How can I ensure that personal data is protected when creating and sharing content online?

In this article, Laura Stanley explores how heritage organisations can remain compliant under the relevant data protection laws when sharing content on their digital channels.

This resource is available in English and Welsh

Protecting the data of your audiences is vital for heritage organisations. Whether you are conducting research into your local area or creating content about community projects, you always need to ensure you are protecting the personal data of the people who participate.

In this article, we’re going to share tips on which data laws apply to content creation and sharing, how organisations can ask for consent from the people involved in their content, and how they can use research without falling foul of data protection laws.


1. What is the law?

The first thing you want to do is look for the right legal information. Most regulations are available online, along with some informational resources and implementation guidelines for organisations.

For UK legislation, you can find very handy guides that go into more depth on the Information Commissioner’s Office (ICO) website. The ICO is the UK’s independent regulatory body looking after information rights.

The main rules for data protection in Europe are set out by the General Data Protection Regulation (GDPR). This was brought in by the European Union in 2016 to ensure all data is used fairly, lawfully, and transparently.

After Brexit, the UK introduced the UK-GDPR, which was essentially the same as the European GDPR but changed to accommodate domestic laws. UK-GDPR is supplemented by the Data Protection Act 2018 (DPA 2018). DPA 2018 covers exemptions from GDPR, such as for law enforcement or national security.

The guiding principle of GDPR and UK-GDPR is that there should always be a legitimate interest in the data you collect. Under the legislation, individuals have the right to be informed how their personal data will be used, the right to have their personal data erased, and the right to know exactly which elements of their personal data an organisation may hold.


2. What is personal data?

Once you’ve researched the law, the next step is to understand what constitutes personal data.

Personal data is defined as “information that relates to an identified or identifiable individual”. This could be anything from a name and number to an IP address.

For heritage organisations creating content, this could mean the data of people interviewed as part of an oral history project or someone you emailed for research purposes. If they are identifiable through your content, you need to take steps to protect their information or gain consent for its use.

This could also mean anyone identifiable who appears in your photos or films. To comply with UK-GDPR in this case, you’ll need to prove you have consent from every identifiable individual in your content.

During this process, you need to gain what is called informed consent – you must tell them how their data will be used, who by, and for what purpose. It could simply mean having them tick a box online (on surveys and questionnaires, for example) or asking them to sign a form.

By gaining consent, you protect your audiences, giving them control over their personal data and how it is used.


3. How can I protect personal data?

Anonymise your data

Data that has been anonymised is not subject to UK-GDPR rules because all identifiable information has been removed.

Anonymising data limits the risk to your audiences because it cannot lead directly back to them in the event of a cyber breach. It is good practice to anonymise data when conducting surveys or research that will inform your content, in cases where you don’t need specific names or details.

However, anonymising data has to be a thorough process. Removing names is not enough – if any data set can lead back to an individual, such as the name of their organisation and job role, then it has been pseudonymised, not made anonymous. That data still needs to be protected under UK-GDPR.

Consent forms

Anonymisation won’t work to protect the data of those who feature in your visual content, such as people speaking in your videos or appearing in the background of your photos.

For those people, you need to gain explicit permission for use of their name and image.

Consent forms and opt-in permissions are very important in staying compliant under UK-GDPR. You should use them for all data collection. You might even use your content to collect data that will inform your next piece or run a competition for those participating in it, in which case you may need to contact them later.

The most important thing is to be transparent about how you will use the data they give you and, if in doubt, always ask permission.

You can read what you need to include in a consent form below.

The humble notice

If you’ve ever stumbled across someone filming, you’ll have already seen this notice. “This event is being filmed/recorded for promotional purposes. By attending or participating in this event, you are giving consent to be recorded and for your image to be used in the future.”

This option is good for people filming or recording live events, such as a live podcast or a talk with an expert from your organisation. But you must ensure that you are clear about the purposes of the recording, stating what it will be used for and what it may be used for in the future.

