Understanding the GDPR legislation
What is the GDPR?
The General Data Protection Regulation is a piece of EU legislation that has been introduced by the EU and will come into force in all EU Member States on the 25 May 2018. The GDPR strengthens data protection law and brings it in line with new technologies and previously unforeseen ways in which data is now handled. As the legislation will enter into force before the UK leaves the EU, the legislation will have effect in the UK.
Why has this legislation been introduced?
New technologies have seen individuals give an increasing amount of data to businesses, and that data is playing an increasingly central part in business strategy. Consequently, data breaches at large companies have been headline news in recent years. Data breaches can lead to Personal Data being accessed by unauthorised third parties which creates a risk of identity theft, fraud and a breach of privacy for the individuals affected. The GDPR requires all businesses that use Personal Data to only use Personal Data where necessary and when they have an appropriate reason and permission to use it. Businesses have a duty to protect Personal Data and to inform the authorities and impacted individuals should there be a data breach.
What is ‘Personal Data’?
Personal Data is any data that can be used to identify a living individual (e.g. name, address, identification number) or any data that could be used in conjunction with other information to identify a living individual (for instance, an IP address doesn’t always identify an individual, but if it is held by a business that is able to identify the individual due to other information held, then the IP address will be Personal Data).
What is a ‘data breach’?
A data breach is defined in the GDPR as a breach of security which leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
What is PRS for Music doing to ensure it is compliant?
How do I report concerns on the use of data by PRS and any partner organisations?
GDPR and PRS for Music members
How does PRS for Music process my Personal data?
If I am no longer a PRS for Music member, can my data be forgotten?
The GDPR does contain the right for data subjects to require that their Personal Data is deleted (the "right to be forgotten") but only where the data is no longer needed for the original purpose it was collected for, if there is no new lawful purpose or if the Personal Data has been processed in breach of the GDPR. Note, however, that there are specific exceptions to this right – for instance, where the data processor requires the Personal Data to comply with its legal obligations (for instance, to provide tax information to HMRC). Even if you are no longer a member of PRS for Music, we may need to retain your Personal Data after your membership ends, for example to ensure that you still receive royalties for any performances that took place during the period you were still a member.
How do I request access to the Personal Data PRS holds about me?
I currently receive marketing emails from PRS for Music, how do I opt out of these?
Every marketing email that we send includes an ‘unsubscribe’ button in the footer of the email enabling you to opt-out of receiving marketing emails at any time.
How would I request that my data is transferred to another collecting society if I decided to leave PRS for Music?