In any cultural establishment, the collection of data must remain responsible and consensual at all times
We’re all aware of the importance of data protection when it comes to the management of any business, and that includes the running of museums and other cultural venues. Museum leaders must continually ask themselves what ethical considerations are involved in managing, storing and using data in order to stay within guidelines and ensure they are practising responsible data handling.
But it’s understandable for GDPR and data management to feel like a minefield. A long-term plan is vital in order to counteract the volatile nature of cybersecurity and data usage, ensuring that the storage and processing of data remains in line with the General Data Protection Regulation. This should involve working with IT departments and infosec experts to ensure the right policies are put in place.
But what are the consequences of irresponsible data management, and what does an ethical data management plan look like for cultural organisations?
Museums and their GDPR obligations
There are many reasons why museums might collect the data of their visitors and online audience, from newsletter mailing and fundraising appeals, to volunteer management, gift aid and events. However, GDPR guidelines state that “personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).”
This means museums, like other organisations, have a duty to only collect data which is useful, and avoid storing extraneous information. What’s more, data should only be kept for as long as it is required.
GDPR requires museums to practise good security measures both in terms of physical documentation and digital information – supported by clear, constructive policies and procedures. It also reminds museums that everyone has the right to request access to the data held at any time, so it must be stored securely and clearly.
Data is only as secure as its collection points. These differ from organisation to organisation, but some of the most common options are:
- Reception desks
- Friends groups
- Online donations
- Newsletter sign-ups
- Commercial hire
- Volunteer management systems
- Gift Aid data
Organisations of all kinds must be consistent and ethical in their approach to gaining consent, aligning processes across the venue’s physical and digital spaces to ensure best practice throughout.
The consequences of bad data management can be catastrophic
Gone are the days when cybersecurity felt like an abstract concept. Organisations across all industries, including arts and culture, are feeling the pressure to bolster their data protection efforts, as even the biggest museum names fall victim to breaches and hacks.
Back in 2016, New York’s American Museum of Natural History was one such victim, losing almost $3 million in a phishing scandal, which started with a single employee believing a scam email was genuine. Likewise, in 2015, an entire program’s worth of data at Nature Conservancy Australia became encrypted after a member of staff was fooled into clicking a single link.
Meanwhile, in 2019, four of London’s major tourist attractions were targeted by hackers. As a consequence of this, the Natural History Museum, the Imperial War Museum, Kew Gardens and the Tate recorded tens of millions of attacks between them.
What does a data management plan look like?
Before a plan can be created, a data security audit is often advised in order to clarify the journey data takes from visitor to storage. This can highlight any weak spots or areas of concern, while also getting everyone up to speed on the way data management does and should work within the museum space. Common risk points could be forms left unsupervised on the welcome desk, or data spreadsheets being accessible to every member of staff, despite only being used by upper management.
About the author – Tim Deakin
Tim Deakin is a journalist and editorial consultant working with a broad range of online publications.