Surviving GDPR as a small arts organisation

Strike A Light
3 min readApr 23, 2024


This article was originally published in 2018 — so some of the information may have changed since then!

You’ve heard people saying the letters GDPR in hushed tones with panic stricken faces.

You know it’s to do with data protection and something important you should be doing by 25 May (2018!). You may also have started reading through the ICO website and then decided at the line “standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority…” that maybe you should make a cup of tea and have a sit down first, before filing it away under ‘to do at some point’.

Actually, I’m being unfair. The Information Commissioner’s website is very clear and helpful and their introduction to GDPR here is a very good place to start. They also have a Self Assessment Checklist you can use.

Strike A Light have been undergoing a big organisational development project as we’re now a National Portfolio Organisation with Arts Council England (fanfare, confetti etc) and we’re also in a consortium of arts organisations here in Gloucestershire for a project called Catalyst with Create Gloucestershire. As part of all this we nominated ourselves to explore the world of GDPR and report back for our colleagues.

We’ve been on two different training sessions, we’ve read every single thing we can find online, we’ve watched youtube videos from legal firms, and we’ve condensed it down into an action plan for small arts organisations.

If you’re looking for a place to begin making friends with GDPR then hopefully this will help. Click on the links below to download the documents.

  • This is the action plan which introduces GDPR and what it means for arts organisations, and includes a checklist: GDPR-Action-Plan (.pdf)
  • This is a template for a data audit, which is an important action on the checklist: GDPR-Data-Audit-Template (.xlsx)
  • This is our current draft of our new data protection policy: Data-Protection-Policy (.pdf)

Hope you find this useful and please do read the disclaimer below.
Good luck on your GDPR adventure!

Christina Poulton
Executive Producer, Strike A Light

(image from We Are Lightning, which is coming to Strike A Light on its national tour)


We are sharing these documents in the interests of partnership working, sharing resources and to try and speed up the process for those who have a ‘to do’ list as long as your arm and are drowning in admin (i.e. most of us)

These documents are based on our research as above, presented in good faith, but DO NOT replace formal legal advice and are designed to be used in conjunction with the ICO information and your own research to ensure it is implemented comprehensively for your organisation.

We are still updating these documents for our own organisation as we work through the process and updates are being issued by ICO regularly.

This is also aimed at small arts organisations so information that is less pertinent for that context is only included briefly. If you handle large quantities of sensitive data or work with lots of international partners for example, then you will need more detail for these aspects.

Once you have read through the documents, do use the links included in the action plan for further research to make sure you’re covered.