GDPR and Your Photography Business

If you are a photographer, the General Data Protection Regulation (GDPR) may have become a reality for you. After its implementation in May this 2018, it has changed the way pictures are treated.

According to this new data protection law, images that contain people who can be identified will be considered a form of personal information. Therefore, they should all be handled with care.

There are some exceptions with GDPR, which is why it is essential that you should know the fundamentals of GDPR.

What DGPR means for photographers and a photography business - Shootfactory

Get Consent First

While it is true that GDPR will handle photos with people as personal information, it is still possible to use their photos and publish them for your business. The requirement is to get permission from the person or group of people who are in the picture before you post it.

If you have been working as a professional photographer for some time now, you know that some scenarios may require you to get consent from your subject first. For example, you want to take pictures of a specific company’s staff. They should permit you to post the pictures first before you can do so. Additionally, you should get the consent from all the individuals present in the photo. It means it is not enough that the company has an agreement with you.

Your responsibility does not end with the permission given to you. It is vital that you keep track of the pictures for a long time, which can pose a considerable challenge. Managing the photos can be cumbersome and time-consuming. If you are not careful, you could end up being subject to hefty fines.

What is the Purpose of the GDPR?

A lot of photographers asked why they have to change how they operate. It used to be so easy and straightforward with no worries if you use photos of people for your business. However, things have changed, and it is crucial you abide by the new GDPR rules.

Faces of the people in your photos can be processed to identify who those individuals are. If you have been using Facebook, you may have seen the auto-tagging feature of the popular social media app. The same goes for the smartphones we have today, which also have tagging capabilities.

Most of the time, as a photographer, your subjects involve people. These individuals typically show their faces on the images, and you cannot process them like how you did before, mainly if they can be identified. However, it does not mean that you have to delete all the photos with faces. You are still allowed to utilise them if you have the person’s explicit consent to use his or her image for your business.

Aside from the permission of the individual, there are other conditions that you should meet, including:

  • It is in compliance with a legal responsibility
  • Processing is necessary to provide protection to the interests of the person or another individual
  • There is a contract that you have to fulfil with the individual in the photo
  • It can help perform a task carried out in the interest of the public

It is also permissible to process the image for the purpose of legitimate interest, which is pursued by a third party (known as the controller). The exception is if the arrangement overrides the rights, freedom, and interest of the data subject or the person in the picture. Note that this requirement is not allowed if public authorities are involved.

On top of all the conditions listed above, it is necessary that you always inform the persons about their data privacy rights, which include:

  • The right of access, which denotes that the individual can receive a copy of the personal data the business holds about him or her
  • The right to rectification where the data subject can request for their personal information to be accurate and updated
  • The right to erasure where seeking to have all personal data removed unless it will void a legal obligation
  • The right to restrict processing where the person in the photo can request the business or organisation to halt the processing of personal data
  • The right to data portability in which the person can ask to receive information in a structured format
  • The right to lodge a complaint that allows the person to file a complaint regarding the processing of the image
  • The right to withdraw consent where the person can take back the permission given as easy as giving it to the photographer

The General Data Protection Regulation already came into force before the end of May, and all 28 European Union countries are affected. If you have a photography business, it will undoubtedly impact you and how you handle photos. The changes can even influence your services, including how you collect and manage the data you have stored about your clients and those who interact with your business or website.

While it affects the companies in the European Economic Area or EEA, you may be wondering whether it would affect your photography business if it is based somewhere else outside of the European Union, such as the United States. To make the answer simple, GDPR applies to all the private data you collect using your site, mainly if you have traffic coming from a European country.

It means that where you are based, along with where your site is hosted, the location of your business – even if you do not sell anything online or offline, the GDPR will still affect you. This law is designed to provide clarity to the consumers about their rights. It should also make the standards clear to help protect consumer data.

Provisions are outlined in GDPR requiring businesses to safeguard the personal data and privacy of all European Union citizens for their transactions that occur within the member states. It is also important to understand that the GDPR also regulates personal data exportation outside the European Union. In this regard, businesses that operate outside the EU are also affected.

