Responsible data management: keeping your museum on the right side of the law and of ethics

In any cultural establishment, data collection must remain accountable and consensual at all times

We are all aware of the importance of data protection in the management of any business, and this includes museums and other cultural venues. Museum leaders must continually ask themselves what ethical considerations are involved in the management, storage and use of data, so that they adhere to guidelines and practice responsible data management.

But it’s understandable that GDPR and data management feel like a minefield. A long-term plan is essential to counter the volatile nature of cybersecurity and data usage, ensuring that data storage and processing remain compliant with the General Data Protection Regulation. This should involve working with IT departments and IT security experts to ensure the right policies are in place.

But what are the consequences of irresponsible data management, and what does an ethical data management plan look like for cultural organizations?

Museums and their GDPR obligations

There are many reasons why museums may collect data from their visitors and online audiences, from sending out newsletters and fundraising appeals to managing volunteers, donations and events. However, the GDPR guidelines state that “personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)”.

This means that museums, like other organizations, have a duty to collect only useful data and to avoid storing superfluous information. In addition, data should only be retained for as long as necessary.

The GDPR requires museums to maintain good security measures for both physical documentation and digital information, supported by clear and constructive policies and procedures. It also reminds museums that everyone has the right to request access to the data held about them at any time, so it must be stored securely and clearly.

Data is only as secure as its collection points. These differ from organization to organization, but some of the more common options are:

  • Reception desks
  • Friends groups
  • Online donations
  • Newsletter subscriptions
  • Commercial rental
  • Retail
  • Events
  • Volunteer management systems
  • Gift Aid data

Organizations of all kinds must be consistent and ethical in their approach to obtaining consent, aligning processes across the venue's physical and digital spaces to ensure best practice everywhere.

The consequences of poor data management can be catastrophic

The days when cybersecurity could be overlooked are over. Organizations across all sectors, including arts and culture, are feeling the pressure to step up their data protection efforts as even the biggest names in museums fall victim to breaches and hacks.

In 2016, the American Museum of Natural History in New York was one such victim, losing nearly $3 million in a phishing scam that began with a single employee believing a fraudulent email was genuine. Similarly, in 2015, a Nature Conservancy Australia program’s data set was encrypted after a staff member was tricked into clicking a single link.

Meanwhile, in 2019, four of London’s top tourist attractions were targeted by hackers. As a result, the Natural History Museum, Imperial War Museum, Kew Gardens and the Tate have recorded tens of millions of attacks between them.

What does a data management plan look like?

Before a plan can be created, a data security audit is often advised to clarify the data journey from visitor to storage. This can highlight weak spots or areas of concern, while making everyone aware of how data management works, and should work, in the museum space. Common risk points could be forms left unattended on the reception desk, or data spreadsheets that are accessible to all staff even though they are used only by senior management.

Only when museums have a clear idea of their current position on data protection can they take the necessary steps to improve it. This may involve working with IT departments and outsourced infosec experts to put in place a realistic plan to keep the venue GDPR compliant, as well as investing in the necessary infrastructure for protection and prevention, creating a privacy policy and ensuring that all staff members are on the same page when it comes to data management.

The MuseumNext Digital Summit 2022 starts on the 6th June, and will feature inspiring insights and case studies from those championing the latest and greatest digital innovations in museums and galleries.
