The General Data Protection Regulation (GDPR) came into force on May 25th, 2018 and it affects your photography business.
What is GDPR then?
The GDPR directive sets out the new European framework for data protection. It is a replacement of the previous data protection laws, set almost twenty years ago, and is concerned with how personal data is obtained, used, handled and stored.
Who does the GDPR legislation affect?
This new data protection legislation came into force in the UK and across Europe. It’s a European-wide policy, and it affects the UK regardless of the outcome of the (currently unresolved) ‘Brexit’ issue.
Since in your business you’re storing personal data about your clients, and will likely have an email marketing database of clients and prospective clients too, GDPR concerns you and your photography business!
And it affects you even if you are a photographer based outside Europe, but who has data about clients or prospects within Europe.
What is classed as ‘data’?
To clarify, personal ‘data’ is classed as any information that could be used to identify an individual; that could mean an email address, a name, a date of birth, a postal address, a national insurance number or a bank account number, for example. Photographs are also considered ‘data’.
What are your responsibilities regarding data protection?
As a business which collects personal data – typically names and email addresses, gathered when people sign up to your email marketing list or become clients, or the photos you create when hired by your photography clients – you are effectively the ‘Data Collector’. As such, you have a responsibility to ensure that you comply with data protection law.
Essentially, you must protect the consumer and prevent their data getting into the wrong hands and being abused.
And if you share access to that data with a third-party company or individual (perhaps, someone who assists you with your email marketing or has access to your mailing list database), they are the ‘Data Processor’.
The GDPR legislation affects both parties: Data Collectors and Data Processors. Both have responsibilities regarding the use of the personal data, are legally liable for ensuring there are no unlawful data breaches, and must report a breach to the Information Commissioner’s Office (ICO) if one does occur.
What are the main changes that you need to know about?
With regard to the personal data that you hold within your business about any living individual, the main changes you need to know about are that:
1. You need to document and maintain records about your data processing activities
How you obtain personal data, what you are using it for and how you store and use it should be documented. This is so that you can demonstrate that you comply with the data protection rules if you’re ever required to prove this.
2. You’ll need to ensure you have secured informed consent
‘Informed consent’ is crucial and a key part of the new GDPR legislation.
The ICO explains that “Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.”
- Permissions
You must be able to prove (with evidence, if required) that you have obtained data as a result of each individual having proactively opted in to receive that specific type of (marketing) communication.
While the ‘double opt-in’ process as part of the sign-up is not specifically required under GDPR, it would be wise to ensure you use it anyway. This two-step process allows you to ask the person to verify that they definitely want to be added to the mailing list that they have requested to sign up to.
Email marketing providers such as MailChimp offer a double opt-in process, so if you use a provider like that, this part is easy to cover.
And in regards to photographs, you’ll need to get written client permissions and potentially those of others who will be in your photographs (if you are a wedding photographer, for example). (Please seek expert guidance for further clarification on this as this article is only intended as an introductory overview and is not intended as legal advice.)
- Tick boxes to prove ‘granular’ consent
Another thing to be aware of is that you now need to be transparent about what people are signing up for when they complete a form on your website.
Specifically, you’ll need to provide tick boxes on your sign-up forms that clearly state the sign-up options available to them. Blanket or presumed consent is not allowed under GDPR.
Which means it’s no longer permitted to automatically add people to your on-going marketing mailing list (to receive your monthly newsletter, for example) if they wish to request a freebie download or ‘lead magnet’.
- The ability to opt out
You also need to give subscribers the opportunity to opt out, and you must delete their data immediately if they do.
The crucial point is that they must have given informed consent.
If you aren’t sure, or can’t prove, that the people on your current marketing database or mailing list gave their informed consent to the standard GDPR now requires (this is the key point), you’ll need to ask them to opt in again to receiving marketing communications from you.
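The consent rules above (positive opt-in, granular purposes, double opt-in verification, immediate deletion on opt-out, and keeping evidence of how consent was obtained) as an added illustration in code, not part of the original article. The purpose names, form URL and the `ConsentLedger` class are constructed for this example; a real mailing-list tool would send the token by email and store the records durably.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed example: the granular purposes a photographer's sign-up form might offer.
PURPOSES = {"newsletter", "lead_magnet"}

@dataclass
class ConsentRecord:
    email: str
    purposes: set               # only the boxes the person actively ticked
    source: str                 # which form the request came from (your evidence)
    requested_at: str
    token: str                  # one-time token sent in the confirmation email
    verified_at: str = ""       # empty until step two of double opt-in completes

class ConsentLedger:
    def __init__(self):
        self._records = {}

    def request_opt_in(self, email, ticked, source, prechecked=False):
        # A pre-ticked box is not a positive opt-in, so it is refused outright.
        if prechecked or not ticked or not set(ticked) <= PURPOSES:
            raise ValueError("consent must be an explicit choice of listed purposes")
        now = datetime.now(timezone.utc).isoformat()
        rec = ConsentRecord(email, set(ticked), source, now, secrets.token_urlsafe(16))
        self._records[email] = rec
        return rec.token  # in practice this only travels inside the confirmation email

    def verify(self, email, token):
        # Step two of double opt-in: the emailed token shows the address owner agreed.
        rec = self._records.get(email)
        if rec is None or not secrets.compare_digest(rec.token, token):
            return False
        rec.verified_at = datetime.now(timezone.utc).isoformat()
        return True

    def may_contact(self, email, purpose):
        # Unverified sign-ups and purposes that were not ticked never count as consent.
        rec = self._records.get(email)
        return bool(rec and rec.verified_at and purpose in rec.purposes)

    def opt_out(self, email):
        # Opt-out deletes the record straight away rather than merely flagging it.
        return self._records.pop(email, None) is not None

    def evidence(self, email):
        # What you would produce if asked to show how and when consent was obtained.
        rec = self._records.get(email)
        return None if rec is None else {k: v for k, v in vars(rec).items() if k != "token"}
```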
3. You’ll need a GDPR compliant Privacy Policy
You need to have a Privacy Policy on your website that outlines your identity (as the Data Collector) and how you intend to use personal data that you collect.
And that needs to explicitly state “your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.” (Source: ICO website).
So, if you haven’t already done so, now is a good time to review your current data processes:
- document what data you are keeping,
- check whether you really need all the data you are currently collecting (do you really need their postal address if you will never send them anything in the post, for example?),
- check how you are using and managing it (is it protected by encryption, or is a password required to access it?),
- review who (if anyone) you are sharing the data with,
- and check how long you are keeping data for (longer than is really necessary?).
Privacy notices, terms and conditions documents and cookie policies must now also be concisely and clearly written, in easy-to-understand language. The days when complicated legal jargon and tiny, illegible print were legally sufficient are long gone.
I recommend you purchase this GDPR pack (affiliate link*) by Suzanne Dibble, a small business lawyer and GDPR expert to obtain a GDPR compliant Privacy Policy and other useful documents.
*I am promoting this GDPR pack because I have purchased it myself and highly recommend it. If you choose to purchase the GDPR pack using the above link, please note that I may receive a thank you payment from Suzanne.
Why GDPR is a good thing though!
GDPR has been introduced to make personal data safer. So, although this could sound quite complicated (and yes, extra work for you while you get your photography business compliant), you’ll also benefit personally from the changes.
That’s because any company which stores information about you will need to be GDPR compliant too, which, in the long run, means fewer unsolicited emails in your inbox and less chance of your personal data being misused.
Where can I find out more about GDPR?
There has been a lot of speculation about what businesses need to do to ensure they are GDPR compliant.
And even now, as I write this – just days after GDPR has been introduced – there remains much confusion and discussion online about what individual business owners need to do to get GDPR compliant.
This article has only skimmed the surface of what is a very complicated piece of legislation, and I have not covered off everything in this article that you need to be aware of.
I have also updated this article since it was first written as I personally am learning more and more about GDPR as time goes on.
Please be sure to do further reading of your own about GDPR and to spend the time researching and fully understanding how the legislation affects your specific business.
There are many resources online that can help you understand what GDPR is and how it affects your photography business.
The ICO (Information Commissioner’s Office) website is a great place for you to start. They have prepared resources which include this one, which gives an overview of the ways in which you should be managing your data protection obligations in light of the new GDPR legislation.
You can also find GDPR support groups and forums online. But be wary of whose advice you take – only implement advice shared in these forums if you can be sure that the person sharing tips and advice is an expert on the topic.
Again, I would recommend Suzanne Dibble. She has a free Facebook group ‘GDPR for online entrepreneurs’ that is definitely worth joining.
Disclaimer: The information I share here is based on knowledge I have obtained from reliable sources such as the ICO and other GDPR experts, but please note that the content contained in this blog is not a full rundown on the GDPR legal requirements and does not constitute legal advice.
I’ve written this article in the hope that I have helped you by introducing the GDPR legislation if you hadn’t been aware of it already, and by giving you an indication of what you need to be aware of as a photography business owner to ensure your compliance from May 2018.
But to ensure that you and your photography business are fully covered, please seek your own independent legal advice. Zoe Hiljemark will not accept liability for any outcomes whatsoever that arise as a result of you implementing the information or advice shared in this article.
This post was originally published on January 11th, 2018 and was updated on March 14th, 2018.
Please note: This article contains affiliate links. If you choose to make a purchase via a link shared here, I may receive a small commission at no extra cost to you. I only recommend products and services I have used and found beneficial.
Hi Corinne and Zoe, once the image is on Facebook, a local/national newspaper or another website under the laws in place at the time (consent list etc.), then you won’t need retrospective consent, as it would be unreasonable to do so. As a school, your existing policies around data are fairly robust, and you wouldn’t publish an image if you didn’t have permission anyway.
You will need to be prepared to remove them if the subject withdraws consent, but as it was agreed to do so when it was published, you should be ok.
You must though have that clear retention policy and adhere to it. That would mean deleting the stored copy after a period of time and ensuring that the data subject or their parent or guardian is aware of that.
I am in charge of the Marketing for a secondary school in Bristol and have found this article really interesting – thank you very much. One thing for which I still remain unsure – are the photographs already on our website OK to keep on there? Parents/carers have signed a permission for use in school publications/website etc but as of 25th May 2018 I will be having to ask permission for each specific photograph (including permission from the young people themselves aged 13+). So are those photos already on the website OK to stay there?
Thank you in advance
Hi Corinne, thanks for your kind words about the blog. I wouldn’t be able to advise you on that as I’m not a GDPR expert and have stated that in this blog, but you’re doing the right thing to try to get clarification on this. Suzanne Dibble is a small business lawyer and GDPR expert. I’d recommend you join her free Facebook group and seek legal advice in there if you’re not sure who else to ask. Hope that helps.