How many professional photographers out there are ready for GDPR? How many actually know what GDPR is? 2 weeks from now the new General Data Protection Regulation will come into effect – on my birthday – and if you run a business, no matter how small – you’ll need to comply with the new rules on data privacy.
Thanks to my ever-vigilant girlfriend, I’ve had GDPR on my radar for a while, and am nearly fully set up now. This post is an attempt to decipher some of the confusion out there, which seems to be quite prevalent. Many of the articles I’ve read only refer to large organisations, which obviously have different needs, some only deal with the marketing side of photography businesses, and some are so laid back and cavalier about the requirements that I’ve chosen to pretty much ignore their advice!
I shall make this disclaimer now, and repeat it at the end – I AM NOT A LAWYER – nor do I ever pretend to be one. The advice I’m setting out here is the result of reading many different articles, watching several videos and webinars, and drawing my own conclusions, although there is some conflicting and slightly confusing information out there. Do not take what I say as gospel, but use it as a springboard to go out and start your own research.
The essence of GDPR is to do with protecting people’s data, and making sure that it’s used in ways that people consent to. “Data” in their definition is essentially any information relating to a person. That can be an address, email, phone number, or an image of them. As a photographer you are almost certain to have lots of contact details, either of clients, or potential customers, and you’re certain to have lots of images too. So, GDPR applies to all this “data” you’ve got, and you must use this data in ways that comply with GDPR.
The two issues about data seem to be:
That you hold that data with the subject’s consent, and use it in ways they consent to.
That it can’t go wandering off anywhere – namely that your systems are secure and protected.
After much rummaging around online, I think I’ve drilled down to the 10 things you’ll need to do as a professional photographer:
Conduct an information audit – what data do you already hold? How did you get hold of it, how is it stored, and how do you use it? Hold a complete inventory of the data you hold – include things like your personal phone if you’re a solo operation. Make sure that a) you are legitimately OK to hold it – namely that you have their permission – and b) it’s secure. This generally means it’s simply behind some sort of password protected system – many existing setups will be absolutely fine on this score, although usual suggestions about making sure your passwords are strong and changed periodically should apply. Don’t get me started on passwords….
Next, review how you gained this data. Is it contact details accumulated through working with people, or emails you’ve gathered through a marketing campaign? The first comes under the legal heading of “contractual data usage”, and the second is consent – the biggie. Generally, with contractual stuff you can carry on as before – if you’ve been emailing someone who you’re doing a shoot for over the past month, you don’t suddenly need to request their permission to carry on emailing them. Marketing emails and the like are different though – that’s the whole “opt-in” bit.
Ensure that images are handled in a similar fashion. Essentially, you need to be certain that only yourself, or people you specifically authorise, can access images you create. Anyone you give authority to handle this “data” will need to be a “data processor” and will need to comply with GDPR as well.
Ensure that any third parties you entrust with data comply with GDPR, even if they’re based outside the EU/EEA. So, if you use cloud storage, you’ll need to check; if you send images off to get retouched somewhere, you’ll need to check; and if you use someone like Mailchimp to handle your emails, you’ll need to check. Most of these companies are (finally) issuing GDPR statements, and complying, so the odds are you’re good to go.
Register yourself (if you’re just a single-person business) as a data controller with the ICO. If there’s more than one person in your business, and someone else is your “Data Controller” – register them. It costs £35 per year, and all you have to do is fill in a fairly straightforward online form. Interestingly, whilst there are a host of very obscure jobs and careers in the drop down menu, there’s no option for “Photographer”, so I ended up with a “general/other” one, and removed some options from the spiel it spits out.
If you have a marketing list of emails you’ve harvested over the years, then you need to send out an email requesting that they confirm they want to stay on the list. Unlike lots you’ve probably received, it’s not legal to assume that silence implies consent – they need to actually “opt-in” rather than just carry on as before. What you send out must be very clear about what you’re going to do with their data, and what they’re going to receive. If they sign up for one thing, and you start spamming them with something else, you’ll get in trouble.
Make sure you’ve got systems in place so that people can request what data you hold on them, and you can delete it if required. Unless you’re running an antiquated system, or an enormous one, this is pretty easy, and lots of systems (like Mailchimp) have this built-in. If people request their data, you must respond within a month, and you can’t charge them for processing the request.
