GDPR – The Photographer and personal data
Posted on March 14, 2018
After four years of debate, the General Data Protection Regulation (GDPR) was ratified by the European Union and will become law from 25 May 2018. The regulation's purpose is to establish one single set of data protection rules across the whole of Europe. Organisations and businesses outside the EU are subject to this regulation when they collect data concerning any citizen of the EU (and the UK after Brexit). GDPR is designed to give individuals better control over their personal data held by organisations.
This is by no means a definitive guide and is just the first part. It does not even attempt to cover all scenarios or information. You can read all 99 articles here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr and here: https://gdpr-info.eu/
So what is Personal Data?
Personal data is defined as any information relating to a person who can be identified directly or indirectly by that data. This includes online identifiers, such as IP addresses and cookies, if they are capable of being linked back to the data subject.
Businesses will be required to “implement appropriate technical and organisational measures” in relation to the nature, scope, context and purposes of their handling and processing of personal data. A key part of the changes in the law (and one creating a lot of concern) requires consent to be given by the individual whose data is held.
Geek Alert: Consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”.
WOW! To put that another way, you have to ask the person whose data you want to store if you can store it… and they have to agree by ticking a box. That person also has a right to ask what data you have on them, and for it to be removed (the right to be forgotten) and if the purpose for which it was collected is no longer valid, then you should manage that data so it is deleted.
Example: If you take pictures from a wedding and you collect all the email addresses from the guests so you can announce that the photos are available online – that’s great! The visitor can add their email address, tick a checkbox of consent and you can send them emails and offers etc. when the photos of the wedding are uploaded. But if you take the photos offline after a period of time, then the guest’s data is no longer valid for the purpose it was collected, so that personal data should all be deleted too. It makes sense, right?
Also, when you obtain data from an individual, you must make clear who you are (or your organisation) and show your contact details as well as what the information will be used for. You must also state whether the data will be transferred internationally and the period for which the data will be stored. This can be handled in your privacy policy. We have done the work for you on this – you just need to make any additions and publish it on your website.
The person has the right to access, rectify or erase the data, and these requests must be executed at the latest within one month of the request. The person also has a right to withdraw consent at any time and a right to lodge a complaint. We are making a new section in your Control Panel, “GDPR Tools”, which will enable you to handle all of this. We will update you as soon as it has been made live on the live servers.
Elizabeth Denham, the UK’s information commissioner, who is in charge of data protection enforcement, says she is frustrated by the amount of “scaremongering” around the potential impact for businesses.
So to sum up this post let’s try putting GDPR into perspective… Most will be doing this anyway, but to be clear about the basics:
- You have to look after people’s private information. This can be a name, address, photo, IP address… you name it.
- You have to ask them for consent before you can store their data and tell them how they can access that data you hold about them should they want to.
- Every photographer’s website should have a privacy policy page.
- Access to your data – GDPR gives individuals a lot more power to access the information that’s held about them. The GDPR Tools will do this for you.
And to be clear about Consent – this means offering individuals genuine choice and control.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and granular. Vague or blanket consent is not enough.
- Name any third parties who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Avoid making consent a precondition of a service.
Remember that you and your personal information are also being protected by the changes in privacy protection and GDPR – it is there for all of us.