Types of Data Protected

The GDPR entails different forms of data grouped as Personally Identifiable Information or PII. The PII includes the following:

  • Name
  • Address and IP address
  • RFID tags
  • Cookie data
  • Location
  • ID numbers
  • Health and genetic data
  • Racial or ethnic data
  • Sexual orientation
  • Political opinions
  • Biometric data

As you can see from the list, the new law takes a broad take on the personal identification information. Businesses will be required to put the same level of protection, such as the IP address of an individual, just like they do with the person’s name and address among others.

Why Should Photographers Care about GDPR?

All businesses are still permitted store and process data of persons from around the European Union. However, the individual should provide consent first, and the permission should not be longer than what is necessary for the purpose of the processing of the personal data. What it means is that double opt-ins are making a comeback. Personal data should also be portable from one company to the next. If the person wants his or her personal data erased, the company is required to fulfil the request.

It does not matter if you have a small business or you have more than 200 employees. It is also not an excuse that you do not have a brand presence in the EU. You are still required to ensure that all entities that process or store data for your business complies with the GDPR.

The reason behind this is simple: the law will hold processors responsible for the non-compliance or the breaches. It is possible that you, the company, and your processing partner (for instance, the cloud providing firm) will be held liable in case you will be charged with non-compliance. It will denote that everyone involved is accountable for the penalties – even if the real fault lies entirely on your data storage or the processing partner, which can be any of the following:

  • Your website host
  • Email host
  • Software as Service applications
  • The computer programs that you utilise for your business
  • Cloud

The limitations on the collection, storage and use of data can create several sets of potential liabilities that are just connected to the accumulation of data. It is because GDPR will place the controller (the company that owns the data or your business itself) on equal blame with the data processors (the third-party organisations that assist in managing the data). Therefore, if the third processor does not comply with the GDPR law, your business is held responsible for their actions as well.

It is a huge challenge because it means you may have to check how your vendors secure and manage data from your transactions based in the European Union. This way, they will understand that there are some risks, which they may be exposing your business to. What this will likely mean is that your existing contracts with the processors, such as cloud applications, payroll service providers, or SaaS vendors, along with your customers should be revised. This way, you can spell out the duties for data you and your company collected in the EU.

If contracts have been revised, they should define the processes of how you will manage and protect data. Additionally, it should, in detail, provide information on how the breaches will be reported, if any. The GDPR requires a 72-hour window to communicate such issues, and it is essential that everyone in the company, including the vendors, understand how to report a data breach accurately.

Penalties for Non-Compliance

If your business or your data processing vendors have a problem in complying with GDPR, you may want to know what will happen to your company. According to the law, the penalties can go as much as €20 million or four per cent of the company’s annual turnover – whichever is higher – for non-compliance.

The significant penalty should be enough for you to make sure your business follows the set of regulations of this law. However, some business owners are quite unsure about the penalties, questioning the unclear method of assessing how much sanctions will be imposed. For instance, it is still confusing how the fines will differ for a particular breach of personal data that may not have an impact on the person involved. It may even be equal to a violation where the exposed PII will result in real damage.

What You Need to Think about for Your Photography Business

GDPR has a broad scope, but it affects photography business simply because it applies to personal data. The definition of this law is quite detailed, and it is clear that any piece of information, such as an online identifier can be personal data. These identifiers can be anything from the IP address of a person, the IMEI number of their mobile device, or photographs.

The photos are included and remain personal data because there are now several applications out there that can provide facial recognition. An example is Lightroom, which can be used together with Google Images or Reverse Image Search and the photo utilised can be categorised as personal data.

GDPR has a more broad classification than most other data breaches. It defines a wide range of identifiers that constitute a person’s data, which then reflects the changes in technology we have these days. Additionally, it shows that organisations today have a sophisticated way of collecting information about individuals.

As a photography business, it is almost constant that you will work with other people. As stated earlier, you will need the permission of those in your photos. If you will use the images for marketing, have a contract ready and get the consent of people who will be in the pictures.

A practical measure is to let people give their explicit (not implied) consent, including details about how you will use the image and that the person can opt-out of the agreement anytime.