It’s almost like it’s 1999 again and the Y2K bug – except this time you have Facebook and everyone and ramming GDPR compliance at you. The scare tactics are working – people are running around dazed and confused. The headlines of fines of 4% of global turnover and 20M euro fines are enough to scare anyone – but, what is the risk to a small business owner – and what should us wedding photographers be doing?
For those who have managed to ignore it so far. The General Data Protection Regulation is a set of legislation introduced across Europe to harmonise privacy and data handling rules across the EU/EEA. It is going to be adopted into UK Law on 25th May 2018 – so not that far away! In short, the regulations tighten up how businesses are using people’s personal data within the business and introduce greater transparency to how people can see what a company is doing with their personal data.
The GDPR is not something that you do once and forget it – and as a business owner, it means understanding the processes and procedures within your business and what that means to the handling of your data. GDPR affects several areas, but for the sake of simplicity, I’m going to address the specific areas that apply to us as photographers and what we can do quickly to start to move towards compliance
Our Privacy policies
Add a GDPR compliant Privacy notice to our website.
This website provides a great privacy policy generator for your website and allows you to customise the policy based on what external services you use. You will need to review and make some grammatical changes to the output from this!
Send a copy of our privacy policy to our mailing list subscribers
We need to inform our subscribers how we processing/storing and managing their data. At the same time, we could also ask them to confirm their consent to whether they still want to remain on the list and being specific about what we are going to send them (see below for more on this)
The econsultancy website provides some great examples of privacy notices and how this can be displayed and used.
Telling our clients about 3rd party suppliers
In reality, we’ll probably deal with people who visit our website and people such as our clients in a slightly different way. We could have two privacy policies – but that’s just confusing so we could just combine everything into one privacy policy that addresses everything our potential clients/subscribers/clients could want to know. So, if we are using Studio Ninja/Tave to hold our client’s data, if we are using Google/Office 365 for our emails (as personal data may in emails etc), Mailchimp, The Image Salon. Any 3rd party that we use to store or process personal data with, should be in our privacy policy.
Consent
As I mentioned previously, the need for consent in certain activities has become greater under the GDPR. Mainly around the grounds of mailing lists etc, we need to start being more granular with the consent and transparent as well. Again the econsultancy website has some good details in this area.
We also need to remove any implied consent clauses from our terms and conditions. for most of us, we have a clause in our contracts that says to our clients that we may use the images for marketing purposes. Under GDPR, this isn’t allowed anymore. Consent must be explicit and granular, and we must have a record of when we obtained that consent. This means that we can’t bury a consent clause in the small print.
So, in essence, this means taking the consent clause out of our terms and conditions and making it clear to our clients what we are asking:
I/we consent to the following use of the wedding photographs:
On the website of Fred Bloggs Photography Yes/No
On the Social media (Facebook/Instagram/Twitter) Yes/No
In print for promotion material e.g. brochures Yes/No
Signed ________ Date
The above example breaks down how exactly we want to use the images and gives the couple control over what they are agreeing to (btw, you can’t make consent a condition of the contract). In this example, if we wanted to use images on a wedding blog, we’d have to ask the couple later to obtain their consent for that.
In terms of our marketing, we can’t automatically add people to our mailing lists – so just because someone has sent us an enquiry on our website, that doesn’t mean that they want to receive our newsletter.
IT Security
This is a mammoth topic in its own right but basically, the GDPR says that we should be adhering to best practice in terms of information security. A strong password, two-factor authentication on email and online services were available, keeping our websites up to date and things like WordPress plugins are up to date. We have backups which are secured, we’re using encryption where necessary on devices like laptops and USB drives. We’re transferring data to 3rd parties in a secure manner e.g. over https/sftp.
And Finally
These areas cover the majority of what first steps we should be doing as photographers right now. As part of the ongoing work we need to be looking at areas such as data retention, and identifying how we would report on or delete our clients data if they should ask us to (covered under subject access requests and the right to be forgotten), however, if we’re using a CRM system that is compliant with GDPR then this becomes straightforward.
There are some aspects of our photography which fall into a grey area – such as consent from 3rd parties in our photographs – as technically we can’t rely on our couples do give consent on their behalf. The ICO says that is okay we don’t need consent– some lawyers argue we need consent – other say we don’t. Along with GDPR, there are also changes to the PECR (Privacy and Electronic Communications Regulation) which also have an image on some of our activities – but that needs another post to delve into that.
For us as small businesses, the risk doesn’t come from the massive fines – it potentially comes from people trying their luck complaining to the ICO that their privacy has been breached in some way. If we can show that we are doing our best to be compliant and working towards addressing any gaps, it’s unlikely that any small business will face large fines.
So, don’t panic, read around the subject and start to understand it. The ICOs website is very good and provides great examples. GDPR is a good thing moving forwards and highlighting a lot of issues that business haven’t addressed under the current Data Protection Regulations. Every business needs to look at the GDPR and be pragmatic in their approach to it, and the risk level that they want to run. A wedding photographer is not handling the same volume of personal data as say a large charity – but doesn’t mean we should ignore it. Start putting a plan in place to address what you need to do and work through it. GDPR is here to stay so building compliance into your business is the way to go.
We would love to hear your thoughts on GDPR. Are you ready?
Resources
The UK ICO
Website Privacy Policy Generator
Email campaign consent examples
Example privacy notices
Thanks for this John, really useful info.
Thank you for creating this. It’s so useful to have a realistic overview specific to our industry sector and some great actionable points to get the ball rolling.
Thank you for creating this. It’s so useful to have a realistic overview specific to our industry sector and some great actionable points to get the ball rolling.
Much appreciated and that all makes sense. Thanks for the effort you put into this.
Kudos for spelling this out in a straightforward manner for us wedding photographers!
Great post, thanks for this!
This answered a lot of questions and also helped on me making amendments to both my website and contract content. Thank you 🙂
I understand getting consent from the wedding couple, but what about candid shots of guests etc? Do we need express consent from every person in an image before we post it online?
Thank you for making this easy to understand.
As if running a small business wasn’t difficult enough already. Shame that those who have abused the system have made a lot more work for us creatives.
Thanks for the simplification.
As if running a small business wasn’t difficult enough already. Shame that those who have abused the system have made a lot more work for us creatives.
Thanks for the simplification.
Great post John! Thanks for sharing this useful info