If you have a data breach, you must notify the ICO within 72 hours.
Be thorough about how you use imagery of people, and what you have permission to do with their image. Under the terms of GDPR someone can request that you stop using their “data” (which can obviously include images of them) and can sue you quite spectacularly if you don’t comply. For example, you may use an image you took of someone to promote yourself on social media, but they may not have signed an agreement to this effect. They can request that you take this down, and depending on how you interpret GDPR, could even sue you for having done so in the first place. You may find that more thorough use of model releases and other forms are the way forward here.
Regarding this last point, I think it’s quite an interesting situation. There’s a general understanding across the industry that it’s OK for a photographer to use an image they created to promote themselves and their work, usually without any direct payment to the subject, and sometimes even without explicit consent. The consent is generally understood to be implicit in the case of the subject working with the photographer to create the image. As long as the image is not used in a way that is defamatory or derogatory, or crosses some major commercial boundary, photographers generally are well within their rights to use work they’ve created on websites, social media, brochures, mailouts etc.
There are previous, and well-established issues of intellectual property and copyright at work here – as the photographer, you are the author of the work, and as such, unless you sign anything to the contrary, you can effectively do what you want with it within the bounds of the law (see above about not being libellous or defamatory, or crossing commercial boundaries). If you were to take someone’s picture, as part of a commercial job, and then use it in your promotional materials, you don’t strictly need to have their permission to do so. It’s your intellectual property, not theirs. Standard practice is to have model releases or other forms signed that explicitly state what you can and can’t do with an image, but self-promotion is usually a given, and I’ll admit that historically I haven’t always got these signed.
Now, under GDPR, without a model release or similar, you could be sued for putting someone’s “data” on social media, or using it in a YouTube video, portfolio, website etc. My instinct is that if this were to happen, the case wouldn’t get to court, or would be chucked out. Whilst I’m obviously not a lawyer, it seems pretty obvious to me that if someone was part of a photoshoot, where everyone involved knew what was going on, and the images were obviously not going to be deleted the minute they’d been taken, then complaining afterwards that the images appear in public would be very odd. Now, this is assuming the person was aware you were taking the pictures, and was OK with it, or they were at a public event where cameras were in widespread use. If, instead, you had a compromising image of them, possibly taken without their knowledge or consent, then they’d have a much stronger case.
I have had circumstances where people have asked years later if images of them can be taken down from websites because their life circumstances have changed, and I’ve always complied straight away. GDPR won’t change this, but neither is it the apocalyptic scenario I’ve seen some people rave about – of course you’ll still be able to take photographs for a living.
Essentially, like so many other legal things that touch upon professional photography, as long as you behave professionally, there should be no problem. If you pester people with marketing emails, having not explicitly got their consent, or publish images that make people look stupid in order to advance your career, then you may find yourself in hot water. Rightly so, in my opinion!
Right, that’s probably enough to keep you going. Here are some useful links – these are ones I’ve relied on, having filtered out lots of the ones I’ve mentioned above which were either too vague, too cavalier, or only aimed at huge organisations.
The official government body, who administer both current privacy laws, and GDPR when it comes into effect. This is where you’ll need to go to get registered, but they also have the supposedly definitive info about what GDPR is, and what you need to do. If you come across conflicting advice online, refer back to here, as it’s these guys who will be enforcing the law!
A lawyer, who has published some very insightful and helpful information on GDPR and offers an information pack (for a price) for small businesses. There’s a 2 hour webinar that I can recommend, as well as joining the Facebook group where there’s lots more info and business-specific videos.
Finally, DON’T PANIC! Assuming you’ve been running your business sensibly up to now, none of this should be a headache, and probably only represents a half day’s work or so. I’ve heard and read some really scaremongering stuff about how much you can get fined, and how much all this will cost, but essentially it’s long overdue, and I for one look forward to receiving less spam marketing emails! As long as you exercise a bit of the old common sense, all this should fold neatly into your regular business admin, and you can get on with the real work of making interesting images. Remember though – I AM NOT A LAWYER!