The General Data Protection Regulation (GDPR) is coming into force on May 25th, 2018 and you and your photograph business need to be ready.
If you haven’t heard of GDPR yet, now is the time to get clued up. The law is changing and mark my words, this is not something that you can afford to ignore!
Every business owner will need to ensure that their business is GDPR compliant from the date that the legislation is introduced, and the penalties for non-compliance are going to be steep, apparently. Whispers of penalty fees up to 4% of turnover, and up to tens of millions of pounds in some cases, have been rumoured!
What is GDPR then?
GDPR sets out the new European framework for data protection. It is a replacement of the current data protection laws, set almost twenty years ago, and is concerned with how personal data is obtained, used, handled and stored.
Who does the GDPR legislation affect?
This new data protection legislation is coming into force in the UK and across Europe. It’s a European-wide policy, and it affects the UK regardless of the outcome of the currently unresolved ‘Brexit’ issue.
Since in your business you’re storing personal data about your clients, and will likely have an email marketing database of clients and prospective clients too, GDPR concerns you and your photography business! And it affects you even if you are a photographer based outside Europe, but who has data about clients or prospects within Europe.
What is classed as ‘data’?
To clarify, personal ‘data’ is classed as any information that could be used to identify an individual; that could mean an email address, a name, a date of birth, a postal address, a national insurance number or a bank account number, for example. Photographs are also considered ‘data’.
What are your responsibilities regarding data protection?
As a business which collects personal data – in the form of names and email addresses typically, when people sign up to join your email marketing list or becomes a client – or, in the form of photos you create when hired by your photography clients, you’re effectively the ‘Data Collector’. And as such, you have a responsibility to ensure that you are compliant with data protection law.
Essentially, you must protect the consumer and prevent their data getting into the wrong hands and being abused.
And if you share access to that data with a third-party company or individual (perhaps, someone who assists you with your email marketing or has access to your mailing list database), they are the ‘Data Processor’.
The GDPR legislation affects both parties; Data Collectors and Data Processors. Both have responsibilities in regard to the use of the personal data and are legally liable for ensuring there are no unlawful data breaches, and to report one to the Information Commissioner’s Office (ICO) if it does occur.
What are the main changes that you need to know about?
In regards to the personal data that you hold within your business about any living individual, the main changes due to the incoming GDPR legislation are that:
1. You need to document and maintain records about your data processing activities
How you obtain personal data, what you are using it for and how you store and use it should be documented. This is so that you can demonstrate that you comply with the data protection rules if you’re ever required to prove this.
2. You’ll need to ensure you have secured informed consent
‘Informed consent’ is crucial and a key part of the new GDPR legislation.
The ICO explains that “Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, preticked boxes or inactivity.”
Going forward, you must be able to prove (with evidence, if required) that you have obtained data as a result of each individual having proactively opted in to receive that specific type of (marketing) communication.
While the ‘double opt-in’ process as part of the sign-up is not specifically required under GDPR, it would be wise to ensure you use it anyway. This two-step process will allow you to ask the person to verify that they definitely want to be added to the mailing list that they have requested to sign up to.
Email marketing providers such as MailChimp offer the double opt-in process already, so if you use an email provider like that, chances are you already have this part covered off.
And in regards to photographs, you’ll need to get written client permissions and potentially those of others who will be in your photographs (if you are a wedding photographer, for example). Please seek expert guidance for further clarifation on this.
- Tick boxes to prove ‘granular’ consent
Another thing to be aware of is that you’ll need to be transparent about what people are signing up for when they complete a form on your website.
Specifically, you’ll need to provide tick boxes on your sign up forms that clearly state the sign-up options available to them. Blanket or presumed consent will not be allowed under GDPR.
Which means it will no longer be permitted to automatically add people to your on-going marketing mailing list (to receive your monthly newsletter, for example) if they wish to request a freebie download or ‘lead magnet’.
- The ability to opt out
As is the case now, you also need to continue to give subscribers the opportunity to opt-out. And you must ensure to immediately delete their data if they do opt-out.
The crucial point is that if they must have given informed consent.
If you aren’t sure, or can’t prove, that people on your current marketing database or mailing list gave their informed consent, and this is the key point – to GDPR-required standards – you’ll need to get them to re-opt into receiving marketing communications from you.
My advice would be to do at least one ‘re-engagement’ email campaign before May 25th to secure that GDPR compliant consent.
So, this is a good time to review your current data processes;
- to document what data you are keeping,
- to check whether you really need all the data that you are currently collecting (do you really need to know their postal address if you won’t ever be sending them anything in the post, for example?)
- and, how you are using and managing it (is it safe by being protected by encryption or is a password required to access it?).
- to review who (if anyone) you are sharing the data with,
- and, how long you are keeping data for (longer than is really necessary?).
For privacy notices, T’s and C’s documents and cookie policies to be GDPR compliant they must also be concisely and clearly written, in easy-to-understand language. The days of complicated legal jargon and tiny illegible print being legally sufficient will soon be long gone.
Why GDPR is a good thing though!
GDPR is being introduced to make personal data safer. So, although this could sound quite complicated (and yes, extra work for you while you get your photography business compliant), you’ll also benefit personally from the changes.
That’s because any companies which store information about you will need to ensure that they are GDPR compliant too. Which, in the long run, means fewer unsolicited emails coming into your inbox and that your personal data will be less likely to be subject to potential misuse.
Where can I find out more about GDPR?
There has been a lot of speculation over the past few months about what businesses need to do to ensure they are GDPR compliant.
And even now, as I write this – just 71 days away from the GDPR deadline – there remains much confusion and discussion online about what individual business owners need to do to get GDPR compliant. Not helped by the fact that large companies such as MailChimp are still yet to finalise their GDPR implementation plans. It’ll be next month (April 2018) before people like you and I will have access to the tools we need to create GDPR approved sign up forms for our email marketing, for example!
This article has only skimmed the surface of what is a very complicated piece of legislation, and I have not covered off everything in this article that you need to be aware of.
I have also updated this article since it was first written as I personally am learning more and more about GDPR each week.
Please ensure to do further reading of your own about GDPR and to spend the time researching and fully understanding how the legislation affects your specific business. There are many resources online that can help you understand what GDPR is and how it will affect your photography business.
The ICO (Information Commissioner’s Office) website is a great place for you to start. They have prepared resources which include this one, which gives an overview of the ways in which you can be preparing your business for the new GDPR legislation now, ahead of May 2018.
You can also find GDPR support groups and forums online. But be wary of whose advice you take – only implement advice shared in these forums if you can be sure that the person sharing tips and advice is an expert on the topic.
Again, I would recommend Suzanne Dibble. She has a free Facebook group ‘GDPR for online entrepreneurs’ that is definitely worth joining.
Disclaimer: The information I share here is based on knowledge I have obtained from reliable sources such as the ICO and other GDPR experts, but please note that the content contained in this blog is not a full rundown on the GDPR legal requirements and does not constitute legal advice.
I’ve written this article in the hope that I have helped you by introducing the GDPR legislation if you hadn’t been aware of it already, and by giving you an indication of what you’ll potentially need to do as a photography business owner to ensure your compliance from May 2018.
But to ensure that you and your photography business are fully covered in advance of the GDPR legislation coming in, please seek your own independent legal advice. Zoe Hiljemark and Sixth Sense PR will not accept liability for any outcomes whatsoever that arise as a result of you implementing the information or advice shared in this article.
This post was originally published on January 11th, 2018 and was updated on March 14th, 2018.