The General Data Protection Regulation (GDPR) is coming into force on May 25th, 2018 and you and your photograph business need to be ready.
If you haven’t heard of GDPR yet, now is the time to get clued up. There is only a matter of months before the law is changing and mark my words, this is not something that you can afford to ignore!
Every business owner will need to ensure that their business is GDPR compliant from the date that the legislation is introduced, and the penalties for non-compliance are going to be steep, apparently. Whispers of penalty fees up to 4% of turnover, and up to tens of millions of pounds in some cases, have been rumoured!
What is GDPR then?
GDPR sets out the new European framework for data protection. It is a replacement of the current data protection laws, set almost twenty years ago, and is concerned with how personal data is obtained, used, handled and stored.
Who does the GDPR legislation affect?
This new data protection legislation is coming into force in the UK and across Europe. It’s a European-wide policy, and it affects the UK regardless of the outcome of the currently unresolved ‘Brexit’ issue.
Since in your business you’re storing personal data about your clients, and will likely have an email marketing database of clients and prospective clients too, GDPR concerns you and your photography business! And it affects you even if you are a photographer based outside Europe, but who has data about clients or prospects within Europe.
What is classed as ‘data’?
To clarify, personal ‘data’ is classed as any information that could be used to identify an individual; that could mean an email address, a name, a date of birth, a postal address, a national insurance number or a bank account number, for example.
What are your responsibilities regarding data protection?
As a business which collects personal data (usually when people sign up to join your email marketing list or becomes a client), you’re effectively the ‘Data Collector’. And as such, you have a responsibility – even under current data protection rules – to ensure that you are compliant with data protection law.
Essentially, you must protect the consumer and prevent their data getting into the wrong hands and being abused.
And if you share access to that data with a third-party company or individual (perhaps, someone who assists you with your email marketing or has access to your mailing list database), they are the ‘Data Processor’.
The GDPR legislation affects both parties; Data Collectors and Data Processors. Both have responsibilities in regard to the use of the personal data and are legally liable for ensuring there are no unlawful data breaches, and to report one if it does occur.
This sounds like a lot of work!
The good news is that if you are compliant with current data protection laws there is not actually a huge amount of change. And small businesses, such as yours, which hold a relatively limited amount of data, will have less to sort out than larger companies and big corporations.
Be assured, GDPR is certainly not something to fear. And it is feasible to see it as a positive change since it will help to ensure that all of our personal data is better protected by the companies whom we have entrusted it to.
What are the main changes that you need to know about?
In regards to the personal data that you hold within your business about any living individual, the main changes due to the incoming GDPR legislation are that:
1. You need to document and maintain records about your data processing activities
How you obtain personal data, what you are using it for and how you store and use it should be documented. This is so that you can demonstrate that you comply with the data protection rules if you’re ever required to prove this.
2. You’ll need to ensure you have secured informed consent
‘Informed consent’ is crucial and a key part of the new GDPR legislation. The ICO explains that “Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, preticked boxes or inactivity.”
Going forward, you must be able to prove (with evidence, if required) that you have obtained data as a result of each individual having proactively opted in to receive the information. You can do this by ensuring that you are providing a ‘double opt-in’ process as part of the sign-up. This allows you to ask the person to verify that they definitely want to be added to the mailing list.
Email marketing providers such as MailChimp offer the double opt-in process already, so if you use an email provider like that, chances are you already have this part covered off.
But, one thing to be aware of is that if people are joining your mailing list – perhaps to receive a specific freebie download or ‘lead magnet’ – that they must be made aware that they are also signing up to your on-going email marketing list. If this is the case but it’s not very clearly spelt out to them, you’ll need to make this more obvious.
You’ll need to be transparent about what they are signing up for, and give them the opportunity to opt-out. And you must ensure to immediately delete their data if they do opt-out.
The crucial point is that if they are going to continue to receive marketing emails from you, you must have made that clear at the point of opt-in. They must have given informed consent and have the opportunity to withdraw from your list, either immediately or at any point in the future, if that isn’t something that they want to continue receiving.
If you aren’t sure, or can’t prove, that people on your current marketing database or mailing list gave their informed consent, you’ll need to get them to re-opt into receiving marketing communications from you – again, using a double opt-in process.
So, this is a good time to review your current data processes;
- to document what data you are keeping,
- to check whether you really need all the data that you are currently collecting (do you really need to know their postal address if you won’t ever be sending them anything in the post, for example?)
- and, how you are using and managing it (is it safe by being protected by encryption or is a password required to access it?).
- to review who (if anyone) you are sharing the data with,
- and, how long you are keeping data for (longer than is really necessary?).
For privacy notices and T’s and C’s documents to be GDPR compliant they must also be concisely and clearly written, in easy-to-understand language. The days of complicated legal jargon and tiny illegible print being legally sufficient will soon be long gone.
Why GDPR is a good thing though!
GDPR is being introduced to make personal data safer. So, although this could sound quite complicated (and yes, extra work for you while you get your photography business compliant), you’ll also benefit personally from the changes.
That’s because any companies which store information about you will need to ensure that they are GDPR compliant too. Which, in the long run, means fewer unsolicited emails coming into your inbox and that your personal data will be less likely to be subject to potential misuse.
Where can I find out more about GDPR?
There has been a lot of speculation over the past few months about what businesses need to do to ensure they are GDPR compliant. This article has only skimmed the surface of what is a very complicated piece of legislation, and I have not covered off everything in this article that you need to be aware of.
Please ensure to do further reading of your own about GDPR and to spend the time researching and fully understanding how the legislation affects your specific business. There are many resources online that can help you understand what GDPR is and how it will affect your photography business.
The ICO (Information Commissioner’s Office) website is a great place for you to start. They have prepared resources which include this one, which gives an overview of the ways in which you can be preparing your business for the new GDPR legislation now, ahead of May 2018.
You can also find GDPR support groups and forums online. But be wary of whose advice you take – only implement advice shared in these forums if you can be sure that the person sharing tips and advice is an expert on the topic.
The information I share here is based on knowledge I have obtained from reliable sources such as the ICO and other GDPR experts, but please note that the content contained in this blog is not a full rundown on the GDPR legal requirements and does not constitute legal advice.
I’ve written this article in the hope that I have helped you by introducing the GDPR legislation if you hadn’t been aware of it already, and by giving you an indication of what you’ll potentially need to do as a photography business owner to ensure your compliance from May 2018.
But to ensure that you and your photography business are fully covered in advance of the GDPR legislation coming in, please seek your own independent legal advice. Zoe Hiljemark and Sixth Sense PR will not accept liability for any outcomes whatsoever that arise as a result of you implementing the information or advice shared in this article.