By Charles Oppenheim, Senior Consultant, Naomi Korn Associates


Image credit: Aymanjed

I’ve been in the licensing of digital resources business for nearly 40 years (I first started in 1980); for the first twelve years I worked for electronic publishers (Thomson-Reuters and Elsevier), negotiating licences with other database producers and with libraries. The subject areas ranged from scholarly information, via business information, through to real-time financial information. Since 1992, I’ve been on the other side, negotiating licences (or advising on such negotiations) on behalf of users or libraries with electronic publishers. One great advantage of my experience on both sides of the fence is that I can recognise phoniness when I see it. On that basis, I offer the following tips to anyone entering into negotiations with a vendor of electronic information, whether on a small scale (maybe subscribing to a single publication) or on a large scale (such as a “Big Deal” negotiated between a group of universities and a major digital publisher).

  1. The first, and most important thing is: prepare, prepare, prepare. Think about what you want to achieve in the negotiation, how much you are willing to pay, and so on before you start talking to the vendor.  Identify what is “must have” and what is “nice to have” for you or your patron.
  2. Many vendors will tell you “these are our standard terms”, implying that they are non-negotiable. Now of course, if you are small beer for the vendor (maybe you want to get an eBook for your own private use), you may have to swallow what is on offer. What follows is my advice for cases when you represent a potentially significant income for the vendor, or a potentially prestigious client for the vendor. In such cases, we are talking about negotiating with the vendor.
  3. NEVER accept any oral licence, or any oral assurances “that won’t be a problem” or similar. Have everything confirmed in writing.
  4. As a first stage, it is normal for the vendor to send you a draft contract. Read through the draft contract carefully.  If there is any wording you don’t understand, or if you don’t understand the implications of a particular clause, ask for a written explanation.
  5. Be prepared to push back against any clause you don’t like. “But these are our standard terms”, “no one has ever complained about this before”, “that’s our standard price” etc., are inadequate responses – keep pushing – and of course, if need be, walk away.
  6. Consult with others (personal contacts, email discussion lists) to see if they have thoughts about a particular clause that concerns you. The Liblicense discussion list is very US-oriented, but it may be useful to join it. The JISCMail library licensing discussion list is less active, but is UK-oriented.
  7. Be prepared to insist on the insertion of clauses along the lines of “for the avoidance of doubt, nothing in this contract shall prevent a user from…” For example, insist on a clause that nothing in the licence shall prevent a user from taking advantage of an exception to copyright built into the law. A surprising number of draft contracts do not include such a clause.
  8. Make sure you cover everything you need or want – there is no point in avoiding possible confrontational issues for a quiet life, or in your anxiety to conclude a deal.
  9. Be prepared to bargain – “if you give way on point A, I’ll be willing to give way on point B”. The books mentioned below both cover negotiation skills, something that is beyond the scope of this blog post, but which is an essential skill for anyone who has to conduct these sorts of negotiations; of course, there are numerous popular books on how to negotiate as well.
  10. If there are words in the draft contract you do not understand, ask for clarification and if need be, rewording.
  11. You will have two concerns about the negotiation: your concern about the outcome (“substance”), and your concern about the existing and future relationship. Make sure neither concern dominates your thinking and actions.
  12. A collaborative approach offers the greatest chance of producing good results; the skills associated with such a collaborative approach include assertiveness (NOT the same as aggressiveness), supportive climate building, active listening, sensitivity to non-verbal behaviour, empathy, and confronting (not avoiding) differences before working through them. Face to face meetings are much preferable to email for these reasons. Skype or Facetime are not as good as face to face, but better than just email.
  13. Remember that the parties are neither friends nor adversaries; they are problem-solvers. The goal is a good outcome reached efficiently and amicably. So try to avoid offering or demanding concessions too often.
  14. Always separate the person from the problem. Conflicts with someone you dislike might lead you to miss the solution.
  15. Keep copies of all written communications, including emails, and notes from meetings. Of course, also keep copies of all drafts, and the final agreed licence; when it comes to renewal time (and therefore renegotiation), these will prove invaluable for reminding yourself of the issues and personalities involved, and what clauses proved contentious or have turned out to be unhelpful.
  16. Above all, be prepared to postpone discussions, or even walk away if there are terms that are unacceptable to you, your employers, or patrons.

There are two excellent books giving further advice on these topics: Fiona Durrant’s Negotiating Licences for Digital Resources, Facet, 2006 (the key points do not date that much), and Lesley Ellen Harris, Licensing Digital Content (3rd edition), American Library Association, 2018. Another useful resource is the summary of an important IFLA report, which makes important points about what licence terms to be wary of; the full report can be downloaded for free.

