What is GDPR?

General Data Protection Regulation.

On May 25, 2018, a European privacy regulation called The General Data Protection Regulation (GDPR) came into effect. It provides EU citizens with greater control over their personal data and assurances that their information is being securely protected. The GDPR is the EU’s way of giving individuals more power over their data and less power to the organizations that collect and use such data for monetary gain.

This applies only to music groups in the UK and EU. Note that since Brexit, the UK continues to follow and endorse the GDPR guidelines. Although not the same regulations, they're deemed 'essentially equivalent'. For more details see the Brexit question below.

According to the GDPR directive, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

GDPR defines 3 roles:

  1. Data Controller: The organization that collects data from EU residents, which in our case is the music group.
  2. Data Processor: The organization that processes data on behalf of the data controller, i.e. Muzodo.
  3. Data Subject: The person, i.e. the music group member.

GDPR has 2 main objectives:

  1. Consent to the use of personal data.
  2. Secure handling of data.

Consent

As it pertains to music groups within the context of Muzodo, members have the right:
  1. To access: Individuals have the right to request access to their personal data and to ask how their data is used after it has been gathered.
  2. To be forgotten: Members may withdraw their consent at any time. If members leave the group or withdraw their consent to the use of their personal data, then they have the right to have their data deleted.
  3. To be notified: If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.

Data Handling and Storage

Muzodo data is securely handled and stored in Europe on our servers in the UK and Germany.

Data Security

GDPR includes the concept of "privacy by design". Organisations must review their processes to ensure all data handling aspects are compliant. Muzodo was built from the ground up with security in mind.

Mobile app

Muzodo has an app in the Google Playstore (for Android) and the Apple Appstore (for iOS). We do not send any personal details to these platforms. Once the app is installed on your device, the app gets your event details directly from our servers. As per standard practice, to send you notifications we use the push services provided by these platforms. This requires a unique ID that they provide and associate to your device. Note that any app that sends you notifications (email, Facebook, Whatsapp, etc) uses the same service.

Penalties

There are tough penalties for those companies and organizations who don’t comply with GDPR fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.

After Brexit, does this still apply to music groups in the UK?

Prior to Brexit, the UK Government indicated it would implement equivalent or alternative legal mechanisms. The expectation was that any such legislation would largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard.

The UK continues to follow and endorse the GDPR guidelines. Although not the same regulations, the UK and EU regulations are deemed 'essentially equivalent' which is expected to last until 27 June 2025. For more details see Overview – Data Protection and the EU hosted on the ICO's website.

What are music group administrator responsibilities?

Music group administrators are the "data controllers" and have the obligation to ensure their members' data is collected and processed in a manner consistent with the GDPR regulation. They must ensure the systems (processors), whether formal systems, or storing member data on their computers, that they comply with the regulation.

Does my music group need to appoint a Data Protection Officer (DPO)?

No. DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.


See: GDPR blog by Superoffice

See: Wikipedia - General Data Protection Regulation

See: ICO (for groups in the UK)