Successfully managing data and privacy regulations

Authors: Helen Shone (2017), revised by Faye Clews (2019), Development Partners

April 2026: Note that since the publication of this Success Guide the Data (Use and Access) Act 2025 has changed much of the GDPR landscape. We hope to update this guidance accordingly. In the meantime, for further information we recommend checking the resources on the ICO website at ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources

This guide is intended for museums and other cultural organisations wanting to understand how they should be responding to current data protection regulation.

The General Data Protection Regulation (GDPR) is an EU-wide regulation which came into effect on 25 May 2018. The GDPR gives individuals more rights and protection in how their personal information (their data) is used by organisations.

There are two other pieces of legislation controlling the use of personal information, which work alongside the GDPR:

  • The Data Protection Act 2018 (DPA)
  • The Privacy and Electronic Communications Regulation 2003 (PECR)

This guide focuses on the combined effect of the GDPR and these two pieces of legislation, and covers the most important areas for action now. The GDPR applies to the whole UK, so this guide is suitable for all AIM members across the UK.

Data protection regulations are far more wide-reaching than discussed here, and we recommend reviewing the guidance and the regular updates provided by the Information Commissioner’s Office (ICO) and the Fundraising Regulator, as well as other organisations listed in the further reading section.

This guide is for trustees, senior teams, members of staff and volunteers involved in fundraising or marketing. However, it would be useful to share the key points with all staff and volunteers, since so many of them will come into contact with data collection and processing in the course of their working week. Remember that data protection is not just a fundraising issue: it relates to any data that the organisation collects and uses, from admissions and gift aid declarations to mailing lists and volunteer information.

This guide will outline the main data protection issues to help you carry out an audit of your current position and draw up an action plan. It aims to be a practical guide that will put you on the right path for data protection compliance.