You must also ensure that the sign is seen by all attendees. It must be clear and visible to ensure that attendees knowingly give consent for their image to be used. Organisations may also benefit from including such information on any tickets, emails, or on their website prior to filming.

It is less likely that large groups will be identifiable in your filming if you don’t focus on individuals, and therefore UK-GDPR won’t apply. But for those wanting to err on the side of caution, putting a notice out supplements the consent form. Anyone directly featured in the recording, such as an interviewee, still needs to fill one out.


4. What to include in a consent form?

UK-GDPR stipulates that consent should be “freely given, specific, informed and unambiguous”. These principles should be reflected in your consent forms.

You need to include information on:

  • What the content will be used for (e.g. promotional or archival purposes)
  • Who is using it (e.g. the name of your organisation or project)
  • If the data will be stored for future use
  • Who to contact if they have any concerns

Remember: the goal with your consent form is transparency. Be concise and clear – you want people to understand what they are signing up to.

It is also important to be aware that people have the right to withdraw their consent at any time, even if they initially fill out a consent form. If they choose to do so, you’ll need to stop using their data, and therefore their image, immediately.


5. More tips on protecting your data

Stay cyber secure

Protecting your data isn’t just about staying compliant – it’s also about keeping it safe. It’s important that you have technology you can trust.

Data breaches occur when cyber criminals can access an organisation’s network through vulnerabilities in their system. To guard against this, you must continually update your software and apps (this is called patching) and train employees on how to spot phishing attacks that could lead to data being stolen.

You should also have good antivirus and endpoint protection software to prevent anyone gaining access to your devices – this is especially important now that employees work at home, on their own Wi-Fi networks and in the cloud.

It’s also important to note that, if any data breaches do occur, you need to report them to both the people affected and the ICO within 72 hours.

Review the data you need

Once you have gained consent, you can keep data as long as you need, as long as you are using it for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. This stipulation is very helpful for heritage projects.

However, if you review your data and find you don’t need it or it is no longer in the public interest, it is more ethical to remove it or put it “beyond use”.

Limit access

By limiting access to certain data and content, you can keep track of who has eyes on it at all times. Research has shown that 85% of data breaches have a human element, even if it was just clicking on a phishing email by accident. But by allowing employees and volunteers different levels of access, organisations can limit that risk.

Keep learning

Data laws change all the time – as we saw with Brexit and the addition of the DPA 2018 – and they vary from country to country. Do your research regularly to ensure that you understand and are complying with all relevant regulations. Always err on the side of caution.

If you are concerned about how your organisation protects its data, you can undertake a Data Protection Self-Assessment through the ICO.

Designed to help small to medium sized organisations in all sectors, the tool helps organisations to assess their current compliance with data protection laws and offers practical steps they can take to keep the personal data of their audiences secure.


More help here


Data protection checklist

This data protection checklist by Dr Kit Good will help your heritage organisation determine whether the content you are sharing online is data protection compliant.


Is the content I’m sharing online data protection compliant?

Whatever the aims, if you are sharing personal data online, you need to comply with data protection laws. This guide by Dr Kit Good takes you through the key things you need to consider when sharing personal data online.


Published: 2022
Resource type: Articles

Creative Commons Licence Except where noted and excluding company and organisation logos this work is shared under a Creative Commons Attribution 4.0 (CC BY 4.0) Licence

Please attribute as: "How can I ensure that personal data is protected when creating and sharing content online? (2022) by Laura Stanley, Charity Digital supported by The National Lottery Heritage Fund, licensed under CC BY 4.0"



Digital Heritage Hub is managed by Arts Marketing Association (AMA) in partnership with The Heritage Digital Consortium and The University of Leeds. It has received Department for Digital, Culture, Media and Sport (DCMS) and National Lottery funding, distributed by The Heritage Fund as part of their Digital Skills for Heritage initiative. Digital Heritage Hub is free and answers small to medium sized heritage organisations’ most pressing and frequently asked digital questions.
