t agree on everything, so certain areas will be dealt with country by country,” De Freitas says. “These include areas of employment law, the processing of criminal data and freedom of expression. The UK government is in the process of introducing a new Data Protection Bill, which will fill the gaps, but it is very late in the day and won’t give everyone much time to accommodate UK-specific rules.”

The countdown to “Zero Day” begins

Ian De Freitas of the law firm Farrer & Co identifies the key requirements for GDPR compliance by 25 May 2018

“As ‘Zero Day’ approaches, businesses within the art market need to remember that cleaning up old data takes time and a lot of hard work, so leaving everything to the very last minute is not an option,” De Freitas says. “We have had nearly two years to get ready and it is getting a bit late, so businesses should act immediately. There will be very little sympathy for those that do not.”

  • Establish leadership and assign responsibility. Set up your team and allocate the budget to deal with this process.
  • Map personal data. How do you acquire, use and share it?
  • Analyse processes for compliance. Establish risks and your approach to them.
  • Implement change. For example, obtain renewed consent for holding and using data, amend and reissue privacy policies, and revise service provider contracts.
  • Train staff.
  • Monitor and enforce compliance.

Preparing for the General Data Protection Regulations (GDPR)

12 steps to take now

Awareness

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

Lawful basis for processing personal data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

Children

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

Data breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Data Protection by Design and Data Protection Impact Assessments

You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

Data Protection Officers

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a data protection officer.

International

If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

  • A series of documents to help organisations prepare for GDPR can be found on the Information Commissioner’s website: