FEATURE: Let’s Be Friends… GDPR and What It Means for the Music Industry



Let’s Be Friends…


ALL PHOTOS: Unsplash 

GDPR and What It Means for the Music Industry


MANY of us have received…


emails from various companies and people regarding GDPR and changes to the way our data is held/treated. These emails, largely, give you all the spiel and ask if you can reply back – stating it is okay to keep you on file and contact you in the future. Being in the journalism game; I have received a few of these. I am concerned how my data is held and wonder, when I get emails from P.R. labels and recruitment agencies, just what are they doing with my email address and contact information – is it being used by third-party companies and those who wish to target me through marketing and calls. I will bring in an article that explains what the GDPR regulations mean for those of us in music; when we receive emails asking if we are happy to remain in contact – it can be quite confusing. A couple of problems have arisen from the new laws and how organisations are reacting. There is no need for a person to confirm, verbally or written, to say they are happy for someone to keep their data and be contacted. It is not a stipulation and, although it might be a courtesy, it can backfire quite a lot. I am seeing social media posts where people are receiving dozens of these emails and ask the same thing: Can I not have an out-of-office or message that confirms a ‘yes’ so I do not have to reply to these people one-by-one?!


I have not been barraged with these communications but have received a few that ask me is it okay to continue as before. The thing is; unless you are well-versed and boned-up regarding the new laws and what it means, you are likely to say ‘yes’ without thinking about it. There are complications and mistiness but, going forward, many are worried about their data and how it will be used. Given the Cambridge Analytica scandal with Facebook recently; many are paranoid their banking details/contact details and social media activities are being monitored and sold. Musicians provide their details to venues and promoters; they might have a P.R. label or a record deal – lots of sources who communicate with them and they do likewise. When they embark on a contract or send an email to a venue, let’s say; there is that implication it will be a secure market and transaction; that there will be transparency and equity – there will be no subterfuge and obfuscation that could mean musicians’ data gets into the hands of someone who has not requested it. I said I’d source an article that helps explain how GDPR changes impact music and the way data is held:

The regulation means that businesses need to protect the personal data and privacy of EU citizens within EU states. Personal data includes things can can identify a person, so name, address, web data, health data, etc.

Even if you have no idea what GDPR is (a new data protection law) then you’ll no doubt have had your inbox burned with email after email after email asking you one thing in a manner of different ways…

“Would you like to hear from us again?”

“Please give us permission to contact you after May.”

“Let this not be the end – click here to stay in touch.”

… and about 100 other versions of the same very simple action – Opting in!


The fact that none of us needs to consent to the emails/agreement makes me wonder what the ramifications of being passive are. I am sure I have received tonnes of the buggers but have not had time to read the emails separately. There is so much to digest and, at the end of the day, it boils down to this: whether we want things to stay as they are. There are no dark arts and duplicitous crevices implemented in the new laws that mean things will shift and the data subject is being conned. It is, in essence, dotting the ‘i’ and crossing the ‘T’ to an insane degree. I worry I have forgotten to respond to a few emails and have been taken off mailing lists. I rely on contacts and emails from P.R. agencies so I can keep working. If there is an email that has been sent to Spam or Junk or it has been buried about all the others; I wonder whether I will know who I have overlooked and whether I will hear from them again! The article covers the same ground as me with regards the mass of emails one will receive:

50% won’t open the damn thing and then you’ll lose them. Those occasional openers are bound to get binned. What if they wanted to hear from you but didn’t open that email? They’re gone.

And then… then there’s click rate! The avg. click rate is less than 4% so you’re effectively killing off 96% of your 50% list.


If you had 1,000 people on your list, and you went down the opt-in route, then chances are you’re going to end up with 20 people left!

20! And those are probably a few employees, your friends, and your mum.

If they’re an individual, and an existing customer, then provided they’ve been able to always remove themselves from your list then the soft opt-in applies under PECR, and as we’ll see you don’t need consent under GDPR. You don’t need to delete them.

And here’s the thing, if you haven’t emailed already, you’re way behind those who went early when this was all new and you’ll mostly likely get deleted before you’re opened as we’re all sick of it”.

There is a lot to take in and it brings me back to the earlier point regarding streamlining and making it easier for people to say ‘yes’ to everyone. If we are on a mailing list or signed up with an agency/venue, for example, we have done so for a reason and are capable of removing ourselves when we feel fit. If we are confused regarding compliance with the new regulations; are we losing vital contacts – there are those who we have not signed up for and will email us in an attempt to get our personal details.


How does Legitimate Interest help rationalise the quandary and offer peace of mind?

Legitimate Interest:

“Legitimate interest is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.” – The ICO

Sending out emails under a legitimate interest basis could well be a better solution for you, but you’ll still need to comply with PECR when emailing individuals”.

The new laws protect those inside of Europe but, given the political transition we are seeing; will we still be protected and ‘in’ come this time next year?! It is a big pile of rules and foreign terms we need to decipher to ensure we are making the right choices and doing our due diligence. I will end this thing soon but, reading another piece that looks at GDPR and it advises those who want to be proactive and safe:

Ok, maybe I should be doing something about this – where should I start?
First things first: get familiar with the law and nominate someone in your organisation to lead your company through the new requirements. You might need to appoint a data protection officer. Knowing both the relevant privacy laws and how to apply them to business processes is a considerable challenge. Having an appropriately skilled and qualified person in place is a must, and can repay any costs many times over by focussing any additional work only where it is absolutely necessary, whilst making sure full advantage is taken of the opportunity to engage more deeply with customers and fans.


Knowing what you need to do to comply with GDPR starts with having a proper grip on (i) what personal data you have, (ii) why you have it, (iii) what you use it for, (iv) where it is used and stored, and (v) what rights (consent) you have to hold and use it.

For example, you’ll be relying on consent to market to fans: where is that consent coming from? Do you collect it directly from the fan, or does another company collect it for you? Under GDPR, pre-ticked marketing opt-ins will be a thing of the past. The entity for whom consent is being given will also need to be named (e.g. generic “event partner” opt-ins will no longer be permissible). If you rely on others to collect marketing consent on your behalf, you should ensure they meet the new requirements”.

That is useful advice for organisations and those who have a legal responsibility to get this right – what about us on the other side of the laptop who might be deleting emails or agreeing to stay on a mailing list for the wrong reasons?! A lot of the P.R. companies I speak with know I want to stay in contact and they are not going to use my data in any illegal way. If you do get these emails through – that ask if you want to remain ‘friends’ after May – then check this is a mailing list/firm you have signed up with. If not, then unsubscribe and be asked to taken off their list. If they are legitimate – an employment agency or mailing list for a festival – then do not panic.


Although you do not have to say ‘yes’; a quick reply with that one word is sufficient. You will not find, once you have agreed, you’ll get a lot of unwanted emails and things will change: this is a new process coming in that aims to protect the data of European citizens and will not compromise your security and rights. We are all a bit nervous after the data scandals on Facebook. It is understandable people are confused and reticent right now. An all-out opt-in might cause some problems and create some loss of contact and entanglement. If you check out this advice from the Musicians’ Union then it should make things clearer. I can understand there is frustration because everyone we are in regular contact with is sending emails regarding GDPR and new legislation. Do not get worried and, if concerned, do your research. New laws mean greater protection for people – things are not going to be made worse; it is designed to create better awareness and security. I am among the masses who is unsure what to do but, let us hope, when these new laws come in it will lead to improvement and better personal security…


FOR everyone.