The Data Protection Act (1988-2018) regulates the collection, processing, keeping, use and disclosure of personal data, both manual and electronic. Cultural institutions must take account of this. The application of the General Data Protection Regulation (GDPR) (EU) 2016/679 in 2018 has greatly changed data protection in Ireland. A new Data Protection Commission was established. It replaces the previous data protection directive in force since 1995. The transition to the new regulations in 2018 greatly affected the cultural sector. The majority of cultural organisations operate with a small adminstrative office and many organisations struggled to deal with the administrative burden of the changes. While many organisations were prepared for the legislative change, a number of organisations’ audience mailing lists had to be started afresh.