Equifax aside, it seems that the upcoming GDPR (General Data Protection Regulation) changes are the one thing everyone in the data security industry is talking about. Yet, although the new rules about the way companies will be allowed to treat personal information will become enforceable on May 25, 2018, many are still unsure of what they will really bring to the table.
Despite the overall uncertainty looming over a vast majority of companies, countless articles are being written and consultancy firms are popping up, all with goals of explaining the ways the GDPR will change businesses. Today, we'll take a closer look at what the General Data Protection Regulation is and why it is making a variety of businesses quietly panicking, as well as just how much of an impact this new grand legislative change will have on the art market.
Simply put, the General Data Protection Regulation (GDPR) sets new requirements for all companies dealing with personal information belonging to their clients from the European Union. In case you are wondering what precisely passes for personal data in the eyes of the GDPR officials, here's a quick clarification: personal information is any information that can be used to directly or indirectly identify the individual. This means things like pictures, bank details, emails addresses, posts on various social media, medical information of any kind and IP addresses all fall under PI as far as the upcoming GDPR reforms are concerned.
Following four painstaking years of deliberation, the GDPR was adopted by the European Council in April 2016, and it will become enforceable by May 2018. It will implement complex and comprehensive data obligations on companies, many of which current policies are unlikely to satisfy. New rules will impact corporations doing business within the European Union, but it will also impact any organization in the world that deals with EU citizens regardless of its geographical location.
The main goal of the new regulation will be giving EU citizens back control over their own information - they will now be able to delete and move their data at will, take away consent as easily as they gave it in the first place and enjoy levels of security they never really had before. Failing to meet the new regulation could lead to some draconian fines, with the biggest one being forced to pay four percent of worldwide revenue or €20 million, whichever amount of money is higher.
Just by reading all the novelties the GDPR shall bring forth, it becomes perfectly clear that the new regulation and the art market will be bumping heads as soon as the 25th of May comes about. It's far from a secret that the entire art market is built upon a secretive way of dealing with information, a manner of conducting business that enables the leading figures to make as much money as possible. This lack of transparency will be in direct conflict with the GDPR and it will be interesting to see how the entire situation will unfold.
If successful, the GDPR will be bringing on an entire culture change within art organizations and the way companies deal with clients, contributors, employees and service providers.
Of course, it remains to be seen how capable the very top of the art world will be in finding loopholes around the new laws, which it will certainly try. After all, since many essential aspects of the market will be impacted, it will be impossible for the art market to continue functioning the same as before - if the changes were to make roots in the art market, things like art flipping and shady art dealing would nearly disappear while practices like private auctions would have to be drastically altered.
Unsurprisingly, due to its overall unwillingness to improve the blatant lack of rules, much of the UK and the EU art market is yet to address the demands of what is announced to be the most important change in data privacy regulation in the last 20 years.
One of the rare instances of an art organization apparently thinking how the market landscape will look past this year's May is the Society of London Art Dealers - its director, Christopher Battiscombe, explained his concerns about the forthcoming changes with the following statement:
The new legislation is causing some concern and it is still not entirely clear what dealers need to do to comply with it, for example in respect of mailing lists. We are seeking legal advice and also putting on a seminar on it for members this month [February].
Peter Osborne, the director of London-based gallery Osborne Samuel, also seems to be concerned about what the GDPR will mean for his business:
Can we carry on selectively emailing and mailing our people or do we have to get their formal consent first? SLAD thinks we should be OK; I do hope this is the case.
Osborne’s main concern seems to be that, if his organization is forced to contact everyone on its existing lists to get them to opt in, only a small percentage will respond and give consent – which is, in all fairness, a realistic scenario.
Richard Whittle, the marketing director in the UK and Europe for Invaluable, the live online bidding platform, also stated that his company is taking some careful steps in hopes of meeting the GDPR requirements:
We believe our certification with the Privacy Shield Framework has a direct correlation to our ability to comply with the upcoming GDPR, and we are currently working to ensure complete compliance with it.
Since auction houses are the ones expected to take the strongest hit, so to say, when GDPR becomes a necessity, it's no wonder they are among those already preparing for the forthcoming changes.
Aware that they will be under a very close observation by authorities due to their massive processing of a lot of different data, Christie's made it public that they've already put a team in action in charge of working on making the organization as GDPR compliant as possible. As of March 2018, people running Christie's expect to be fully compliant by the deadline.
Sotheby's, Christie's biggest competitor, also noted that they are aware of the new obligations and that they already have systems, processes and policies in place that are compliant with the forthcoming law.
As May 25th slowly approaches, businesses within the art world need to remember that putting things in order takes time and a lot of hard work, so leaving everything to the very last minute is not really an option (at least not a very good one). We'll now go through the most essential steps an art organization needs to go through if it, for whatever reason, did not already start working on adjusting to the new rules.
First of all, those responsible should set up a team and allocate the budget to deal with the process - alterations the GDPR brings are far from simple and a dedicated team working full time on it is definitely needed. The new team will need to map all the personal data the company has in possession and notify information owners of how their data is acquired, how it is used and who has access to it.
Of course, those responsible should also do little things as these can go a long way when it comes to being GDPR compliant. Changing terms of agreement to be more easily understood and making manners of giving/withdrawing consent are relatively simple things to do and, as such, should be considered a top priority.
The most long-term obligation anyone implementing GDPR changes will have on their hands is training their staff - being GDPR compliant is not just preparing for potential inspections in May 2018, it's supposed to be an entirely new way of doing business long term and it's intended to become a role model for how companies should function in the future.
Although the 25th of May is just around the corner, the truth is that, due to limited resources, authorities responsible of checking GDPR related complaints will have to initially focus on larger organizations in other sectors, such as banking, insurance, technology and retail. This means that it makes sense to presume that the art market will be of secondary concern for the powers that be, leaving it with a little more wiggle room than the case is with other industries.
With that being said, we should also note that GDPR enforcing authorities will be investigating individual complaints, so art businesses would do well to prepare their treatments of data as soon as possible.
As for what we can expect to see from auction houses, museums and galleries after the GDPR D-Day comes up on our calendars, it remains to be seen. Many of the new regulation's most essential requirements directly conflict the usual ways of conducting business in the art world, so we'll just have to wait and see if the new laws can prove themselves stronger than the art market's stubbornness to establish a more transparent method of earning money.
Featured image: A GDPR Padlock on a keyboard, via martechtoday.com. All images used for illustrative purposes only.