Cymraeg

Data protection checklist

This data protection checklist by Dr Kit Good will help your heritage organisation determine whether the content you are sharing online is data protection compliant.


This resource is available in English and Welsh
Mobile phone displaying Mona Lisa painting
Photo by Fabrizio Verrecchia on Unsplash

Data protection checklist

Data protection checklist

Know your data

Are you posting personal data? The data relates to a living, identifiable individual
Are you a ‘data controller’?
We decide what data we are collecting and what we do with it
We have self-assessed whether we need to register with the Information Commissioner’s Office

Know your high risk data

Are you posting ‘special category’ or ‘criminal convictions’ data? The data relates to an individual’s:
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation
  • genetic data or biometric data
  • Criminal convictions has a separate legal rules 
  • criminal convictions

Have a good reason

What is our legal basis for posting the information online?

We have a legal obligation to post the information
We are public authority and posting the information is part of our public task 
We have a legitimate interest, balanced fairly against the rights and freedoms of the individual
We have obtained the individual’s informed, freely given, affirmative consent 

 

If we are posting ‘special category’ or criminal convictions online, what is our additional legal basis for posting the information online?

We have obtained the individual’s explicit consent 
The individual has clearly put the information in the public domain already

Keep it in scope, relevant and accurate

We are using the data only for our stated purposes  
We are posting only the data that is relevant to the purpose, and is not excessive or more than we need  
We have checked to ensure the data is accurate before posting

 

Take it down when you’re done

We keep the data no longer than is necessary
We have a retention policy based on legal or business requirements

 

Keep it safe

The website and/or platform we are posting data to has a robust firewall and up-to-date software 
We have IT staff or a contracted IT service that assists with cyber security 
Where we use third party social media platforms, we use complex passwords and restrict access to trained staff
Our staff are trained and aware of data protection and IT security, including being aware about phishing links, sending encrypted files and checking email recipients before sending 

 

Be accountable

How can my organisation prove it is data protection compliant?

The website and/or platform we are posting data to has a robust firewall and up-to-date software 
We have IT staff or a contracted IT service that assists with cyber security 
Where we use third party social media platforms, we use complex passwords and restrict access to trained staff
Our staff are trained and aware of data protection and IT security, including being aware about phishing links, sending encrypted files and checking email recipients before sending 
We have documented our data protection processes and procedures  

 

Tell people what you’re doing

How do I let people know how we process their data? 

We have a privacy notice in place that states to individuals: 
  • The name and contact details of your organisation
  • The purposes of the processing and the lawful bases, stating the legitimate interests for the processing
  • The types of personal data you process and where you get it from, if you haven’t got it from the individual 
  • Details of any third-parties you share data with, including details of any international transfers and the safeguards you apply 
  • How long the data you process is kept for 
  • How they can exercise their rights 
  • The contact details of your Data Protection Officer or equivalent representative

 

Let people find out more

Staff know how to recognise a data subject rights request (DSAR) when it is received 
The organisation knows how to deal with data subject rights request 
The organisation is able to remove / delete information provided based on consent 

 



More help here


old computer with screen and floppy disc

Is the content I’m sharing online data protection compliant?

Whatever the aims, if you are sharing personal data online, you need to comply with data protection laws. This guide by Dr Kit Good takes you through the key things you need to consider when sharing personal data online.

 
A file drawer with multicoloured paper folders packed tightly together is seen. One pink folder is in focus and pulled out slightly compared to the rest.

How can I ensure that personal data is protected when creating and sharing content online?

In this article, Laura Stanley explores how heritage organisations can remain compliant under the relevant data protection laws when sharing content on their digital channels.

 
Published: 2022


Creative Commons Licence Except where noted and excluding company and organisation logos this work is shared under a Creative Commons Attribution 4.0 (CC BY 4.0) Licence

Please attribute as: "Data protection checklist (2022) by Dr Kit Good, Naomi Korn Associates supported by The National Lottery Heritage Fund, licensed under CC BY 4.0




 
 


More help here



Digital Heritage Hub is managed by Arts Marketing Association (AMA) in partnership with The Heritage Digital Consortium and The University of Leeds. It has received Department for Digital, Culture, Media and Sport (DCMS) and National Lottery funding, distributed by The Heritage Fund as part of their Digital Skills for Heritage initiative. Digital Heritage Hub is free and answers small to medium sized heritage organisations most pressing and frequently asked digital questions.

Arts Marketing Association
Heritage Digital
University of Leeds logo
The Heritage Fund logo