You must be really bored if you’re reading this, but since it’s a legal requirement, here it is, my privacy statement:

In order to comply with the regulations of GDPR, I need to disclose what data I hold, and how I use it, and if I pass it on, how it’s passed on. Here’s a breakdown of that process.

What data do I hold:

  • If we’re working together on a shoot, then I will almost certainly have your contact details in their various forms. I’ll have these due to us being in communication, so there’s implicit consent in my storage of them, along with a contractual need in order to get the job done.
  • If we’re working together on a shoot, I will be generating still images, and possibly video, which are considered “data” under the terms of GDPR
  • If you sign up to one of my courses on Teachable, or sign up for my newsletter, I will have your basic contact details, usually just your email address.

How this data is handled:

  • In the case of contact details, these are stored and managed via Google, in the form of google contacts. I use 2-step authentication to reduce the risk of unauthorised access. To the best of my knowledge (as of 25/5/2018) Google are GDPR compliant in the way they store and handle their data.
  • If we’re on a shoot together, there’s a decent chance your contact data will make it onto a call sheet, which will likely be shared amongst the crew of the shoot in either electronic or printed form. This is contractual use of your data in order to get the job done, but should you wish for it not to be shared, please state this.
  • I retain contact details indefinitely due to the nature of my business – I work with some people very regularly, others less often, and some people only every couple of years. Should you wish to exercise your “right to be forgotten” please inform me, and I’ll delete all your contact details to the best of my ability.
  • Imagery (both stills and video) is stored in several ways:
  1. On my computer (either laptop or desktop). I retain image and video files on my computers in order to work on them – retouching, editing etc. Both computers are password protected. Data is moved off my computer once the job is finished.
  2. On portable hard drives. These are for archival purposes, and are protected by a password.
  3. On network enabled RAID drives attached to my office network. These are for archival purposes, behind a firewall.
  4. On cloud storage. I use Livedrive to store copies of my work, which is behind a password system, with guest access (again, password protected) given to specific clients in order for them to access the work I create for them. Livedrive have stated that they are GDPR compliant.
  5. Work (both stills and video) in it’s finished form will then find it’s way to a wide variety of final destinations, depending on the nature of the job in question. Some imagery may be published in print in national magazines, others will end up in the social media feed of a client, or as part of a video I publish on YouTube. Consent for use of your data (an image depicting you) will have been obtained via the medium of a model release form which will explicitly state what the imagery will be used for. If imagery was generated at a public event, consent for your data to be used is implicit in your attendance of the event.
  • I use Mailchimp as my email provider for newsletters and Teachable stores copies of contact details when you sign up for courses. Both of these organisations are GDPR compliant. You have the option to unsubscribe at any time, and you will have signed up with a clear statement of what you were about to receive – i.e. an occasional newsletter with information about photography and the courses I offer.

There you go, fascinating stuff. Should you have any concerns about how I handle your data, please get in touch. Despite my tone, I do take this sort of thing seriously, but I also recognise that by necessity I generate “data” and then share it as part of my job.

For legal requirements, I am Tom Miles, owner of Tom Miles Photography, trading as Photosmudger Ltd, registered address 8, Blandfield Rd, London, SW12 8BG. Registered as a Data Controller with the ICO, no: ZA360238