Dealing with GDPR

If it stops our data from being sold, that is a good thing. For now, GDPR is just one more compliance task, and I don’t even live in the EU.

Beach toys, by Carol L. Douglas
I read with mild amusement that galleries may be faced with “onerous new requirements” to prove they are not selling undocumented antiquities, laundering money, or any of the other things covered under the Bank Secrecy Act. I don’t think this is necessarily a bad idea. “The art market is an ideal playing ground for money laundering,” said Thomas Christ, of the Basel Institute on Governance, a Swiss nonprofit that studied the issue.
Most galleries in the US, aren’t dealing with foreign princes and Monet-style pricing. Instead, they’re dealing with compliance of a different sort. On May 25, the General Data Protection Regulation (GDPR) went into effect in the European Union. Living and selling art in a coastal town, even my relatively small list contains names from the EU. There is no exemption from compliance for sole proprietors or small businesses, and the penalties are stiff.
Sea and sand, by Carol L. Douglas
This is why you’ve suddenly been getting emails from vendors asking if you want to remain on their mailing lists. They’re hustling to remain in compliance.
Can I document why I have every name on my list? No way. Some were collected long ago, when I was schlepping a tent from town to town selling paintings on village greens. I will proceed on the assumption that those people would have cleared off my mailing list long ago, had they wanted to.
If you hold and work with data collected from clients, then you need to have a contract with the client stating how that data is to be held and managed. There are two principles involved. The first is that you must have appropriate legal grounds for processing the data and that you do it in a transparent manner. The second is that you must only collect data for a specific purpose and use it only for that purpose.
Off the Marginal Way, by Carol L. Douglas
For the gallerist or artist, this generally comes down to clearly informing your subscribers about how you plan to use their information. It also means that you can’t take the list you got from the church lawn fête and use it for your own business.
You’re also supposed to recite the subscribers’ rights and how they can lodge a complaint. Frankly, that’s more than I can deal with. Luckily, I use Blogger and Mailchimp, and they handle the jargon for me.
I added this note to my blog: “Subscribe here and receive every post by email. Never used for anything else; never passed along.” Had I enough room, I would have added, “because I have no idea how to even collect the darn things from Google, or any plan to sell the names once I collect them. I’m just not that smart.”

Surf, by Carol L. Douglas

It’s one more way that blogs and emails are being pushed into the hands of big operations like Google, but I don’t see any option. Who among us has the expertise to navigate these legal shoals or the resources to lawyer up? Certainly not me.
There is one part of the GDPR that tickles my fancy. That’s “the right to be forgotten.” Say I took photos of you in a drunken brawl at one of my openings and for some reason decided to post them on Instagram. Twenty years later, older and possibly wiser, you objected. You could ask me to delete the photo and I’d have to justify why I shouldn’t. It will be interesting to see how that meshes with American free speech rights.