What is GDPR?

General Data Protection Regulation.

On May 25, 2018, a European privacy regulation called The General Data Protection Regulation (GDPR) came into effect. It provides EU citizens with greater control over their personal data and assurances that their information is being securely protected. The GDPR is the EU’s way of giving individuals more power over their data and less power to the organizations that collect and use such data for monetary gain.

This applies only to music groups in the EU (UK groups, see Brexit question below).

According to the GDPR directive, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

GDPR defines 3 roles:

  1. Data Controller: The organization that collects data from EU residents, which in our case is the music group.
  2. Data Processor: The organization that processes data on behalf of the data controller, i.e. Muzodo.
  3. Data Subject: The person, i.e. the music group member.

GDPR has 2 main objectives:

  1. Consent to the use of personal data.
  2. Secure handling of data.

Consent

As it pertains to music groups within the context of Muzodo, members have the right:
  1. To access: Individuals have the right to request access to their personal data and to ask how their data is used after it has been gathered.
  2. To be forgotten: Members may withdraw their consent at any time. If members leave the group or withdraw their consent to the use of their personal data, then they have the right to have their data deleted.
  3. To be notified: If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.

Data Security

GDPR includes the concept of "privacy by design". Organisations must review their processes to ensure all data handling aspects are compliant. Muzodo was built from the ground up with security in mind.

Penalties

There are tough penalties for those companies and organizations who don’t comply with GDPR fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.

Given the uncertain Brexit, does this apply to music groups in the UK?

It is uncertain at this point if the UK will retain the GDPR post-Brexit. The UK Government has indicated it will implement an equivalent or alternative legal mechanisms. The expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard.

Will Muzodo be GDPR compliant?

Yes. We're working hard to ensure Muzodo is GDPR compliant by May 2018. Muzodo data is already securely handled and stored. Adjustments are being made to obtain explicit consent from group members when they're added to a group for the use of their private data.

What are music group administrator responsibilities?

Music group administrators are the "data controllers" and have the obligation to ensure their members' data is collected and processed in a manner consistent with the GDPR regulation. They must ensure the systems (processors), whether formal systems, or storing member data on their computers, that they comply with the regulation.

Does my music group need to appoint a Data Protection Officer (DPO)?

No. DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.


See: Frequently Asked Questions about the incoming GDPR.

See: GDPR blog by Superoffice

See: Wikipedia - General Data Protection Regulation

See: ICO (for groups in the UK)