How the Art Market Can Successfully Comply With GDPR

From 25 May 2018, the EU GDPR (General Data Protection Regulation) comes into force, and the penalties for not complying with its demands are severe. Serious breaches can attract fines of up to four percent of a company’s yearly worldwide turnover, or €20 million, whichever is higher [1]. Yet art businesses around the world, be they online art sales platforms, auction houses, dealers, galleries or other professionals in the field, are not all fully confident about what these changes actually mean for them.


The Lowdown

The European Union adopted the GDPR in order to protect individuals in the EU against the growing number of data and privacy breaches in an increasingly data-driven economy [1]. It gives individuals control over their personal information: among other rights, they can withdraw consent they have already given, and ask for their data to be deleted, whenever they wish to do so.


The European Commission states that the following are subject to the new GDPR:

“A company or entity which processes personal data as part of the activities [e.g. a mailing list of clients/prospective clients] of one of its branches established in the EU, regardless of where the data is processed; or a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU” [2].


If your art business is a small or medium-sized enterprise that processes your clients’ personal data in this manner, then complying with the regulation is mandatory. However, not every obligation set out in the GDPR (for example, the need to appoint a Data Protection Officer) applies if your company’s activities do not create risks for individuals and data processing is not a core part of what your company does [2]. Personal data is any information that can be used to identify someone, directly or indirectly. This includes email and physical addresses, bank and bank card details, IP addresses, Facebook or Instagram posts, and so on [3].


In a Nutshell: How the Art Market Will be Affected by the GDPR

Wherever your art organization conducts business from (that is to say, in or outside the EU): if you offer goods or services to, or monitor the behaviour of, individuals who are in the EU, this regulation applies to you. Note that the test is where the individual is, not their nationality: a Singaporean collector living in Berlin is covered, whereas a German citizen living in Singapore is not brought within scope on that basis alone [2].

The regulation will impact the way in which your art business:

• Explains and obtains consent from new and existing clients and prospects

• Adds subscribers to its mailing list

• Holds subscribers’ personal information (for example: on vendors’ contact databases, back-up systems or other cloud-based storage; with artists who are given collectors’ details; with shipping agents; and with debit/credit card processors)


Client Lists

Building up substantial client lists is key to the success of many businesses, and no less so in the art world. To that end, dealers and galleries are understandably concerned about forced changes to the market landscape. Peter Osborne, director of the Osborne Samuel Gallery in London, posed the question: “Can we carry on selectively emailing and mailing our people, or do we have to get their formal consent first?” [3]. Osborne is mindful of the fact that if the gallery is obliged to send an ‘opt in’ request to everyone on its extensive mailing lists, then in all likelihood only a limited percentage of people will respond to it.

Richard Whittle, the European and UK marketing director for the live online bidding platform Invaluable, announced that in order to meet the new regulations his organisation is making careful changes: “We believe our certification with the Privacy Shield Framework has a direct correlation to our ability to comply with the upcoming GDPR, and we are currently working to ensure complete compliance with it” [3]. Moreover, Christopher Battiscombe, the director of the Society of London Art Dealers, stated: “the new legislation is causing some concern and it is still not entirely clear what dealers need to do to comply with it, for example in respect of mailing lists. We are seeking legal advice and also putting on a seminar on it…” [3].


Confidentiality, Auctioneers and GDPR

Client confidentiality and discretion are taken very seriously in a number of spheres, and the art world ranks high on the list. As Sotheby’s notes: “there remain important commercial and legal imperatives requiring confidentiality in certain circumstances” [4]. The auction house has, however, followed the GDPR guidelines and put in place policies, processes and systems intended to ensure it is fully compliant. Christie’s likewise issued a statement informing the public that a dedicated team is overseeing the measures needed to make the auction house GDPR compliant.


Tips on How to Successfully Implement GDPR

The first step is to assign dedicated staff to map out and audit your data flows: determine what personal information you hold and where it came from; locate everywhere this data is stored; find out who you share it with and how it is processed; and record what you currently tell clients about that processing.

The next step is to send a notification to each individual explaining their data rights, how their personal information was acquired, how the company uses it, and who can access it. It should also contain a polite request to ‘opt in,’ together with a copy of your company’s terms, revised in light of the GDPR. Write it in plain language, not legal jargon.


Further Steps

• Add a clear statement to your website that you will not hold personal information without the user’s explicit consent (given, for example, by actively ticking a box that is not pre-ticked)

• If your client mailing list is kept on a vendor’s server in a contact management system, then your company’s privacy policy must acknowledge this

• Reappraise the ways in which you request, manage and record consent, and determine whether these practices are GDPR compliant

• Use a double opt-in for individuals in the EU who want to join your mailing list. (An individual signs up for your newsletter on your gallery or online sales website and is then sent an email containing a link that must be clicked to confirm that they wish to be added to your client list. This is an efficient way of being able to prove consent later.)

• Make sure that your procedures cover all the rights that individuals are entitled to, such as the way in which you provide electronic data, and how you will remove personal information

• If a customer makes a purchase and you give out his/her personal data to the artist, then you are obliged to obtain permission from the purchaser, preferably in writing or by email, on a purchase agreement or an invoice, so you have a record

• If you do not already apply up-to-date security controls to your website, external back-up drives, payment systems and contact management system, and safeguard physical files that contain personal data, then implement the necessary security measures

• Check that your company has procedures in place to detect any personal data breach, so that it can be investigated and, where required, reported to the supervisory authority within the GDPR’s 72-hour window

• To avoid the risk of a violation, inform your vendors and staff (who handle contact, payment and shipping data) about the new obligations the company must adhere to, as well as the potential implications of the GDPR. This could take the form of meetings on the subject, together with comprehensive written information and instructions on the new procedures specific to your business

• Staff must know how to use, store and delete personal data, and be fully aware of what third-party vendors do with the data

• If your company conducts cross-border processing through having operations in multiple EU member states, then you need to establish which one is your lead data protection supervisory authority [5].
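The double opt-in bullet above describes the flow in words; the following is an added illustration (not code from the original article) of one way to implement it so that it actually yields proof of consent. The confirmation link carries an HMAC-signed, time-limited token, so a forged or expired link is rejected, and only a successful click creates a consent record with the time, client address and privacy-policy version. Names such as `SECRET_KEY`, `CONFIRM_TTL` and `MailingList` are assumptions for this example.

```python
"""Double opt-in with signed confirmation tokens and a consent record.

Added example, not from the original article. SECRET_KEY, CONFIRM_TTL
and the class/function names are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, kept server-side
CONFIRM_TTL = 48 * 3600               # assumption: confirmation link valid for 48 hours


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(txt: str) -> bytes:
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))


def make_confirm_token(email: str, issued_at: float, key: bytes = SECRET_KEY) -> str:
    """Token = base64(payload).base64(HMAC-SHA256(payload)); payload = email + issue time."""
    payload = json.dumps({"email": email.strip().lower(), "iat": int(issued_at)},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_confirm_token(token: str, now: float, key: bytes = SECRET_KEY,
                         ttl: int = CONFIRM_TTL) -> Optional[dict]:
    """Return the token payload, or None if it is malformed, forged or expired."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if now - data["iat"] > ttl:
        return None
    return data


@dataclass
class ConsentRecord:
    """What you keep as evidence: who, for what, when asked, when confirmed, from where."""
    email: str
    purpose: str
    requested_at: int
    confirmed_at: int
    confirm_ip: str
    policy_version: str


class MailingList:
    """In-memory store of pending sign-ups and confirmed consent records."""

    def __init__(self, key: bytes = SECRET_KEY):
        self.key = key
        self.pending: Dict[str, str] = {}          # email -> token we emailed
        self.consents: Dict[str, ConsentRecord] = {}

    def request_signup(self, email: str, now: float) -> str:
        """Step 1: web form submitted. Nothing is added to the list yet."""
        token = make_confirm_token(email, now, self.key)
        self.pending[email.strip().lower()] = token
        return token  # in practice: embed in the confirmation link and email it

    def confirm(self, token: str, now: float, client_ip: str, policy_version: str) -> bool:
        """Step 2: confirmation link clicked. Only now is consent recorded."""
        data = verify_confirm_token(token, now, self.key)
        if data is None or data["email"] not in self.pending:
            return False  # forged, expired, or already used
        self.consents[data["email"]] = ConsentRecord(
            email=data["email"], purpose="newsletter", requested_at=data["iat"],
            confirmed_at=int(now), confirm_ip=client_ip, policy_version=policy_version)
        del self.pending[data["email"]]  # token cannot be replayed
        return True

    def withdraw(self, email: str) -> bool:
        """Withdrawal of consent must be as easy as giving it."""
        return self.consents.pop(email.strip().lower(), None) is not None

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self.consents
```

The consent record stores the request time taken from the verified token alongside the confirmation time and client address, which is the evidence a supervisory authority would expect to see; the pending entry is deleted on confirmation so a captured link cannot be replayed to re-subscribe someone who has since withdrawn.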

For more detailed information, see the guidance from the Information Commissioner’s Office: Preparing for the General Data Protection Regulation: 12 Steps to Take Now [5].



This article offers suggestions only. The information given should not be construed as legal advice, and a specialist lawyer in the field should be consulted regarding your company’s individual case.



[1]. EUGDPR (2018). “GDPR Key Changes.” Accessed 19 May, 2018.

[2]. European Commission (2018). “Who does the data protection law apply to?” Accessed 19 May, 2018.

[3]. Velimirović, Andreja (2018). “How Will EU’s New GDPR Law Affect the Art Business?” Widewalls. Accessed 19 May, 2018.

[4]. Christopherson, Tom (2018). “Art Law and the Art Market: Disclosure or Discretion?” Sotheby’s Institute of Art. Accessed 19 May, 2018.

[5]. Information Commissioner’s Office (2018). “Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now.”