It’s almost like 1999 and the Y2K bug all over again, except this time Facebook and everyone else are ramming GDPR compliance at you. The scare tactics are working, and people are running around dazed and confused. Headlines about fines of up to 4% of global turnover or 20 million euros are enough to scare anyone. But what is the real risk to a small business owner, and what should wedding photographers actually be doing?
This post details some of the discussions we’ve been having with some of our small creative clients around GDPR.
For those who have managed to ignore it so far: the General Data Protection Regulation is EU legislation that harmonises privacy and data handling rules across the EU/EEA. It applies from 25th May 2018, with the UK’s Data Protection Act 2018 sitting alongside it, so it is not far away. In short, the regulation tightens up how businesses use people’s personal data and makes it easier for people to see what a company is doing with their data.
The GDPR is not something you do once and forget. As a business owner it means understanding the processes and procedures within your business and what they mean for how you handle personal data. GDPR affects several areas, but for the sake of simplicity I’m going to address the specific areas that apply to photographers and what they can do quickly to start moving towards compliance.
Our privacy policies
Add a GDPR compliant privacy notice to your website.
You need to inform your subscribers and clients how you are processing, storing and managing their data, and for how long. At the same time you could ask existing subscribers to confirm whether they still want to remain on the list, being specific about what you are going to send them (see below for more on this).
The econsultancy website provides some great examples of privacy notices and how they can be displayed and used.
Telling our clients about 3rd party suppliers and getting proper consent
Your privacy notice also needs to tell clients who else handles their data on your behalf: print labs, album suppliers, online gallery hosts, cloud storage and email providers, and so on. As I mentioned previously, the need for consent in certain activities has become greater under the GDPR, mainly around mailing lists and marketing, and consent has to be more granular and more transparent. Again the econsultancy website has some good details in this area.
You also need to stop relying on implied consent clauses in your terms and conditions. Most of you have a clause in your contract telling clients that you may use their images for marketing purposes. Under GDPR that clause is no longer valid consent: consent must be explicit, granular and freely given, and you must keep a record of when and how you obtained it. You can’t bury a consent clause in the small print.
So, in essence, this means taking the consent clause out of your terms and conditions and asking your clients clearly, on a separate form:
I/we consent to the following use of the wedding photographs:
On the website of Fred Bloggs Photography: Yes / No
On social media (Facebook / Instagram / Twitter): Yes / No
In print for promotional material, e.g. brochures: Yes / No
Signed ________ Date ________
The above example breaks down exactly how you want to use the images and gives the couple control over what they are agreeing to (by the way, you can’t make consent a condition of the contract, and the couple can withdraw it later). In this example, if you later wanted to use images on a wedding blog, you would have to go back to the couple and ask for consent for that specific use.
In terms of marketing, you can’t automatically add people to your mailing list. Just because someone has sent an enquiry through your website doesn’t mean they want to receive your newsletter, so the newsletter needs its own unticked opt-in.
Information security
This is a mammoth topic in its own right, but basically the GDPR says you should be following best practice in information security. In practice for a photographer that means: strong, unique passwords (ideally from a password manager); two-factor authentication on email and online services where it is available; keeping your website, and things like WordPress plugins, up to date; backups that are secured and that you have actually tested restoring; full-disk encryption on laptops and encrypted USB drives, so a lost bag is not a data breach; and transferring client data to third parties securely, e.g. over HTTPS or SFTP rather than plain FTP or an unencrypted email attachment.
These areas cover the majority of the first steps you should be taking as photographers right now. As part of the ongoing work you need to look at data retention (how long you keep client details and images, and why), and work out how you would report on or delete a client’s data if they asked you to (covered by subject access requests and the right to erasure, often called the right to be forgotten). If you’re using a CRM system that can export and delete a client’s record, this becomes straightforward, but remember that you remain responsible for the data, and a client’s details also live in your email, gallery host and backups, not just the CRM.
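To make the consent form and the subject access / erasure / retention points concrete, here is an added example of a minimal client register for a small photography business. It is not code from the original post; the client, dates, purposes and two-year retention period are constructed for illustration, and a real business would keep this in its CRM rather than in memory. It records each granular consent answer with a timestamp, refuses to use an image for a purpose that was never consented to, exports everything held about a client for a subject access request, erases a client on request, and lists clients whose data is past its retention period.

```python
"""Added example (not from the original post): a consent and client-data
register for a small photography business. All records are constructed."""
from dataclasses import asdict, dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# One granular purpose per line of the consent form in the post.
PURPOSES = ("website", "social_media", "print_brochure")


@dataclass
class ConsentRecord:
    purpose: str
    given: bool
    recorded_at: datetime                  # the GDPR record of when consent was obtained
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.given and self.withdrawn_at is None


@dataclass
class Client:
    email: str
    name: str
    wedding_date: date
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)
    newsletter: bool = False               # an enquiry is never a newsletter sign-up


class ClientRegister:
    def __init__(self, retention_days: int) -> None:
        self.retention = timedelta(days=retention_days)
        self._clients: Dict[str, Client] = {}
        self.audit: List[str] = []         # who consented to / withdrew what, and when

    def add(self, client: Client) -> None:
        self._clients[client.email.lower()] = client

    def record_consent(self, email: str, purpose: str, given: bool, when: datetime) -> None:
        if purpose not in PURPOSES:        # refuse consent for a purpose the form never offered
            raise ValueError(f"unknown purpose: {purpose}")
        client = self._clients[email.lower()]
        client.consents[purpose] = ConsentRecord(purpose, given, when)
        self.audit.append(f"{when.isoformat()} consent {purpose}={'yes' if given else 'no'} {email}")

    def withdraw_consent(self, email: str, purpose: str, when: datetime) -> None:
        record = self._clients[email.lower()].consents.get(purpose)
        if record is not None:
            record.withdrawn_at = when
            self.audit.append(f"{when.isoformat()} withdrawn {purpose} {email}")

    def may_use_for(self, email: str, purpose: str) -> bool:
        """Default deny: unknown client, no answer, 'No', or withdrawn all mean no."""
        client = self._clients.get(email.lower())
        if client is None:
            return False
        record = client.consents.get(purpose)
        return record is not None and record.active()

    def subject_access(self, email: str) -> Optional[dict]:
        """Everything held about one person, for a subject access request."""
        client = self._clients.get(email.lower())
        if client is None:
            return None
        data = asdict(client)
        data["audit_trail"] = [line for line in self.audit if email.lower() in line.lower()]
        return data

    def erase(self, email: str, when: datetime) -> bool:
        """Right to erasure. Only a dated note that the request was honoured is kept."""
        if self._clients.pop(email.lower(), None) is None:
            return False
        self.audit.append(f"{when.isoformat()} erased {email}")
        return True

    def expired(self, today: date) -> List[str]:
        """Clients whose wedding is older than the retention period: review and delete."""
        return sorted(c.email for c in self._clients.values()
                      if c.wedding_date + self.retention < today)


def demo() -> dict:
    """Walk one constructed client through the register's lifecycle."""
    register = ClientRegister(retention_days=730)                      # assumed two-year policy
    register.add(Client("anna@example.com", "Anna Example", date(2018, 6, 2)))
    signed = datetime(2018, 5, 25, 10, 0)
    register.record_consent("anna@example.com", "website", True, signed)
    register.record_consent("anna@example.com", "social_media", False, signed)
    before = {p: register.may_use_for("anna@example.com", p) for p in PURPOSES}
    register.withdraw_consent("anna@example.com", "website", datetime(2019, 1, 10, 9, 0))
    return {
        "before": before,
        "after_withdrawal": register.may_use_for("anna@example.com", "website"),
        "sar": register.subject_access("anna@example.com"),
        "due_for_deletion": register.expired(date(2021, 1, 1)),
        "erased": register.erase("anna@example.com", datetime(2021, 1, 2, 9, 0)),
        "after_erasure": register.subject_access("anna@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here: every check is default deny (no record means no use, and print use was never asked, so it stays off), and the consent record keeps the timestamp of the answer, which is the evidence you need if a client or the ICO ever asks when consent was given.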
There are some aspects of photography that fall into a grey area, such as consent from third parties who appear in your photographs, because technically you can’t rely on the couple to give consent on their behalf. The ICO says that it is okay and you don’t need consent; some lawyers argue you do need it, others say you don’t. Alongside GDPR there are also changes to PECR (the Privacy and Electronic Communications Regulations), which have an impact on some of your marketing activities, but that needs another post.
For us as small businesses, the risk doesn’t come from the massive fines. It potentially comes from people trying their luck and complaining to the ICO that their privacy has been breached in some way. If you can show that you are doing your best to be compliant and are working towards addressing any gaps, it’s unlikely that a small business will face large fines.
So, don’t panic. Read around the subject and start to understand it; the ICO’s website is very good and provides great examples. GDPR is a good thing moving forwards, and it highlights a lot of issues that businesses haven’t addressed under the current Data Protection Act. Every business needs to look at the GDPR, be pragmatic in its approach, and decide the level of risk it wants to run. A wedding photographer is not handling the same volume of personal data as, say, a large charity, but that doesn’t mean you should ignore it. Start putting a plan in place to address what you need to do and work through it. GDPR is here to stay, so building compliance into your business is the way to go.