I always found licence negotiations to be interesting and frequently fun. So enjoyment is the key word to remember…

© Naomi Korn Associates, 2018. All Rights Reserved. The image is available under a CC Zero Licence.

Invitation to a Data Protection Officer (DPO) Workshop, 2 October 2018, Imperial War Museum, London

Photo by StartupStockPhotos

Naomi Korn Associates is delighted to offer a Data Protection Officer Workshop for cultural heritage organisations, schools, further and higher education institutions, charities and other public sector bodies. The training will take place at the Imperial War Museum, London on 2 October 2018, 10am to 4pm. Please see below for details! This comprehensive, specialised and interactive training day will outline the role and responsibilities of a Data Protection Officer as well as provide top tips for success.

  • £250 per ticket and 10% off if you book multiple tickets
  • Includes all training, lunch, refreshments and materials.

Key training objectives include:

  • Exploring the essential role of a DPO – Who, what, how?
  • Implementing practical strategies to remain compliant with your legal obligations.
  • Developing model policies and templates for your establishment.
  • Understanding related areas of information management, PECR, cyber security, risk and governance.
  • Promoting high data protection awareness across your organisation.
  • Your Action List – Essential steps for your organisation to achieve full compliance

What is a Data Protection Officer (DPO)?

This is the role in an organisation which has responsibility for ensuring that personal data is protected and that the organisation is compliant with the legislation. There should be a degree of independence so the DPO reports direct to the highest management level of the organisation as a part of the organisation’s governance. They are part of the enhanced focus on accountability.

Organisations must have a named DPO if they:

  • Are a public authority
  • Carry out regular and systematic monitoring of data subjects on a large scale as core activities
  • Carry out large scale processing of sensitive personal data relating to criminal convictions and offences

A public authority is defined by Freedom of Information legislation and includes bodies performing a task carried out in the public interest or in the exercise of their official authority, e.g. the administration of justice, the Houses of Parliament, ministers or a government department, or activity that supports or promotes democratic engagement. There are some exceptions, e.g. parish councils.

Every organisation that processes personal data should have a named data protection lead. It is open to any organisation to appoint a DPO voluntarily. They may be employed in the organisation or with a service contract to fulfil the role. It may also be practical for there to be a shared DPO across related bodies, e.g. a central government department with separate agencies, or a Multi-Academy Trust across a number of schools.

Requirements of the DPO

  • Informs and advises the organisation about its obligations to comply with the GDPR and other data protection laws.
  • Monitors compliance with the Data Protection Act 2018 and the GDPR.
  • Has appropriate expertise or experience.
  • Is the primary Data Protection contact point in the organisation.
  • Advises on, and monitors, Data Protection Impact Assessments.
  • Cooperates with the Information Commissioner’s Office (ICO) and is the first point of contact.
  • Can carry out other tasks and duties, provided there is no conflict of interest, so the DPO may hold the asset register and records of the organisation as the central point for ensuring that the organisation is compliant.
  • Understands and advises on a risk-based approach to data processing in their organisation.

By attending our DPO workshop you will:

  • Be updated on Data Protection legislation and your obligations.
  • Consider other related statutory, regulatory and operational requirements.
  • Learn in a PowerPoint-free interactive learning environment.
  • Network with other delegates also in a DPO position.
  • Receive full access to learning materials within a delegate pack.
  • Receive a certificate of completion for your CPD file.

Seats are limited so we advise you to book yours soon. Lunch and refreshments provided. For further information contact Patrick Ibbotson:

© Naomi Korn Associates, 2018. All Rights Reserved. The image is available under a CC Zero Licence.



Welcoming Jeremy Ottevanger as a consultant

Jeremy Ottevanger

Naomi Korn Associates is excited to welcome Jeremy Ottevanger as a consultant to our expanding team! Jeremy is a technologist, having started his career in what came to be called “digital heritage” in the 1990s. Since then he has spent long spells at the Museum of London and Imperial War Museums, as a developer and as technical lead, where he was responsible for the architecture and production of web platforms and for the delivery of the data and media that they rely on.
Twitter: @jottevanger

Jeremy Ottevanger: I’ve worked for a long time in a couple of larger organisations, and with great big partnerships, and one of the constants has been the tension between the desire of cultural bodies to open up as fully as possible, and the legal and commercial constraints that can seem to work against this ambition. Reducing this apparent contradiction usually comes down to a combination of a deep understanding of the institution’s goals, of the nature of the material, of audience needs, and of the available technical solutions. I’m looking forward to helping small and large organisations to think creatively about the technology part of this mix in particular, so they can control the risks around intellectual property and data privacy whilst still doing what they exist to do: sharing their unique assets with a hungry public worldwide. Joining Naomi Korn Associates means that I can be part of a holistic approach to this whole agenda, and it’s really exciting to think about what we can achieve by putting our heads together.

