Cultural heritage institutions will need to navigate multiple dimensions of privacy rights, particularly if they are considering developing commercial and marketing activities. For the past 15 years, I’ve worked as a Data Protection Officer (DPO) across a range of sectors; more recently, I’ve had the privilege of delivering training to and working with museums, archives, and cultural organisations, spaces where data protection is both complex and critical. From implementing robust cybersecurity controls (as highlighted by incidents at the British Library and the British Museum[1][2]), to ensuring lawful marketing practices under PECR and UK GDPR, to managing archival data that forms part of the nation’s historical record, the challenges are diverse and evolving.
This year, the Data (Use and Access) Act 2025 introduced significant changes. While most media coverage has focused on its implications for copyright and AI, there are important updates that cultural institutions should be aware of, particularly in the areas of digital marketing and archiving.
The Data (Use and Access) Act 2025 introduces some new provisions, but its primary function is to amend existing legislation, including the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR). It does not replace these laws; it modifies and supplements them, especially in the areas of lawful grounds for processing, marketing, and archiving in the public interest. In practice this means your existing policies, privacy notices and records of processing remain the starting point: they need reviewing against the amended text, not rewriting from scratch.
Lawful Digital Marketing: What’s Changing?
One of the most significant developments is the confirmation, now written into UK GDPR itself, that direct marketing may be a legitimate interest. However, this does not override PECR, which still requires consent for most forms of electronic marketing, such as emails and SMS. A lawful basis under UK GDPR and a PECR-compliant route for the channel are two separate tests, and both must be passed before a message is sent. So, while the legal landscape is evolving, the need for careful compliance remains.
One particularly positive development is the extension of the soft opt-in to charities. The soft opt-in means you may be able to email or text people without their consent, but only if the conditions attached to it are met: the contact details were obtained when the person expressed interest in, or offered or provided support for, the charity’s purposes; the messages further those purposes; and the person was given a simple way to refuse marketing when their details were collected and is given one again in every message. This is a meaningful change for many of the museums I work with, allowing them to communicate more effectively with supporters, provided they meet those conditions and can evidence them.
At the same time, the stakes have been raised: PECR fines are now aligned with UK GDPR, meaning organisations could face penalties of up to £17.5 million or 4% of global annual turnover, whichever is higher, where the previous PECR maximum was £500,000. So, while there’s new opportunity for cultural enterprises to expand their marketing efforts, the law demands a nuanced understanding of the rules. It’s a timely moment for organisations to review their practices and, where needed, seek out training or expert guidance.
Archiving: What’s Changing?
Archivists often receive personal data from a wide range of sources, but they typically have little control over the legal basis under which that data was originally collected. Under data protection law, every use of personal data must rest on a “lawful basis”, and further processing must be compatible with the purpose for which the data was collected. This creates a problem when data is later reused for archiving, even when the intent is to preserve information for the public good: the collection often happened long ago, for reasons that had nothing to do with archiving, and the original lawful basis may no longer fit.
To resolve this, the Act amends UK GDPR so that personal data can be reused for archiving in the public interest regardless of the original lawful ground, subject to the safeguards that already apply to archiving (such as data minimisation and, where the purpose allows, pseudonymisation). This change provides much-needed clarity and flexibility, enabling libraries, museums, and public archives to expand their collections and preserve a broader range of materials.
As these changes take effect, it’s a timely opportunity for cultural institutions to revisit their data protection strategies. Whether it’s refining marketing consent processes or expanding archival collections, staying informed and compliant is key. If your organisation needs support navigating these updates, now is the time to invest in training or expert guidance.
Naomi Korn Associates is a UK-based consultancy specialising in data protection, intellectual property, copyright, and licensing. We offer in-house and public training courses, including Lawful Digital Marketing and Consent[3] and Data Protection Law for Archives, Museums and Library Collections[4], both of which have been updated to reflect these latest developments. We also provide an Outsourced Data Protection Officer service to several cultural enterprises.[5]
[1] The British Museum Incident: A Stark Reminder of the Importance of Access Controls (Naomi Korn Associates)
[2] British Library Cyber Attack (Naomi Korn Associates)
[3] Lawful Digital Marketing Courses (Naomi Korn Associates)
[4] Archives & Museums Data Protection Law Courses (Naomi Korn Associates)
[5] Outsourced Data Protection Officer (Naomi Korn Associates)