You have probably seen an awful lot about GDPR coming from all angles recently and although I’ve no desire to add more white noise to the conversation, in the spirit of compliance this article sets out what Broadway Baby is doing about this new EU regulation to protect your data.
Essentially the only reason we would store your data on Broadway Baby is to maintain your user account if you are adding a listing, advertising or you are one of our reviewers. We have never, and will never sell your personal details onto a third party or let them ‘rent’ your data for marketing purposes.
We’ve never been big on sending out mailshots, but one decision I’ve taken as a result of GDPR is that should we decide to create a regular newsletter in the future, that it will only go to people who’ve explicitly requested it after 25th May 2018. Even if you left the ‘send me the occasional newsletter’ box checked when you registered, all of those have now been reset. Anyone on the database prior to that date won’t be included unless they’ve updated their preferences to grant consent and for new registrations our mailing list is now opt-in.
GDPR also calls on organisations to keep your data safe, and whilst no company can make 100% guarantees on the Wild West of the Digital Frontier (remember, Russia managed to hack America), we follow the principles of OWASP, which are the guidelines of IT’s best security experts. Even if a hacker managed to crack open the Broadway Baby database they wouldn’t find much of interest – passwords are one-way encrypted and we don’t store any financial info. Your email address is potentially the riskiest bit of data they could get hold of; but as I’ve said, we make our best efforts to keep that safe.
Another aspect of GDPR is the right to be forgotten, and in that regard we’ve already taken the decision to remove audience reviews from the site – so for the majority of people who have created an account on Broadway Baby to add a listing or place an advert, no personally identifiable information is publicly available anyway. If you would like to have your data removed entirely, you can do that by sending a request to firstname.lastname@example.org from the email address you used to register. For our reviewing team, they’ve always had the option of writing under a pen name but they will now also have the right to have all their author panels removed too. Note that the right to be forgotten doesn’t apply to the subject of a review (should you be thinking this new regulation is a shortcut to getting a negative review pulled), as there is a specific exemption for data that's used to exercise freedom of expression and information.