Naomi Korn: We are delighted that Jeremy is joining our team. He will be bringing fantastic knowledge and technical expertise to support our clients’ privacy and rights requirements. Integrating technological know-how into our core offer means we can provide our clients with holistic support, which is needed more now than ever.

(c) Naomi Korn Associates, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence.


GDPR and Top Marketing Tips for Professional Membership Bodies

By Lisa Goldsmith, Consultant, Naomi Korn Associates

As the new GDPR (General Data Protection Regulation) law is upon us, professional membership bodies must, if they haven’t done so already, review their marketing practices and ensure that they are compliant with both the GDPR and the EU e-Privacy Directive as implemented by PECR (the Privacy and Electronic Communications Regulations). PECR sits alongside the GDPR and governs, and promotes best practice for, organisations sending electronic direct marketing communications (e.g. email, telephone, text, fax and other digital communication channels, such as websites using cookies). With this in mind, it’s important to ensure that current marketing practices are compliant with the GDPR and PECR. This post highlights some of the challenges faced by professional membership bodies and offers some helpful tips to boost your business to customer (B2C) marketing capabilities (e.g. to current and potential members) in a compliant way, using email, telephone and postal marketing to increase your reach.

Requirements of the GDPR/PECR:

A very brief outline of the legal requirements for direct marketing is:

Telephone marketing:

  • You can make live (i.e. not automated) marketing calls to individuals provided you:
    • Screen against the Telephone Preference Service (TPS). You can only call individuals who are registered on the TPS if you have their prior consent to call them
    • Exclude anyone who has told you they don’t want to receive calls
    • Ensure that your number is displayed to the person you are calling
  • You can only make automated calls to individuals with their prior consent. In line with the GDPR, consent must be freely given, explicit, unambiguous and informed (i.e. the individual(s) know they’re signing up to automated calls)

Email marketing:

  • You can send email marketing messages to individuals if you have captured their prior consent to do so (in line with the GDPR requirements for capturing consent)
  • For existing customers purchasing commercial products only: you can send email marketing messages if you used the soft opt-in method when the individual purchased a product, provided you gave them the option to opt out at the time of purchase and in every communication thereafter

Postal marketing:

Many non-profits are looking to use postal marketing using ‘legitimate interest’ as their legal basis under the GDPR. It is acceptable for organisations to market to individuals by post providing:

  • Individuals can reasonably expect to be marketed to (e.g. sending a lapsed campaign inviting them to re-join)
  • You screen against the Mailing Preference Service (MPS)
  • The legitimate interest pursued by the organisation does not outweigh the rights and freedoms of the individual receiving the direct marketing
  • Individuals are given an opportunity to opt-out and those who have already opted-out are excluded from receiving those communications

It is advisable to read the full guidance on PECR and the GDPR on the ICO website. When capturing consent, organisations must be able to demonstrate that GDPR-compliant consent was captured and that sufficient measures are in place for individuals to withdraw consent.

(c) Naomi Korn Associates, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is available under a CC Zero Licence.


Myths Associated with the GDPR

By Charles Oppenheim, Senior Consultant, Naomi Korn Associates


Photo by Dennis Kummer on Unsplash

No doubt every reader of this blog post will have received emails asking them to confirm they still wish to receive mailings, because of changes to the law introduced by the EU’s General Data Protection Regulation and coming into effect on May 25th 2018. I suspect in the vast majority of cases, these emails were not needed. Too many organisations are assuming the GDPR means a massive change to their obligations, when in fact the changes introduced by the GDPR to UK data protection law are modest. Organisations must make changes to the way they operate, as there are more obligations to report serious data breaches, the maximum fines for breaches of the law have gone up, there is a need to build “privacy by design” into operations, Privacy Impact Assessments are required, and many organisations need to appoint a nominated Data Protection Officer. But when it comes to the lawfulness of processing data, relatively little has changed. So, advice or instructions such as “all personal data must be deleted from emails”, “you must delete someone’s records if they have not responded to your requests to confirm twice”, “you must delete all records of people who have resigned”, “delete all electronic records, but manual records are OK”, “you are obliged to ask for permission before you can hold someone’s personal data” and the like (and I’ve seen all these, and more) are, quite simply, nonsense.

