Wedding Photography Businesses and the GDPR (General Data Protection Regulation)
The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. So in effect, you have to think seriously about implementing some security to look after your clients’ data.
- The GDPR applies to ‘controllers’ and ‘processors’.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU.
- It also applies to organisations outside the EU that offer goods or services to individuals in the EU. So if you are in the US and photograph weddings or run training workshops in the EU you are involved with this.
Wedding Photography Businesses and the GDPR – What you need to think about.
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address or IMEI number (from mobile devices) – or possibly photographs can be personal data. Why photographs? Because many applications now allow the use of facial recognition, e.g. Lightroom. If you use this facility then the photograph could be classed as personal data when used in conjunction with Google’s Reverse Image Search or Google Images.
The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR. The GDPR has a wider scope in detailing what is included.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
The GDPR includes certain rights for your clients:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Article 30 of the regulation declares that organisations with fewer than 250 employees will not need a dedicated Data Protection Officer, so this role can be done by anyone in your organisation. For sole traders, it just means wearing yet another cap!
GDPR will now regard sole traders as individuals.
Which means that AFTER 25th May 2018, you can’t send Business to Consumer (B2C) marketing to private individuals or to SOLE TRADERS without having obtained and recorded their prior consent. So if you attend networking events, getting a business card or telephone contact details from someone does NOT give you the automatic right to email or call them. You NEED to get consent to contact them. Maybe change your business card to have a tick box saying “Yes” or “No” to contact when you hand it over?!! 😉
If you are marketing to corporate bodies you don’t need prior consent from them, but you must follow the opt-out rules.
- If you gather contact details via your website or at wedding fayres etc then you MUST let people give explicit consent. Implied consent is no longer allowed. In other words, you will need something like:
- “By giving me your email you agree I can send you photography related marketing material. You may opt out at any time. You can ask for your data to be deleted or you can ask for a copy of the data held to be given to you.” Something like that on your website contact forms and on sign-in forms at wedding fayres, basically.
- You need to have a “right to be forgotten” clause – i.e. EVERYTHING on that individual will be totally and utterly deleted from all current systems and previous backups. If that includes images… it will mean deleting RAW files and backups etc. I’ve not found anything specific on images counting as personal information, but seeing as they could be used to identify someone the option may be there.
- You need to tell people how long you will keep the information and what you will be using it for. As an example, I’ve just got an email from a business contact who I last worked with 8 years ago; under GDPR that isn’t allowed.
- You need to be able to give information to people who request it in a form they can read, and that they can transfer to other suppliers if required. So on a basic level, we are looking at Microsoft Excel spreadsheets in .csv format, I’d say.
- You will need to be able to prove to the relevant UK authority – the ICO – that you gather and process information legally, in accordance with the GDPR.
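As an added illustration (not code from this post), here is a minimal Python client register that puts the points above into practice: marketing consent is only ever an explicit tick, each record carries its stated purpose and retention period, a client’s data can be handed over as CSV, and a record can be erased. The email addresses, names and dates are constructed sample data.

```python
import csv
import io
from dataclasses import dataclass, fields
from datetime import date, timedelta

@dataclass
class ClientRecord:
    email: str
    name: str
    consent_marketing: bool  # explicit opt-in only; a business card alone gives none
    consent_recorded_on: date
    purpose: str  # what the data will be used for
    retention_days: int  # how long it will be kept
    def expired(self, today):
        return today > self.consent_recorded_on + timedelta(days=self.retention_days)

class ClientRegister:
    def __init__(self):
        self._records = {}
    def add(self, rec):
        self._records[rec.email] = rec
    def may_contact(self, email, today):
        # Marketing only with recorded consent that is still inside its retention period.
        rec = self._records.get(email)
        return rec is not None and rec.consent_marketing and not rec.expired(today)
    def export_csv(self, email):
        # Right of access / portability: everything held on the person, as CSV text.
        rec = self._records.get(email)
        if rec is None:
            return ""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow([f.name for f in fields(ClientRecord)])
        writer.writerow([getattr(rec, f.name) for f in fields(ClientRecord)])
        return buf.getvalue()
    def erase(self, email):
        # Right to erasure for the live record; returns False if nothing was held.
        return self._records.pop(email, None) is not None
    def purge_expired(self, today):
        # Retention enforcement: drop every record past its stated retention period.
        gone = [e for e, r in self._records.items() if r.expired(today)]
        self._records = {e: r for e, r in self._records.items() if e not in gone}
        return gone

def sample_register():
    # Constructed sample data: one ticked opt-in, one business card with no tick.
    reg = ClientRegister()
    reg.add(ClientRecord("bride@example.com", "A. Bride", True, date(2018, 5, 26), "photography marketing", 730))
    reg.add(ClientRecord("card@example.com", "B. Card", False, date(2018, 5, 26), "contact only", 30))
    return reg
```

Erasure here covers only the live register; the backups and RAW files mentioned above still have to be dealt with in whatever backup system you use.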
So the chances are that small businesses who currently follow the ethical and moral standards and best practice outlined by the ICO won’t be affected too much; however, it is best to review your arrangements anyway.
Some Simple Security Measures
Use a multi-layered approach!
“Perimeter Security” – Physical based.
All of your IT infrastructure should be kept in a secure and alarmed location. The alarm should be monitored 24/7, and where a key holder does not answer a call the police should be instructed to visit the site.
“Network Security” – ICT based.
All of the IT is further secured using strong passwords, made up of a mixture of alphanumeric characters and symbols. These are NOT written down. Consider encrypted hard drives etc. Be aware that if you use a cloud storage system (Dropbox for instance) then that system has to be GDPR compliant also. Dropbox, by the way, pretty much is GDPR compliant.
Basically ANYTHING you store electronically, either directly by you or by companies you pay for storage, needs to be GDPR compliant.
“Privilege Based” – People based.
Only those who need to access your information should be able to access it. In 99% of cases that should be just you, or possibly an assistant. They need to be a named individual though. In the case of my own business, the named person is Andrew Miller.
More information can be found on the ICO’s website and in this .pdf.
What if you screw up and lose data?
The GDPR has some damned hefty fines! You inform the ICO immediately, although I do believe they say within 72 hours. There is a bit of interesting wording on this and on how the business that has lost data decides if it is important enough, etc.
- Tier 1 Data Breaches are the most serious and could lead to fines of up to 20 million Euros or 4% of GLOBAL turnover.
- Tier 2 Data Breaches could lead to a fine of up to 10 million Euros or 2% of GLOBAL turnover.
As a wedding or photography related business, it’s hard for me to envisage coming close to those fines for being hacked and losing personal data. However – it’s the EU. You never know!
What about your clients?