Helping the V&A navigate GDPR


Founded in 1852, the V&A is a hybrid organisation, comprising a non-departmental public body of the Department for Culture, Media and Sport, a charity exempt from registration under the Charities Act of 2011, and a company limited by guarantee.

The museum has a permanent collection of over 2.2 million objects and a related paper-based archive dating from its foundation. In 2018, the V&A welcomed almost four million visitors across its locations, including the Museum of Childhood. It hosts dozens of ticketed exhibitions each year and has commercial operations that include museum shops and an online store.

As part of its public task the museum operates an education programme for schools and young people. Individuals may support the work of the V&A by becoming a member or patron, making a donation or leaving a legacy in their will.

The V&A looked to Corrick Wales to steer them through GDPR compliance in 2018.

“The V&A looked to Corrick Wales to steer them through the uncharted waters of GDPR compliance in 2018. They were a delight to work with – rigorous, professional, unafraid to tell truth to power, knowledgeable and above all pragmatic. They provided us with the foundation on which we are now building a culture change regarding data processing in a national museum.”

Alex Stitt, Director of Commercial, Digital & Exhibitions, V&A


Across 2018 we worked with the V&A on data protection and privacy regulation compliance, working closely with key staff and the V&A’s nearly 50 departments and teams.

To understand the V&A’s public task, we examined the museum’s purpose, laid out in the 1983 National Heritage Act, and its mission: “to enrich people's lives by promoting research, knowledge and enjoyment of the designed world to the widest possible audience”.

Our work included fully assessing how personal data was processed and protected across the organisation, putting in place a robust process for implementing changes, updating procedures, and conducting tailored training.

To embed the requirements of modern data protection and privacy regulations, our approach considers a whole organisation and its culture, across processes, systems, skills and technology. For the V&A, the foundations we helped them to lay allow such an approach to continue.