So let’s get the facts right about when you may process (i.e., obtain, record, manage, structure, store, amend, delete or disseminate) personal data – and as I say, the law has hardly changed in this regard. There are six – yes, six – reasons why you are allowed to process personal data. Any one of them, or more than one, will be enough reason for an organisation to be allowed to process personal data. The six reasons, listed in Article 6 and explained in Recitals 28 – 50 of the GDPR, are:

  1. The data subject has given their explicit consent – the one everyone seems to be hung up on. Permission should be explicit and unambiguous – with clear opt-in preferences recorded and initiated. The fact that this has not necessarily been respected is why so many organisations are panicking now.
  2. The processing is necessary for the performance of a contract to which the data subject is a party – so, for example, if someone subscribes to a magazine, the publisher and/or distributor needs the subscriber’s details to send them.
  3. The processing is necessary for compliance with a legal obligation to which the controller is subject.
  4. The processing is necessary to protect the vital interests of the data subject – e.g., health records, so medical and dental practices do not need to ask for permission to keep patient records.
  5. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  6. The processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, unless such interests are over-ridden by the interests of the data subject.

Number 6 is the reason that is most likely to apply to organisations, rather than number 1. Thus, for example, a membership organisation can keep records of lapsed members so it can subsequently analyse why it is losing them (“we seem to be losing a lot of under-40s – maybe we should improve our appeal to them” is an example). The law states that personal data should not be kept longer than is necessary, and of course that is a rather vague restriction, but organisations should be aware of how long they should keep records, e.g., for tax reporting purposes.

So please, everyone, don’t panic about the GDPR, and don’t buy into the myths. Having said all that, one good thing about the many emails coming your way is that they give you a good excuse not to answer, or to reply saying you no longer wish to receive communication from the organisation, and thereby stop getting bombarded with emails and marketing stuff you’re not really interested in. A question is whether, after May 25th, organisations really do delete you from their mailing lists!

(c) Naomi Korn Associates, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is available under a CC Zero Licence.

Museums and their GDPR data protection obligations

Prior to the implementation of the GDPR across the UK (transposed into UK law as the Data Protection Act 2018), I wanted to address some questions that I have been asked during my recent training sessions, although the majority of these issues would already have been the case under the Data Protection Act 1998.

1. Should personal data be added to the ‘brief description’ field in a collections database, particularly if this appears on a museum’s online collections website?

It depends on what it is and also on the functionality of the collections database. So, for example, if the object was an army identity card or belonged to a specific person for a specific reason already in the public domain, then reproducing this information online would be unlikely to cause distress to the individual. If the information is a name and an address, then this personal data may not already be readily available and should not be made accessible. Remember that personal data is information about a living identifiable individual; however, even if an individual is dead, they may have relatives still living at the same address.

2. On our current entry forms and loan forms we ask for the names, addresses and phone numbers of donors/depositors/lenders, which we store indefinitely as the information is important for our objects’ provenance. What sort of wording should we include on our forms to make sure we comply with the new regulations and that it is clear to the general public how we will use their data?

Collecting this type of personal information is vital for the functioning of a museum and, depending upon the circumstances and governance/funding of the museum, this type of processing will be covered under any one of several legal grounds for processing (legitimate interests, public interest, contractual). The forms should include a statement that the information will be used only for the purposes for which it is collected, a possible consent box if you plan to share it (with other museums if lending the item out) and/or use it for other internal purposes, as well as a link to your privacy notice. Your privacy notice should clearly articulate what you are doing with personal data, why, etc. See our privacy notice for further information.

3. What do we need to do with historical data we hold for acquisitions/ loans/ disposals and deposits?

Most, if not all of this information should be kept in perpetuity and reflected in your retention schedule. Because of the quantity of personal data processed by museums and the range of activities, retention schedules need to reflect statutory, regulatory obligations as well as policy decisions.

4. How will the GDPR affect collections management systems (i.e. collections databases) that also store the personal data described above?

Your collections management systems need to be configured to enable restrictions regarding what you hold and what you subsequently publish. So, your collections management systems should serve your needs, rather than you adjusting your needs according to your collections management systems. They also need to provide functionality for you to amend and rectify your records and to respond to data subjects who may want personal data amended and/or deleted. It will be important that you liaise with your collections management system vendor accordingly, and also check that they are compliant with their data protection obligations as your data processor.

5. If someone refuses to give us permission to store their name, address etc. relating to an acquisition or a loan is there anything we could do or would we just have to refuse to take the objects?

