UNDERSTANDING WHAT THE GENERAL DATA PROTECTION REGULATIONS (GDPR) AND THE DATA PROTECTION ACT 2018 (DPA) ARE ABOUT

In today’s world personal information (from our buying habits through to browsing trends) has become a very valuable commodity.

The GDPR applies in Europe and the UK GDPR applies in the UK where it is tailored by the Data Protection Act 2018. They exist to ensure that the laws overseeing our personal data are current and fit for purpose – the intention being to enhance individual rights and freedoms, reinforcing the understanding of privacy as a fundamental human right.

In basic terms, the UK GDPR and DPA regulate, among other things, how individuals, businesses and organisations within the UK may obtain, use, store, and eliminate personal data.

Let’s be honest, this isn’t a bad thing. It’s good to know that your personal information is being looked after and your privacy respected!


The GDPR and DPA are all about protecting “personal data” - what is that?

“Personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual”

Just for a moment, consider the extremely broad reach of that definition. Personal data is not only data that is commonly considered to be personal in nature (e.g., national insurance numbers, names, physical addresses, email addresses etc), but also data such as IP addresses, behavioural data, location data, biometric data, financial information, and much more!


Does the EU GDPR, UK GDPR and DPA affect me and my business?

The UK GDPR and DPA apply to all UK based businesses, regardless of size.

Basically, if you collect, manage, use or store any personal data (such as the above) from anyone who lives in the UK, you are processing personal data within the meaning prescribed by the GDPR and DPA, so you need to comply with the Regulations and Act or risk prosecution.

You will need to comply with both the UK GDPR and the EU GDPR if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe.

It’s also important to know that the GDPR and DPA apply to all the personal data you hold even if it was obtained in the past. In brief, if you hold personal data they apply!

How can I use “personal data”?

Under the UK GDPR and the DPA, any data you hold as a business has to be ‘adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed’.


Are images “personal data”?

The GDPR and the DPA specify that photos can be personal data. To be so, they have, of course, to meet the definition of personal data mentioned above. Photos ARE therefore personal data IF they are of a person or persons and can be used to identify them (whether directly or indirectly).

We spoke to the Information Commissioner’s Office to try to get absolute clarity about what and when images of people are personal data. They explained that there are no set or defined circumstances of when they are, as “the same piece of data may be personal data in one party’s hands yet not personal data in another party’s hands”.

With all the above in mind, an image of a customer will be personal data for the photographer who took it, as they can directly identify the person from it, whereas it won’t be for anyone who doesn’t know the subject by name, eg a printing lab that just deals with order numbers.

Even if an image is classified as ‘personal data’, the GDPR and DPA do not stop you using it as long as you obtain or have obtained active consent to do so (ie permission is given to use the image in the way you are using it).

Obviously, active consent can typically be implied by a subject if they stand in front of a camera and allow an image to be taken, but a wise step for photographers is to seek written consent to use a person’s image for specified purposes … If you think about it, that has been the case for years. Most professional photographers have permission or consent built into contracts or model release forms in order to meet the requirements of the Data Protection Act.

In short, it appears that little changed with regards to the use of images since the introduction of the GDPR and photographers have little to worry about. It’s business as normal as long as you ensure that when you use or process images you consider the privacy rights of the subject.

It is good practice to add specific consent based tick boxes for clients as part of your booking process (eg “I give permission for my images to be used in the following ways – on your Website, in Sample Albums, in Competitions, on Social Media etc.”).

Retention of Images

Your photographs are your assets. You have a legitimate interest to retain your own work and Copyright legislation supports that fact, so you can keep them forever.


The use of Cookies

Cookies are small pieces of data that websites send to a user's computer and are stored on the user's web browser to enable the website to remember information about that visit and more.

If you want to find out what cookies your site is using you could use a cookie checker such as the chrome extension ‘Check My Cookies’.

If your website uses Cookies and you haven’t got a ‘we use Cookies’ type pop-up on your website linked to your Privacy Policy, consider having one added.

Don’t be too concerned about Google Analytics, as Google states that whilst it collects IP addresses from your website visitors, Google truncates this data before it enters your analytics reports, making it non-identifiable. To play it safe, you could simply add Google to your Privacy Policy (we cover Privacy Policies later on).

THE RIGHTS OF THE INDIVIDUAL

These are -

• The right to be forgotten: A person may request that a business or organisation deletes all data about them without undue delay.

• The right to object: A person may prohibit certain data usage.

• The right to rectification: A person may request that incomplete data be completed, or incorrect data be corrected.

• The right of access: A person has the right to know what data about them is being processed and how.

• The right of portability: A person may request that personal data held by one business or organisation is transported to another (eg when changing banks – so this is not relevant to images).


CONSENT REQUIREMENTS

Consent is one of the fundamental aspects of the GDPR and it is based around the principle of ‘Privacy by Default’ (ie a person needs to actively opt into something, not opt out).

You need to obtain active consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis.

The surest route to compliance is to obtain explicit consent, bearing in mind that:

• Consent must be specific to distinct purposes.

• Things like pre-ticked boxes or inactivity do not constitute consent. People must actively opt in to the storage, use and management of their personal data.

• Separate consent must be obtained for different processing activities, which means you must be clear about how the data you obtain from someone will be used when you obtain their consent.

Please note that in all cases any consent given should be separate to any other Terms and Conditions.

Please also note that the age from which an individual can give consent is 13 years. You will therefore need parental (or legal guardian) consent to photograph anyone under the age of 13 and once that individual becomes 13 they have the right to withdraw consent. With that in mind, it is a wise move to include the date of birth of any subjects aged under 13 on your consent forms.


PROCESSING REQUIREMENTS

Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:

• Contact details for the Data Controller if there is one: (A controller is the responsible person in a business that determines the purposes and means of processing personal data).

• The purpose of the data: This should be as specific as possible and justify why you are collecting it.

• The retention period: This too needs to be justified and should be as short as possible.

• The legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so. In other words, one of the following –

    • A legitimate interest

    • A Contract (so a contract or agreement)

    • Consent

Bearing in mind the above wording, if you utilise model release or consent forms consider tweaking the wording to a model release or consent AGREEMENT.


IMPORTANT TO NOTE: Non-compliance can lead to prosecution and requests for personal information can be made free-of-charge. When someone asks a business for details of the data they hold, they must provide the information within one month.

There are many other principles and requirements. The above are just the key points. It is worth spending some time to familiarise yourself with all the requirements.


IN SUMMARY

The GDPR and the DPA are about the need to respect personal rights to privacy! For those in business, there is a fundamental obligation to look after people’s personal data.

Personal data is pretty much anything that can identify someone on its own or when linked to another piece of information (a name, address, postcode, photo, IP address etc).

You have to ask people for active consent before you can collect and store their personal data. In other words a positive opt-in is needed. You can’t use pre-ticked boxes or any other ‘consent by default’ setting.

Consent options must be specific and transparent eg if it’s for a Newsletter it’s for a Newsletter and nothing else. For this reason, the requirement for consent should be separate to any other terms and conditions.

Those aged 13 plus will be responsible for their own consent.

It must be easy and obvious for people to withdraw any given consent and they need to know how they can do this.

People have clear rights to access the information that’s held about them by you, and you have to tell people how they can access all the personal data you hold about them.

EVERYONE IN BUSINESS WITH A WEBSITE NEEDS A PRIVACY POLICY PAGE CLEARLY SUMMARIZING HOW THEY WILL DO ALL THE ABOVE

CREATING A BESPOKE PRIVACY POLICY FOR YOUR WEBSITE

WE RECOMMEND YOU START WITH A SIMPLE DATA MAPPING EXERCISE TO HELP CREATE ONE

“Personal Data” is central to GDPR and DPA Compliance and every business collects different data so it’s very important that the first thing you do is undertake your own ‘Data Mapping’. This simply means listing what personal data you collect, where you get it from and why.

Once you’ve done this you then add who you share that data with (if anyone) and how long you will keep it for. An Excel sheet would be good for this. You will find it simple to do if you follow these steps in order:

STEP 1 List all the personal data you obtain in the course of your business in column 1 (examples being first name, last name, home address, postcode, email address, mobile number etc.).

STEP 2 Add column 2 (‘How and where you get that data’) and column 3 (‘Why you need it’).

A lot of the reasons will be obvious and no doubt the same, so at this point you should have something like this:

Data              How/Where obtained                     Why needed
First Name        They give the details when booking     To provide the service they booked
Last Name         They give the details when booking     To provide the service they booked
Email             They give the details when booking     To provide the service they booked
Postal Address    They give the details when booking     To provide the service they booked
Postcode          They give the details when booking     To provide the service they booked
Phone Number      They give the details when booking     To provide the service they booked


STEP 3 You then need to add just 5 more columns and complete them to finish your mapping. They should be pretty quick to complete:

Column 4. Who will you share this data with if anyone eg - a printing lab

Column 5. Are those you share it with based in or outside the EU eg - Inside EU (Typically Paypal is inside the EU, whereas Google and Mailchimp are outside, and Cloud Back Up Servers vary by company)

NOTE: The ICO has advised that you do not have to name anyone who you share the data with should you wish to keep your suppliers’ details secret. It is acceptable just to put the service provided (eg Printing Lab / Album Supplier).

Column 6. If you share any data justify why you do eg - to provide the service ordered (order/deliver products)

Column 7. How long will you retain that data for eg - 7 years

Column 8. Justify why you will keep it for the time specified in column 7 eg - to market further similar booking opportunities and for Tax purposes.

NOTES: 7 years from the end of a tax year is the time recommended by the Chartered Institute of Taxation to keep financially linked records as required under the rules of self-assessment – You therefore have a legitimate interest to keep details for that period.

Should you choose, you could justify keeping CERTAIN data indefinitely in order to look after a customer’s legitimate interests too, eg “We will retain your data for a period of 7 years. After this time we will archive your photographs indefinitely along with your relevant details and consent forms. This is due to requests for replacement images being made several years after being taken.” (If doing the latter it makes sense to add a ‘tick’ box onto your booking forms to get active consent.)
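The eight-column data mapping from STEP 1 to STEP 3 lends itself to a simple register you can check mechanically. The following is an added example, not part of the original guide: it models each row with the guide's columns and flags the gaps that would leave a hole in a privacy policy built from the register (a shared item with no recipient location or justification, a retention period with no reason, indefinite retention without the recorded consent the note above recommends). The sample rows and supplier names are constructed for a fictional photography business.

```python
"""Data-mapping register check: added example, not from the original guide."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class MappingRow:
    data: str                               # column 1: personal data item
    obtained: str                           # column 2: how / where obtained
    why_needed: str                         # column 3: why you need it
    shared_with: Optional[str] = None       # column 4: service provided (name optional)
    location: Optional[str] = None          # column 5: "UK", "EU" or "outside EU"
    share_reason: Optional[str] = None      # column 6: why it is shared
    retention_years: Optional[int] = None   # column 7: None means indefinitely
    retention_reason: str = ""              # column 8: why kept that long


def audit_row(row: MappingRow) -> list:
    """Return the gaps in one row; an empty list means the row is complete."""
    gaps = []
    if not row.why_needed:
        gaps.append("no purpose given (column 3)")
    if row.shared_with:
        # Anything shared needs a recipient location and a reason for sharing.
        if row.location not in ("UK", "EU", "outside EU"):
            gaps.append("shared but recipient location unknown (column 5)")
        if not row.share_reason:
            gaps.append("shared but no justification (column 6)")
    elif row.location or row.share_reason:
        gaps.append("columns 5/6 filled but nothing is shared (column 4)")
    if not row.retention_reason:
        gaps.append("retention period not justified (column 8)")
    if row.retention_years is None and "consent" not in row.retention_reason.lower():
        # Indefinite archiving is only defensible with the tick-box consent recorded.
        gaps.append("kept indefinitely without recorded consent (column 7)")
    return gaps


def audit(register: list) -> dict:
    """Map each data item to its gaps, listing only the rows that have any."""
    report = {}
    for row in register:
        gaps = audit_row(row)
        if gaps:
            report[row.data] = gaps
    return report


# Constructed sample register (fictional business and suppliers).
REGISTER = [
    MappingRow("Email", "Given when booking", "To provide the service booked",
               "Newsletter provider", "outside EU", "To send the newsletter they opted into",
               7, "Marketing further bookings and tax records"),
    MappingRow("Postal address", "Given when booking", "To provide the service booked",
               "Printing lab", None, None, 7, "Tax records"),
    MappingRow("Photographs", "Taken at the shoot", "Contracted deliverable",
               None, None, None, None, ""),
    MappingRow("Phone number", "Given when booking", "To confirm appointments",
               None, None, None, 7, "Tax records"),
]

if __name__ == "__main__":
    for item, gaps in audit(REGISTER).items():
        print(item, "->", "; ".join(gaps))
```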


YOU’LL BE GLAD TO KNOW THAT’S THE MAIN PART DONE - WE NOW HAVE TWO OPTIONS FOR YOU TO CONSIDER!


CHOICE ONE – A SEMI AUTOMATED PROCESS - CONSIDER PUTTING GDPR IN PLACE WITH PORT.IM

Port.im offers a service which will ensure that you are not only GDPR and DPA compliant today but will remain so thereafter.

Port.im offer a fast and easy way to do this. You can sign up in seconds and can link all your data processing to it, such as Google, MailChimp, your website, your address lists and business accounts etc. They give you all the prompts you need to complete required tasks, including legal justification. This process creates a live Privacy Policy for you as you follow the step by step process.

By automatically linking to your website and key service providers such as Mailchimp, Port.im picks up exactly what data you collect via these platforms - things you may not have considered like cookies, longitude/latitude location data, gmtoff and dstoff (as used by Mailchimp).

ACTION: The only thing Port.im does not automatically complete is what is done with images, so if you do use this platform we suggest you tweak the Privacy policy it automatically creates for you, by adding something similar to the following –

Under Section One - Obviously being a photographic business we also create and manage images on your behalf as per our contractual agreement.

Under Section Two – Add anyone linked to for photographic purposes (eg the Labs you use or Back-Up providers).

Under Section Four – Consider adding the type of Back up Service provision you use eg Amazon uses AWS Cloud & KMS encryption keys


CHOICE TWO – A MANUAL PROCESS

COMPLETE YOUR OWN POLICY WITH THE TEMPLATE BELOW

(The black is the text to use. Simply edit the parts in red and consider the actions written in blue)

OPTIONAL: In very basic terms I/we totally respect your personal information and will only ask you for what information we really need from you. I/we will look after it in the same way I/we would want ours looked after, keeping it secure! I/we will only share it with others where we need their help to deliver our service to you (such as our professional printing laboratory who may need your name and address to post your purchases). Be assured that we will never share your information in any other circumstances – nor will I/we sell it on elsewhere! Here are more details -

Introduction

BUSINESS NAME takes your privacy very seriously. This privacy policy has been prepared in line with the UK and EU’s General Data Protection Regulation (GDPR) as well as the UK Data Protection Act, all of which promote fairness and transparency for all individuals in respect of their personal data.

This privacy policy applies to all data we process, and by using BUSINESS NAME you consent to our collection and use of such data.

OPTIONAL: I am / We are registered with the Information Commissioner’s Office and if you would like to get in touch about anything in this policy or about your personal data then please contact NAMED PERSON, our Data Protection Officer, at EMAIL or ADDRESS.

1. The Data we collect

As a data controller we collect a variety of data in order to deliver our services, and we will manage your personal data transparently, fairly and securely.

We may ask you to provide us the following data – ACTION: Add the list from Column 1 of your Data Mapping (egs First and Last Name / Address / Postcode, Telephone Number(s) / Email / IP Address etc..)

We will also record a date of birth for all persons we photograph under the age of 13 and require the parent or a legal guardian to consent to photography.

Obviously being a photographic business we also create and manage images as per our contractual agreement(s).

2. How we use this Data

We use the above data to - ACTION: Add the list from Column 1 of your Data Mapping (egs To deliver our service to you / For marketing purposes / Personalise your experience / To provide account access etc..)

3. Why do we collect this Data?

We collect this data on the following lawful basis ACTION: Add the list from Column 3 of your Data Mapping (eg Consent / To arrange or fulfil a Contract / To meet a legal obligation other than a Contract)

When you visit our website we also collect Cookies. These are small pieces of data that websites send to a user's computer and are stored on the user's web browser. They are designed to enable the website to remember information. This helps us ACTION: List needed (egs Personalise your experience, Deliver our service to you and for Marketing Purposes)

4. Which third parties do we share Personal Data with?

We share personal data with the following third parties: ACTION: List Needed. See Columns 1 and 4 of your Data Mapping. (egs Google or other analytics provider, Gmail or other email provider, Mailchimp or other Newsletter provider service, Your Accountant, Paypal or other customer payment provider, Website manager or Hosting company, Printing Labs, Back Up Providers).

Ideally after each business or company name say where the data is transferred to. See Column 5 of your Data Mapping. Here are the three main options for this –

- Data is not transferred outside of the UK
- Data is not transferred outside of the European Economic Area.
- Data is transferred outside of the European Economic Area to United States under the protection of EU/US Privacy Shield.

(egs ABC Lab - Data is not transferred outside of the European Economic Area, MailChimp - Data is transferred outside of the European Economic Area to United States under the protection of EU/US Privacy Shield, XYZ Accountancy - Data is not transferred outside of the UK)

There are also certain situations in which we may share access to your personal data without your explicit consent; for example, if required by law, to protect the life of an individual, or to comply with any valid legal process, government request, rule or regulation.

5. Why do we share your Personal Data with the above?

We share your data in order to ACTION: List Needed. See Columns 2 and 6 of your Data Mapping (egs To deliver our service to you / For marketing purposes / Personalise your experience / To provide account access etc..)

ACTION TO CONSIDER - If you do transfer data outside of the UK or European Economic Area to the United States you could add the following paragraph -

We may transfer personal data to a country outside of the European Economic Area (EEA) if necessary eg if a third party we utilise could have servers located outside of the EEA. If this is the case, we will either obtain your consent or otherwise ensure that the transfer is legal and your data is secure by following the UK and EU's guidelines. You can see above where we send data outside of the UK and EEA and on what basis we do so.

6. How do we keep your personal data secure?

We keep your data secure by ACTION: List Needed (egs following internal policies of best practice and training for staff, Encryption, By using Secure Socket Layer (SSL) technology when information is submitted to us online – the latter presuming you have an https website). Also consider adding your image Back-Up service provider(s).

In the unlikely event of a criminal breach of our security we will inform the relevant regulatory body within 72 hours and, if your personal data were involved in the breach, we will also inform you.

7. Changes to our privacy policy and control

We may change this privacy policy from time to time. When we do, we will let you know by changing the date on this policy, notifying customers of only significant changes. By continuing to access or use our services after those changes become effective, you agree to be bound by the revised privacy policy.

8. You have the following rights -

- the right to be informed about the collection and use of your personal data
- the right of access to your personal data and any supplementary information
- the right to have any errors in your personal data rectified
- the right to have your personal data erased
- the right to block or suppress the processing of your personal data
- the right to move, copy or transfer your personal data from one IT environment to another
- the right to object to processing of your personal data in certain circumstances, and
- rights related to automated decision-making (i.e. where no humans are involved) and profiling (i.e. where certain personal data is processed to evaluate an individual).

We also give you the option to manage your data via: ACTION: List Needed (eg: Email, Telephone, Writing to us)

We do not hold personal data any longer than we need to. The duration will depend on your relationship with us, and whether it is ongoing. We may keep some of your personal data for ACTION: Timescale and list needed. See Columns 7 and 8 of your Data Mapping (eg up to 7 years after our working contract with you has finished for Tax legislation purposes). You could extend this if you intend to archive images indefinitely by adding: “After this time we will archive your photographs indefinitely along with your relevant details and consent forms. This is due to requests for replacement images being made several years after being taken.”