Wedding Photography Businesses and the GDPR (General Data Protection Regulation)
The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. So in effect, you have to think seriously about implementing some security to look after your clients’ data.
- The GDPR applies to ‘controllers’ and ‘processors’.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU.
- It also applies to organisations outside the EU that offer goods or services to individuals in the EU. So if you are in the US and photograph weddings or run training workshops in the EU, you are involved with this.
Wedding Photography Businesses and the GDPR – What you need to think about.
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address or IMEI number (from mobile devices) or possibly photographs – can be personal data. Why photographs? Because many applications, e.g. Lightroom, now allow the use of facial recognition. If you use this facility then the photograph could be classed as personal data when used in conjunction with Google’s Reverse Image Search or Google Images.
The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR. The GDPR has a wider scope in detailing what is included.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
The GDPR includes certain rights for your clients:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Article 30 of the regulation declares that organisations with fewer than 250 employees will not need a dedicated Data Protection Officer, so this role can be done by anyone in your organisation. For sole traders, it just means wearing yet another cap!
GDPR will now regard sole traders as individuals.
This means that AFTER 25th May 2018, you can’t send Business to Consumer (B2C) marketing to private individuals or to SOLE TRADERS without having obtained and recorded their prior consent. So if you attend networking events, getting a business card or telephone contact details from someone does NOT give you the automatic right to email or call them. You NEED to get consent to contact them. Maybe change your business card to have a tick box saying “Yes” or “No” to contact when you hand it over?!! 😉
If you are marketing to corporate bodies you don’t need prior consent from them, but you must follow the opt-out rules.
- If you gather contact details via your website or at wedding fayres etc then you MUST let people give explicit consent. Implied consent is no longer allowed. In other words, you will need something like:
- “By giving me your email you agree I can send you photography related marketing material. You may opt-out at any time. You can ask for your data to be deleted or you can ask for a copy of the data held to be given to you.” Basically, something like that on your website contact forms and sign-in forms at wedding fayres.
- You need to be able to have a “right to be forgotten” clause – i.e. EVERYTHING on that individual will be totally and utterly deleted from all current systems and previous backups. If that includes images… it will mean deleting RAW files and backups etc. I’ve not found anything specific on images counting as personal information, but seeing as they could be used to identify someone, the option may be there.
- You need to tell people how long you will keep the information and what you will be using it for. As an example, I’ve just got an email from a business contact who I last worked with 8 years ago; under GDPR that isn’t allowed.
- You need to be able to give information to people who request it, in a form they can read and that they can transfer to other suppliers if required. So on a basic level, we are looking at Microsoft Excel spreadsheets in .csv format, I’d say.
- You will need to be able to prove that you gather and process information legally, according to the GDPR regulations to the relevant UK authority – the ICO.
So the chances are that small businesses which currently follow ethical and moral standards and the best practice outlined by the ICO won’t be affected too much; however, it is best to review your arrangements anyway.
What is “Explicit Consent”?
Explicit consent can be looked at in the same way as the GDPR’s standard requirements for obtaining normal consent. The difference is that it must be obtained in a way that leaves no room for misinterpretation. This means it must be provided in a clear statement – whether written or spoken.
The ICO’s guidance explains that consent requests must be:
- Unbundled: ensure that consent requests are separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service. Make sure that you have a separate tick box on your contracts or web forms.
- Granular: give a thorough explanation of options to consent to different types of processing wherever appropriate.
- Named: state which organisation and third parties will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented. I don’t use a professional CRM, but if you do I’d suggest getting in touch to see if this can be added or is already included! I record this bit on my contact details from wedding fayres and contracts and websites as a separate tick box.
- Without an imbalance in the relationship: check that there isn’t an imbalance in the relationship between the individual and the controller (such as an employee and employer, or a tenant and a housing association).
Some Simple Security Measures
Use a multi-layered approach!
“Perimeter Security” – Physical based.
All of your IT infrastructure should be stored in a secure and alarmed location. The alarm is monitored 24/7 and where a key holder does not answer a call the Police will be instructed to visit the site.
“Network Security” – ICT based.
All of the IT is further secured using strong password protection, using a mixture of alphanumeric characters and symbols. This is NOT written down. Consider encrypted hard drives etc. Be aware that if you use a cloud storage system (Dropbox for instance) then that system has to be GDPR compliant also. Dropbox, by the way, pretty much is GDPR compliant.
Basically ANYTHING you store electronically, either directly by you or by companies you pay for storage, needs to be GDPR compliant.
“Privilege Based” – People based.
Only those who need to access your information will be able to access it. In 99% of cases that should be just you, or possibly an assistant. They need to be a named individual though. In the case of my own business, the named person is Andrew Miller.
More information can be found on the ICO’s website and in this .pdf
What if you screw up and lose data?
The GDPR has some damned hefty fines! You inform the ICO immediately, although I do believe they say within 72 hours. There is a bit of interesting wording on this and how the business that has lost data decides if it is important enough etc.
- Tier 1 Data Breaches are the most serious and could lead to fines of up to 20 million Euros or 4% of GLOBAL turnover.
- Tier 2 Data Breaches could lead to a fine of up to 10 million Euros or 2% of GLOBAL turnover.
As a wedding or photography related business, it’s hard for me to envisage coming close to those fines for being hacked and losing personal data. However – it’s the EU. You never know!
What about your clients?
Use of facial recognition technology
Adobe Lightroom and Apple Photos both have built-in facial recognition features. I’ve not seen anything in the GDPR that specifically highlights this; however, with the now widespread use of facial recognition software and devices, I would recommend that you don’t use these features at all.
Why is that?
A person’s face is considered biometric information or data. The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.
It is one of the “special categories of personal data” that can only be processed if:
- The data subject has given explicit consent;
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the fields of employment and social security and social protection law;
- Processing is necessary to protect the vital interests of the data subject;
- Processing is necessary for the establishment and exercise of defence of legal claims; or
- Processing is necessary for reasons of public interest.