GDPR stands for the General Data Protection Regulation. Many photographers wonder whether GDPR will have any impact on the way they run their business. The short answer is YES, so you should get prepared.
What Exactly is GDPR?
It’s a European Union policy on data protection, and it will come into force across the UK and European Union on May 25th, 2018.
I’m Not in The EU, So How Can it Affect Me?
This seems to be a common misconception. This legislation change affects photographers worldwide, not just in the EU. If you are a photographer from outside the European Union, it could affect you if you hold data about clients or potential clients residing in European Union countries.
Why is There a Need for it?
All of us are consumers, and have likely signed up to websites and social media, or bought things online with our credit or debit cards. These companies store names, addresses, etc. You’ve probably been contacted by telemarketers or marketing emails too, and they may have got your details from a third party.
Because the online world and technology are moving at such a fast rate, the powers-that-be in the European Union want to protect consumers, and this new regulation focuses on data protection and the privacy of individuals.
This means that as consumers our sensitive personal information will be better protected. However, as business owners we need to ensure we comply with the new rules, and understand the reasoning behind them.
What is Classed as Sensitive Information?
Sensitive information is any kind of data that can be used to identify an individual, such as name, surname, address, email address, date of birth, bank account details and so on.
The law has now been changed to include photographs where it is possible to identify the subject. Facial recognition software is becoming more advanced, and even Lightroom and Apple Photos have facial recognition abilities now.
This affects how sensitive information is collected, stored, filed and shared, and it means your photography or video clients will have these rights:
- The right to be informed – the client has the right to be informed about the collection and use of their personal data. This also covers permissions and consents.
- The right of access – the right for clients to access the personal data the photographer holds on them.
- The right of rectification – for clients to have their data corrected if it is inaccurate. Businesses will have a month to make rectifications on the client’s request.
- The right to erasure – for the clients to have their personal data properly deleted or removed.
- The right to restrict processing – the clients can restrict the photographer from processing their personal data.
- The right to decide on data portability – for or against the client’s data being stored in closed platforms, which are usually mailing lists or databases.
- The right to object – the client has the right to complain and object to the photographer processing their personal data.
- The right not to be subjected to automatic decision making, including profiling – the client has the right not to be added automatically to third party files, platforms or systems.
How Does This Affect Photographers?
Photographers and videographers are affected – especially wedding, sports or event photographers – because they store sensitive data like other businesses. Every recognizable image of someone is data, even if they are in the background of the image. If you are photographing a wedding or an event, or doing some street photography, you’re collecting people’s personal data without knowing it.
So What Can You do to Get Things Right?
Changes in the law like this don’t make for an easy transition, but hopefully the steps below will help you and your business to smoothly make the change to the new regulations.
- Get explicit consent: You will need to get used to asking for explicit consent from clients before contacting them via email or phone, or filing, sharing or storing their data. If, for instance, you were at a photography fair and someone asked you for a shoot, a quote, etc., you’d need to make sure they give you their permission to contact them in the future, and that you can add them to your database.
- Data storage duration: You need to tell your clients how long you will be storing their personal data – and that includes images – and you need to ask for their consent. You need to have a data lifespan of 1, 6 or 20 years, and if you reach the end of the agreed time period, you can’t contact them to ask permission to renew. You have to do that before the time ends.
- Sharing: If you are asked not to share a client’s images or details, you have no choice but to agree. This affects any way of sharing, such as email, social media, printing, exhibiting, photography contests and so on.
- Right to delete: Hopefully this won’t happen to you, but if a client asks you to delete all of their information and the photos you took of them – it means you delete everything. Even the RAW files! If they ask, you must do it, and prove that you have done it.
- Storage and access: You need to make sure your computer and hard drives are encrypted, and that external hard drives are stored in a locked space. Passwords must be strong, too. If you can, keep one computer just for business and another for personal use.
- Storage format: The information needs to be stored in a format that can be shared with clients if they ask. If you have Microsoft, use Excel; for Apple, use Numbers. You could also use Google Drive, which may be easier. Your files need to be encrypted or password protected, and stored on your secure computer!
- Using Google Drive: This is a hack that can make GDPR go a bit more smoothly. ‘https’ sources, such as Google Drive, are considered perfectly safe because https sends data over an encrypted connection. Conveniently, you can store sensitive information in your Google Drive because it’s cloud-based and encrypted. Dropbox could be an option as they are compliant with GDPR too. If you don’t know a lot about a cloud platform, or whether they are GDPR compliant, then don’t risk using them.
- Contracts: Now is a good time to give your contracts a bit of an overhaul to match the requirements. If you don’t already do it, consider using digital contracts. This type of contract is encrypted, and can be filed on your encrypted cloud platform. Add a consent/permission clause to your contract. Separate this from your Terms and Conditions, as they refer to a service agreement, and consent/permission refers to sensitive information. It may be good to ask also if you can have permission to use the images on any channel, including exhibitions or contests.
- Who has access to the data? Do you have an assistant or other employee, and if so, do they need access to sensitive data? It must only be available to those who need it in order to do their work, and no one else should have access.
The only way to be sure you’re ticking all the boxes to be GDPR compliant is to refer to the ICO Documentation. ICO are responsible for implementing GDPR in the UK. EU GDPR is a useful website containing more information. Also, if you have a lawyer, check all these questions with him/her.
Hope this helps.