The New Government Data Protection Regulations And Your Photography Business.
General Data Protection Regulation (GDPR)
All the information below has been sourced from the Information Commissioner's Office Website. https://ico.org.uk
You may or may not be aware that in May 2018 the European union are introducing new rules that will govern how business handle their customer’s personal data. These new rules, the General Data Protection Regulation will replace the previous regulations, The Data Protection Act Of 1998.
Personal data is defined as any data, which can identify someone, such as name, date of birth, address, age and more relevantly images. Images on your website ARE classed as data for instance! So you will need a GDPR compliant model release which includes specific consent.
As many photographers work with sensitive personal data, it is important to understand the changes that are being made and steps that your business will need to take to comply with these new regulations.
Before we get into the change in individuals rights its worth looking at some changes in definitions under the GDPR. There are three main sections here:
Processing of data
Children’s personal data
In this instance when GDPR refers to processing it is not as we understand it the editing of an image, but refers to any operation or set of operations, which you perform on data. For instance your client’s data for marketing analysis, or a mailing list. As the person that holds this data your are referred to as the data controller.
Consent has changed slightly under the GDPR as you no longer allowed to automatically opt in clients to data storage or processing. This is mainly applicable if you provide a newsletter or other form of communication where currently the client would have to opt out, the client must now clearly consent to their data being processed. This does not mean that current members of a mailing list or marketing analysis will need to re-consent but it does mean that any future members will need to consent so no need to throw out your mailing list just yet!
Children’s Personal Data
While children’s personal data rules are being changed under the GDPR which may seem worrying on the face of it. Much of the changes will not affect children’s photographers. Many of the rules are designed to target online websites used by children, however the one section that will affect photographers, and probably something you are already doing in your business is that in order to process a child’s data you must have consent from a person holding parental responsibility, for example a model release.
The GDPR makes some changes and adds new rights for individuals.
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
And rights in relation to automated decision making and profiling, (less likely to apply to photographers this is for business’s where computers analyze information and make decision, such as a bank or insurance companies.
Rights to be informed.
Right Of Access
Under GDPR individuals are allowed to request access to their personal data. This includes confirmation that their data is or is not being processed. Access to personal data that you hold on them, this does not mean you have to give them all the photos if they ask, nor do you have to give them access to your studio management software, but it would just mean you would have to show them in a useable format what data you hold (See the right to Data Portability).
This information must be provided free of charge and within one month of the receipt of request. However you do have the right to refuse to respond to a request, if you do you must respond explaining to the individual why you cannot provide this. Although as a photographer I cannot see any instances where you would have good reason to refuse.
See chapter 3 section 1 article 12 #5 of the GDPR.
The Right To Rectification
This is simpler than previous rights, it simply states that individuals have the rights to amend or correct any details, which you have on file, which may be incorrect.
The Right to Erasure or the right to be forgotten is a right provided to consumers where by upon request a business is required to delete all personal data held by the business, providing there is no compelling reason for its continued processing. The business does in some circumstances have the right to refuse this request, for example if the data is required for completion of a contract.
The Right To Restrict Processing
This is very similar to the previous regulations under the Data protection act. Individuals are allowed to request that processing is not performed on their data, unlike the right to erasure you are still permitted to hold the data you just can’t process it, i.e. use it.
Right To Data Portability
This right is in relation to an individuals right of access. The right of access allows an individual to request access to their data, the right to data portability allows individuals access to their data in a portable format in order to use themselves. The business is required to provide the data in a format that is portable between platforms for example a CSV file.
The Right To Object.
The Right Related To Automated Decision Making And Profiling.
This should not impact many if any photographers but a brief overview is that in the case of any data procession or decision making by an automated process an individual has the right to request human intervention. For instance you put in for a loan and that process is decided by a computer, you have the right to request that an actual person reviews the decision.
Transfer Of Data
The GDPR much like the DPA imposes restriction upon transferring data outside of the EU. This is mainly relevant for photographers in the case of website hosting being out of the EU. You may transfer data where the business receiving the data has provided confirmation in the form of a contract or agreement that they are compliant with the GDPR. So for instance I contacted my website hosting company, Photobiz, in the US and sent them the entire GDPR document and I now have in writing (email) that they comply with the relevant regulations.
In terms of your business, what other instances are there where by you might be transferring images outside of the EU. I have listed a few below.
your website servers
album fulfillment and design
purchasing of products, wall art etc, where you are uploading images online
if your client purchases session fees via an online store like BigCartel.
email marketing such as Mail Chimp
studio management software such as Lightblue, Tave, 17 Hats.
As a photographer ask yourself the following questions to gauge what you still need to do.
If you are like me and run your business single handed you are considered a data controller. ICO have a controller checklist that is very helpful: Controllers Checklist