Blog

What you actually need to do about GDPR right now

bencurthoys May 22, 2018

So, here we are, 3 days to go, too late to really do anything. So supposing you’ve only just decided that perhaps you might need to think about it a little bit, what do you need to do now?

Well.

  1. You do need to read the guidance, and have senior management read the guidance, and take it seriously, and WRITE DOWN your policies, EVEN if what you currently do now is fully in compliance and you don’t need to change a thing.
  1. Go through this checklist

  1. Assuming you are not doing anything immoral to start with, you probably don’t need to change anything much.

  2. You definitely don’t need to email everyone you’ve ever sold a ticket to, asking for permission to store their data in your database. Under GDPR there are 6 lawful bases for processing data

and if someone has bought a ticket from you, you don’t need to rely on consent. Performance of contract and legitimate interest have you covered.

  1. IF your email marking list is of unknown provenance, imported into Monad from some Excel spreadsheet you used to maintain by hand or from another ticketing system, and you can’t offer any evidence that someone has consented to marketing emails other than “um there’s a tick in the box so they must have done”, you probably should refresh consent for that list before using it. You probably should refresh consent for that list anyway, whether it’s legally required or not. If you don’t actually use email marketing, then don’t request consent for something you don’t actually plan to do.

  2. When designing your new, GDPR compliant marketing permission questions, do be as specific as possible. “May we send your data to selected partners?” is no longer adequate. 3rd parties need to be explicitly identified by name, and best practice is for email lists to be specific about their content and frequency.

  3. Not that you would, because you’re nice, but it isn’t ok to bundle consent. You can’t include marketing consent in the T&Cs that someone has to agree to to buy a ticket: they have to be able to opt in and out of consent-based processing (i.e. marketing) separately. Being granular is part of being specific. Someone might want to receive your regular monthly programme emails without agreeing to any other marketing email you feel like sending.

Permalink | Discuss on our forums

Introducing the new look Order Details page

Apr 3, 2024

Updated profile display starts roll-out with version 2.29.20.0

Mar 26, 2024

A Museum on Mastodon

Mar 14, 2024

On Memberships

Nov 7, 2023

Monad Ticketing brings new features and opportunities with Version 2.0

Apr 11, 2023

Apple and Google Wallet Integrations now supported

Nov 1, 2022

Further updates to Sales UI

Aug 31, 2022

Upcoming UI Changes

Jul 20, 2022

Theatre Tokens Promotion

Mar 23, 2022

Monad Ticketing support team expands with 25+ years’ experience

Nov 3, 2021

We're Recruiting: 2 x Support and Learning Officer

Aug 30, 2021

Pay what you decide - accessibility and payment points

Jul 28, 2021

Pay what you decide (want / can / feel)

Jul 1, 2021

COVID Features summary

Jun 16, 2021

Digital Product Delivery - Part 2

Nov 2, 2020

Open Letter to my MP on the Culture Recovery Fund

Oct 30, 2020

Digital Product Delivery

Sep 18, 2020

A ticket to run?

Apr 5, 2020

COVID-19 preparedness

Mar 13, 2020

Experimental new API and UI

Nov 6, 2019

SECUREmedia Partnership

Jul 9, 2019

Our integration with Theatre Tokens

Feb 28, 2019

Dynamic pricing for small arts organisations

Sep 11, 2018

Is bad data worse than no data?

Aug 21, 2018

On Reading Reports

Jun 29, 2018

Why app integration is the way forward

Jun 5, 2018

The Access Card: What it is, and how it can help your events

May 8, 2018

TPC 2018 Wrap-Up: Is Blockchain the Future of Ticketing?

Apr 10, 2018

TPC 2018 Wrap-Up: GDPR, Legitimate Interest, and the Spirit of the Law

Mar 30, 2018