There’s a lot of talk about GDPR (General Data Protection Regulation), and a lot of confusion. Whilst we can’t give you legal advice, we can share with you some of the things we think you should consider so that you’re prepared for when GDPR comes in May 2018.
What is it and why do we need to comply?
In 2012 the EU announced an intention to update the 1995 Data Protection Act law due to technological advancements, especially in mobile phones and tablets, and the rise of consumer concern in regarding Personal Data.
The 1995 law (which became the UK’s 1998 Act) allowed for a lot of varied interpretation across the EU member states. GDPR is a harmonised data protection law across all member States, and whether Brexit happens or not, GDPR will transfer to British law with the creation of the Data Protection Bill. The Information Commissioner’s Office (ICO) will also be given new powers to issue eye watering fines for non-compliance or mis-use.
It’s incredible to think of how far technology and data privacy has come in that space of time. Hands up who hasn’t read the Terms and Conditions when installing a new app? And even if you have read it, did you understand it all? This is why GDPR is here; to protect the individual.
News headlines are constantly referring to data losses, hacks and theft, not to mention the ‘fake news’.
Where does photography fit into this?
Are you running a business? Do you have clients and do you photograph people or children? If you answer yes to any of those questions, you should be paying attention to the ICO. You are probably holding names, addresses, email addresses, bank details and things like that. If you can identify a person from the data you hold, GDPR applies.
The ICO use the word ‘process’ to describe anything to do with data from storing to analysing it. For example, if you are collecting consent forms from people, you are ‘processing’ data.
Perhaps a special note of caution should be given to semi-professional or amateur photographers who are aspiring to start a business or do odd jobs on the side. GDPR really does apply to you too, so it’s wise to be aware of what it all means.
Here are some things you need to consider:
Be fair and transparent, tell people what you are doing with their data. This is where Privacy Policies are enormously important.
Consent to use data, where required, must be freely given, so don’t be trying to incentivise people to give it because you’ll find yourself in very hot water.
Purpose limitation and minimisation. Are you using the data for a specific purpose? Only process the data you need in order to fulfil a contract or project. Don’t store anything ‘in case it might be useful one day’.
Accuracy. Keep data up to date. If you send newsletters, this is the perfect way to encourage people to opt-in and to update their details with you. Everyone should aspire to have an active and engaged readership, client or fan base.
Storage limitation. As part of your spring cleaning, think about a data retention plan. How long will you keep something before safely deleting it?
Integrity and confidentiality; You might be working on incredibly sensitive projects for clients. 'Special category data' might even apply (you can read more on special category data from the ICO here), so you'll definitely need consent for that data and you'll need to keep it secure. You have the responsibility to ensure all data you hold can’t be stolen or accidentally lost. If you transfer data regularly, you should be considering how best to do this as securely as possible.
Children and consent; If you are taking photographs of children, are you obtaining parental consent? GDPR is rightly taking child data very seriously. If you have been hired by a company to take photographs at an event where children will be, don’t be afraid to ask how the consent forms are being handled; and if indeed there are any. Not all consent forms will need to be retained after an event and you might want to consider how you can keep consent without holding onto child data.
We are expecting to see some clarity on the way in terms of exemptions in artistic and journalistic work. Until then we will update this post with new info and potential case studies as and when we think there’s something relevant to share.
We at Shutter Hub feel ready for GDPR, but we’re keen to hear about good practice over the coming months. We are in this together, so let’s share the wisdom and keep everyone’s privacy safe.
Images © Christiane Zschlommer