GDPR Made Clear: Lawfulness, Fairness, and Transparency

October 2nd 2025

UK GDPR, Demystified for the Cultural Sector

Welcome to the first in my seven-part series unpacking the UK GDPR principles – written specifically for arts, cultural, and heritage organisations. If you’ve ever felt GDPR guidance was written for lawyers, not for learning and engagement teams or box office staff, you’re not alone. This series is here to change that. Each post takes one principle and translates it into plain English, with practical tips your team can apply straight away. Let’s start with the foundation: Lawfulness, Fairness, and Transparency and what the UK GDPR says.

Lawfulness: Only Collect What You’re Allowed To

You need a valid reason (called a “lawful basis”) for collecting and using someone’s personal data. For most cultural organisations, the most common bases are:

  • Consent – for example, someone signs up to your newsletter
  • Contract – for example, you’re processing ticket bookings
  • Legal obligation – for example, reporting payroll to HMRC
  • Legitimate interests – for example, sending a follow-up survey after a performance
  • Public task – for example, archiving photographs and film for heritage purposes

Vital interests only apply in life-or-death situations where consent can’t be obtained. It’s rare in cultural settings, but useful to know when drafting privacy policies or training materials.

Practical Tip: Make sure your privacy policy clearly states which lawful basis you’re using for each type of data. If you’re relying on legitimate interests, ask: is this reasonable, expected, and not intrusive? A Legitimate Interests Assessment can help.

Fairness: Don’t Surprise People

Fairness means treating people’s data in a way they’d reasonably expect. If someone gives you their email to hear about exhibitions, don’t use it to promote your café or share it with a partner venue – unless you’ve told them upfront.

Practical Tip: Put yourself in your visitor’s shoes. Would they be surprised by how you’re using their data? If yes, rethink or reword your approach.

Transparency: Say What You Do, and Do What You Say

Transparency is about being open: individuals have a right to be informed about how you’ll process their data. Your privacy policy should be easy to find, easy to read, and tailored to your audience – whether that’s customers, visitors, participants, donors, or volunteers.

Practical Tip: Use plain English. Break up long paragraphs. Add headings like “What we collect,” “Why we collect it,” and “How long we keep it.” If you work with third parties (like ticketing platforms or survey tools), name them.

Sector-Specific Examples

Box Office: When someone books a ticket, you’re collecting their data under the “contract” basis. If your organisation then wants to send bookers direct marketing about future events, you’ll need to rely on “legitimate interests” or get their consent. Be clear at the point of booking what they can expect – and make it easy to opt out.

Learning and Engagement Teams: When working with schools and young people, be crystal clear about how their data is stored, shared, and deleted. Use accessible language for parents and carers.

Fundraising: If you’re researching potential donors, be upfront about how you gather and use publicly available information.

Final Thoughts

Lawfulness, fairness, and transparency aren’t just legal boxes to tick – they’re about building trust. When your audiences know what to expect, they’re more likely to engage, share, and support your work. Start with clarity. Build with confidence.

What’s Next?

This post is part of a seven-part series exploring each of the UK GDPR principles in turn. Next up: Purpose Limitation – how to stay focused, avoid data drift, and keep your intentions clear.

Get In Touch

If you’re a cultural organisation looking for tailored support, plain English policies, or practical training that empowers your team, we’d love to help. Get in touch for a free 30-minute consultation.
