GDPR Basics for Artists: Protecting your Customers' Privacy

GDPR Basics for Artists: Protecting Your Customers’ Privacy

IIn today’s digital age, where personal data is constantly being collected and processed, protecting your customers’ privacy has become paramount. The European Union (EU) introduced the General Data Protection Regulation (GDPR) to establish the world’s most comprehensive framework for personal data protection. This blog post provides an overview of the GDPR, highlighting its key features with examples, and offering a practical, 10-point checklist for artists and designers to implement GDPR compliance on their websites.

GDPR Basics for Artists: Protecting Your Customers' Privacy | Sketch Design Repeat

DISCLAIMER: The information contained in this blog post is intended for informational and educational purposes only and should not be construed to constitute legal advice. Before taking any action, or before refraining from taking any action, based on the information contained in this post, please consult an attorney.

The Basics of the GDPR

The GDPR is a set of data protection rules and regulations that went into effect on May 25, 2018, and applies to any organization that processes personal data of EU citizens, regardless of its location. In general, the GDPR provides individuals with greater control over their personal information and it imposes obligations on organizations to ensure the privacy and security of such data.

Key Features of the GDPR with Examples

1. Extraterritorial Scope

The GDPR applies not only to organizations within the EU but also to those outside the EU that process personal data of EU citizens.

Example: If you’re an artist based in the United States and your website sells artwork to customers worldwide, including EU citizens, the GDPR applies to you. This means you must comply with its provisions, regardless of your location. Compliance with the GDPR, however, is not required if sales to EU citizens are “merely incidental” or if you are not targeting EU citizens with advertising. If you have EU citizens on your email list, however, you must comply with the GDPR.

2. Expanded Definition of Personal Data

The GDPR expands the definition of “personal data” to include any information that can directly or indirectly identify an individual, such as IP addresses, location data, and cookies.

Example: As an artist, you may collect personal data through contact forms, newsletter sign-ups, or checkouts on your website. This could include information such as names, email addresses, shipping addresses, payment data, and even IP addresses. Under the GDPR, all of this data is considered “personal data” and requires proper protection and handling.

3. Lawful Basis for Data Processing

Organizations must have a lawful basis, such as consent or legitimate interest, for processing personal data.

Example: If you sell artwork or products online, you need a lawful basis for processing customer data. This can be achieved by obtaining explicit consent from customers through a pop-up click screen during the purchase process or by relying on the necessity of processing for the performance of a contract or sales agreement.

4. Data Subject Rights

The GDPR strengthens individuals’ rights, including the right to access, rectify, erase, and restrict the processing of their personal data.

Example: As an artist, your customers have the right to request access to their personal data held by you, update or correct any inaccuracies, and even request the deletion of their data. You should establish procedures to handle these requests promptly and effectively.

5. Consent

Consent must be freely given, specific, informed, and unambiguous, requiring a clear affirmative action from the data subject/customer/subscriber.

Example: When collecting email addresses for your newsletter or conducting sales, ensure that you have a clear opt-in checkbox where users actively indicate their consent to receive marketing communications. Avoid using pre-ticked boxes or assuming consent by default, which run afoul of the GDPR.

6. Data Breach Notifications

Organizations are required to notify data breaches to the relevant supervisory authority and affected individuals within 72 hours of becoming aware of the breach.

Example: If you experience a data breach that affects your customers’ personal data, such as unauthorized access to your website’s database, you must notify both the relevant supervisory authority (e.g., a data protection authority) and the affected individuals within 72 hours.

7. Privacy by Design and Default

Privacy considerations must be incorporated into the design and operation of systems and services from the outset.

Example: Incorporate privacy considerations into your website design. For instance, minimize the collection of unnecessary personal data, anonymize or pseudonymize data where possible, and implement appropriate security measures to protect the data you do collect.

8. Data Protection Impact Assessments (DPIAs)

Organizations must conduct DPIAs for processing activities that are likely to result in high risks to individuals’ rights and freedoms. This is unlikely for artists and designers.

Example: If you plan to launch a new project that involves extensive data processing or presents potential risks to individuals’ privacy, such as an interactive art installation that collects personal data, conduct a DPIA to assess and mitigate those risks.

9. Data Protection Officers (DPOs)

Some organizations are required to appoint a DPO to oversee data protection activities and act as a point of contact with supervisory authorities.

