GDPR Made Clear: Purpose Limitation

October 9th 2025

Plain English guidance for cultural organisations navigating UK GDPR

Welcome back to my seven-part series unpacking the UK GDPR principles – written specifically for arts, cultural and heritage organisations. If you’ve ever wondered whether you can reuse data from one project for another, or whether it’s okay to keep data “just in case,” this post is for you. Let’s talk about Purpose Limitation – the principle that helps you stay focused, avoid data drift, and build audience trust.

Purpose Limitation – Stay Focused

You must only collect personal data for specific, clear and legitimate purposes – and you must stick to those purposes. That means:

  • No collecting data “just in case”
  • No vague or catch-all privacy policies
  • No repurposing data without checking it’s appropriate

If you want to use data for a new purpose, you need to assess whether it’s compatible with the original reason. If it’s not, you may need to rely on a different lawful basis or get fresh consent. Compatibility depends on factors like the context of collection, the relationship with the individual, and whether the new use is reasonably expected.

Practical Tips for Cultural Teams

Be clear about your purpose(s) at the point of data collection

Instead of saying “we collect data for marketing,” say “we’ll email you about upcoming exhibitions and events at [organisation name].”

Make sure your purposes for processing data are listed in your Privacy Policy

You should list each purpose for processing and the lawful basis you are relying on.

Avoid blanket statements

“We may use your data for any future purpose” won’t cut it.

Train staff to spot purpose creep

If someone suggests reusing data for a new campaign or project, pause and check whether it’s covered.

Sector-Specific Examples

Marketing Teams

Ticketing may collect personal data during the booking process, but if Marketing later wants to use that data for promotional emails, the organisation must ensure that the data notification at the point of collection clearly explains this use.

Organisations must communicate the lawful basis — whether consent or legitimate interests — upfront and reflect it clearly in the privacy policy. If relying on legitimate interests, the organisation should:

  • Conduct a Legitimate Interests Assessment (LIA) to ensure the marketing use is reasonable, expected, and not intrusive.
  • Offer a clear and easy opt-out at the point of data capture and in every subsequent communication.
  • Ensure the privacy policy describes the marketing activity in plain English.

Organisations must collect data transparently and ensure consent is freely given, specific, and easy to withdraw — especially when multiple departments are involved.

Fundraising and Development Teams

You gather data from donors to process their donations and send thank-you messages. If you later want to research their giving capacity using publicly available sources, that’s a new purpose. You may be able to rely on legitimate interests – but you must be transparent and ensure the use is fair and expected. A Legitimate Interests Assessment can help you document your reasoning.

Final Thoughts

Purpose limitation isn’t about saying no – it’s about saying what, why and how. When organisations explain why they’re collecting data and how they’ll use it, audiences engage more readily, respond more openly, and place greater trust in them. Be clear, be specific, and stay focused.

What’s Next?

This post is part of a seven-part series exploring each of the UK GDPR principles in turn. Next up: Data Minimisation – how to collect only what you need, and nothing more.

Get In Touch

If you’re a cultural organisation looking for tailored support, plain English policies, or practical training that empowers your team, we’d love to help. Get in touch for a free 30-minute consultation.