Collecting this type of information is vital for a museum in order to comply with other statutory, regulatory and policy requirements. For example, Accredited museums must comply with specific standards of practice. Data protection legislation dovetails into this existing framework, and the museum should think very carefully indeed before proceeding any further, because it may then fall foul of other legal and similar obligations it has.

6. What exactly can be recorded in our ‘visitors’ book’?

Because the book is public, names, addresses, e-mails, phone numbers etc. should not be collected. This is certainly more than a museum needs, and also means that a museum would have increased obligations to any data subjects (individuals whose personal data you are storing) upon their request, to provide information about what it is storing, amend it, delete it, etc. The less information that is held the better. So, a museum should consider why it needs to collect all this information. It is very likely that the most valuable bits are the comments and the country of origin of the individual, and/or the first 3 letters of a postcode – which would likely be enough to fulfil a museum’s requirement but not be enough to constitute “personal data”.

Any further data that is collected whereby an individual could be identified should be reflected in the museum’s privacy statement, with a notice in plain English provided next to the book explaining how the information will be used, and a form ensuring that such information is captured on a consent basis. Finally, the museum should ensure it stipulates on a retention schedule how long such data is stored.

7. My volunteers fill in Volunteer Application forms when they start with us – which includes giving an email address and phone number. I have previously taken this as consent for me to phone them or email them (generally only about volunteering at the museum). To be compliant do I now need to get in touch with them all to get specific consent to contact them by these means?

Legal grounds for processing would probably be established for this type of use (legitimate interests, public interest, contractual, vital interests, etc.) – but it will be important to ensure the following:

  • Any other sharing or use (including sharing with other volunteers etc), must be established on a consent basis.
  • This information must be kept safe, like any other personal information.
  • A retention schedule should be used to record how long this information is kept for.
  • Your privacy notice must refer to this type of data collection.
  • Subsequent agreements with volunteers should link to your privacy notice and also ensure that they take the necessary measures to comply with their own data protection obligations, such as using encrypted devices, not sharing personal data, etc.
  • Your volunteers should be trained in data protection and their awareness levels kept high.

8. Do museums need to check that suppliers they use are GDPR compliant?

Yes, this is their legal obligation. They need to have robust contractual terms in place accordingly, and if they cannot do so, they should consider using someone else. This means that eventually, as part of a museum’s commitment to a “privacy by design” culture, it needs to ensure that its procurement processes, project initiation procedures, etc., embed this consideration into the heart of its organisational culture.

(c) Naomi Korn Associates, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is available under a CC Zero Licence.

Going back to School?

By Carol Tullo, Senior Consultant


The Bookshop and Lottery Agency of Jan de Groot in the Kalverstraat in Amsterdam, Isaac Ouwater, 1779. Photo credit: Rijksmuseum.


The experience of running some Naomi Korn Associates workshops in recent months has been instructive in so many ways! Helping a range of schools – principals, teachers, office managers, bursars, Heads of IT and governors – to familiarise themselves with the GDPR changes opened my eyes to the complex ecosystem of school communities. I was struck by how seriously schools took their responsibilities for handling personal data. The Department for Education published a GDPR Toolkit on April 23.

I was involved in the discussions and early drafts with the DfE and, while no substitute for tailored help, this toolkit covers the basics and provides useful reassurance for each school to assess its preparations. The DfE outlines a sequence of activities that will help schools to identify and monitor their use of personal data, undertake the necessary processes for auditing and assessing risk, and assist in compiling policies to ensure schools can sustain compliance. Mirroring the training approach from NKCC, each step is structured to provide the intended outcomes, a suggested ‘how to’ approach, top tips, case studies, and links to relevant resources. It does not constitute formal legal guidance, and as a data controller, each school is ultimately responsible for its own data protection procedures and compliance with legislation.

My favourites of the top tips in this official guidance:

I would add that if you have started, but not yet completed, your journey to compliance, consider a GDPR readiness statement explaining where you are and what you have done. It all builds confidence.

With the publication of this guidance, an informal consultation exercise will run until Friday 1 June 2018. The initial feedback gathered will be used to inform a revised version. The guidance will be a living document and will be refreshed once the Data Protection Bill is finalised. Comments are welcome so provide feedback to with the subject heading “GDPR toolkit feedback”.  DfE asks that if your comments refer to specific content in the document, please reference the page number(s) to identify the area to which you are referring.  Keep the conversation going as we all work collaboratively to deliver this.

Naomi Korn Associates will be running a Data Protection Officer training course for schools, Tuesday 2 October, at the Imperial War Museum, London. For more information please email

(c) Naomi Korn, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is CC0, sourced from the Rijksmuseum.