Example: While most artists won’t require a dedicated DPO, consider appointing someone responsible for overseeing data protection compliance within your organization, especially if you regularly process large amounts of personal data or if you have more than 250 employees. Typically, in the U.S.A., this person is the website owner.

10. Penalties and Fines

Non-compliance with the GDPR can result in significant fines, with the maximum penalty being up to €20 million or 4% of the global annual turnover, whichever is higher.

Example: If your website is found to be non-compliant with GDPR requirements and you process personal data without a lawful basis, you could face fines of up to €20 million or 4% of your global annual turnover, whichever is higher.

Related Article: 5 Steps to Set Up Your Surface Design Business

Implementing the GDPR on an Artist’s Website: A 10-Point Checklist

To avoid running afoul of the GDPR, the following is a ten-point checklist of ways to implement the GDPR on your website.

1. Awareness: Embrace Your GDPR Canvas

Understand the basic principles and requirements of the GDPR to ensure compliance. As an artist or designer, familiarize yourself with the GDPR’s principles and requirements, as noted above. Understand how it applies to your creative process, such as collecting and processing personal data from customers, subscribers, or website visitors.

2. Data Mapping: Unveiling Your Artistic Data Landscape

Identify the personal data you collect, where it is stored, how it is processed, and who has access to it. For instance, if you operate an online store selling art prints, note the customer information you gather during the purchase process, including names, email addresses, shipping addresses, IP addresses, and payment details.

3. Lawful Basis: The Foundation of Compliance

Determine the lawful basis for processing personal data and document it accordingly. If you collect customer data to fulfill orders, the lawful basis can be the necessity of processing for the performance of a contract or sales agreement. Ensure you have a clear understanding of the legal basis for collecting personal data and document it for compliance purposes.

4. Privacy Policy: Brushing Eloquent Transparency

Craft a comprehensive privacy policy that clearly explains how you collect, use, store, and protect personal data. Specify the purposes for which the data is collected, the lawful basis for processing, and the rights of individuals.

Provide an easy-to-understand policy that is accessible on all pages of your website. Pre-prepared templates of GDPR compliant Privacy Policies are easily available and affordable on the internet.

5.  Consent Mechanism: Colors of Active Affirmation

When collecting email addresses for your newsletter or marketing communications, implement an explicit opt-in mechanism. Allow users to actively indicate their consent by ticking a checkbox or taking a similar action on a Cookies Notice or GDPR Notice pop-up screen. Ensure that the language used is clear, specific, and informed.

6. Data Subject Rights: Honoring Your Patrons’ Wishes

Develop procedures to handle data subject requests promptly and effectively. If a customer requests access to their personal data, have a process in place to provide them with the requested information within the specified time frame. Similarly, establish procedures for handling requests to rectify or erase personal data.

7. Security Measures: Crafting the Shield of Protection

Implement appropriate technical and organizational measures to protect personal data. Secure your website and data storage systems by using encryption, strong passwords, and regular software updates. If you collaborate with third-party service providers, ensure they have adequate security measures in place, as well.

8. Data Breach Response Plan: Navigating the Unexpected

Prepare a response plan in case of a data breach. Have a clear procedure to detect and investigate breaches promptly. Determine how you will notify affected individuals and the relevant supervisory authority within the required timeframe. Create a communication strategy to manage any potential reputational impact.

9. Third-Party Processors: Trustworthy Artistic Collaborations

If you engage third-party processors to handle personal data on your behalf, such as payment processors or email marketing services, ensure they are GDPR compliant. Review their privacy policies, data protection practices, and agreements to ensure they align with GDPR requirements.

10. Ongoing Compliance: Evolving Artistry, Unyielding Compliance

Regularly review and update your privacy practices to ensure ongoing compliance with the GDPR. Stay informed about any regulatory changes or updates that may impact your obligations as an artist or designer. Provide training to your staff on data protection best practices to maintain a culture of compliance.


The GDPR brings significant changes to the way personal data is handled, shifting the focus towards individual rights and data protection. By implementing the 10-point checklist outlined in this blog post, artists can take meaningful steps towards GDPR compliance on their websites and enhancing data privacy, which fosters trust with their audience.

Remember, GDPR compliance is a mandatory and ongoing process, and staying informed and vigilant is essential to protect personal data and meet the GDPR’s regulatory requirements.

Back to blog