top of page
Search

Bev/Art Commits to Data Protection; Earns Cyber Essentials Certificate

  • Writer: Bev/Art Team
    Bev/Art Team
  • Oct 6
  • 2 min read

At Bev/Art, protecting heritage means more than monitoring temperature and humidity. It also means protecting the data our clients and employees trust us with. 


That’s why we’re proud to confirm Bev/Art boasts the Cyber Essentials certification — a U.K., government-backed standard for defending against common cyber threats. This standard affirms our commitment to safeguarding digital information with the same care we bring to safeguarding cultural treasures.


Cyber Essentials: What It Covers


The Cyber Essentials framework is built on six core principles of responsible data handling and security:


  1. Lawfulness, Fairness, and Transparency: Data must be collected and used legally, fairly, and with clear communication.

  2. Purpose Limitation: Data is only collected for legitimate purposes and never used in ways that are incompatible with those purposes.

  3. Data Minimization: We only collect the minimum amount of data necessary to get the job done.

  4. Accuracy: Data is kept up-to-date and corrected or deleted if inaccurate.

  5. Storage Limitation: Personal data is not held longer than necessary.

  6. Integrity and Confidentiality: Strong technical and organizational measures are in place to prevent unauthorized access, loss, or damage.


Going Beyond Certification: GDPR at Bev/Art


“Cerifications like Cyber Essentials only reinforce what is already the practice at Bev/Art,” said Chief Technology Officer Martin Barthel. “Since the beginning, we’ve followed robust GDPR and data protection guidelines across all operations. Compliance isn’t just a policy to us – it’s part of our culture.”

Here’s how we put data privacy into practice:

  • Transparency: We clearly document what personal data we collect, where it’s stored, how long it’s retained, who has access, and why it’s processed.

  • Lawful Basis: All processing is tied to one of four grounds: contract, legal obligation, legitimate interest, or consent. As an example, newsletter subscriptions require active consent.

  • Retention Rules: Data is never kept indefinitely. For example, client contact information is on file until the end of a contract, plus two years, at which point it’s deleted.

  • Rights of Individuals: Anyone can request access, correction, deletion, or transfer of their data. We respond within one month, as required by law.


Sales Prospecting & Communication

As a growing company, we carefully balance outreach with privacy:


  • Prospecting data is collected under legitimate interest, reviewed regularly, and deleted if unused after 6-12 months.

  • Sales emails are treated as personal data: archived or deleted after 18-24 months if no contract is formed.

  • Clients’ data and communications are retained only as long as legally required.


Shared Responsibility

Every Bev/Art employee is responsible for handling data with care. For us, data is a shared responsibility across our entire team.That means:


  • Respecting retention periods.

  • Using only approved vendors and EU-based storage whenever possible.

  • Reporting GDPR-related requests promptly.



For museums, libraries and archives, trust is everything. Institutions that safeguard humanity’s most fragile treasures deserve partners who treat their data with equal care.


By earning the Cyber Essentials certification and embedding GDPR principles into daily operations, Bev/Art reaffirms its commitment to reliability, transparency, and stewardship — values that extend from the climate around artifacts to the digital infrastructure behind the scenes.


bottom of page