Fed up of GDPR yet? Unless you’ve been hiding under a rock (and with the amount of scaremongering going on I wouldn’t blame you) then you’ll know that the GDPR is a European Union privacy law and the deadline for businesses around the world to be fully compliant is 25th May, 2018.
But what do you have to do to be compliant? In this blog post I’m going to explain what GDPR means for photographers like you in as simple a way as possible and without making you want to head to a park bench with a bottle of gin and a funnel. Just me…?
But before I do that, a disclaimer: I’m not a GDPR expert. If you want an expert please peruse the riveting ICO website. What I do know though is that the ICO is made up of human beings and despite what you might be hearing, they’re not out to get you. They don’t want to hit you with a big fine and shut down your photography business.
So you’re not going to read any scary stuff here. If you like the scary stuff and you want to indulge in a bit of juicy ‘‘What if Mary’s cousin’s best friend’s boyfriend is in the background of my photo and I don’t manage to get explicit, written consent from him to take his photo – will I go to jail?’’ then you’re in the wrong place. I suggest you stop reading now.
But if you’re living in the real world and you want to take a commonsense approach to this whole GDPR sh*t storm then let’s dive in, shall we? I might even suggest you take the odd, small GDPR risk or two – let’s live life on the edge!
I know you might be pretty clued up about some stuff by now so let’s do it like this. I’ll pop some questions below and you can choose what you want to get stuck into.
Do I need to register with the ICO?
It’s highly unlikely that you’ll need to register if you’re a typical, small photography business. But if you’re in any doubt just do the self-assessment on the ICO website right here.
Check out this piece of brilliance from Marianne Chua for inspiration (Is it compliant? I have no idea. Will anyone care? Doubtful.)
How likely is it that I could be fined for non-compliance?
Flying pigs come to mind…
Last year only 38 monetary penalties were issued by the ICO. And check out the companies who got fined. This isn’t going to change under GDPR. These fines are not for you and me. They’re for the big companies who flout the rules and carelessly mishandle personal data with their relentless spamming.
If Jimmy, a headshot client from your email list, is having a grumpy day and reports you to the ICO for emailing him when he didn’t give you his clear, specific consent to do so – the ICO will simply reach out to let you know that this has happened and issue you with the appropriate guidance that you need to become compliant.
That being said, if Jimmy, Nora, Frankie, Sally and 3000 others reach out to the ICO to complain about you then you have a problem (and an astoundingly large email list!).
Do I need to have a person’s consent to lawfully process any personal data on them at all?
Under GDPR you must identify your reason for collecting and handling personal data so that you can then decide which lawful basis you are using to do so.
Consent is just one lawful basis. You can read about them all here.
Another that us photographers will most definitely use a lot is legitimate interests. The ICO say:
‘’Legitimate Interests is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.’’
If you feel confident that you can rely on legitimate interests to process personal data then you do not need consent.
Can I just use ‘legitimate interests’ as a basis for collecting and handling all the personal data I deal with?
No. Be careful.
If in doubt – run things through this Legitimate Interests Assessment to make sure.
Do I need to get specific consent from my clients and potential clients to contact them about their shoot or enquiry?
NO! That would be weird.
Imagine you went into a restaurant for a meal and the waitress refused to approach you until you gave her permission.
This is an example of processing personal data on the lawful basis of legitimate interests because your client/potential client will reasonably expect this and it will have a minimal privacy impact. Of course you need to communicate with them about their shoot or their enquiry. They will expect it!
As for processing their personal data for marketing purposes, please see the ‘marketing emails’ section below.
What about my website contact form? Do I need to add anything to it?
How should I be storing the personal data I have?
Let’s all take a moment and consider what an absolute hellish nightmare this must be for software companies who have a part to play in the storing and processing of personal data. I bet it’s been a barrel of laughs getting ready for GDPR.
BUT they’ve been working super hard behind the scenes to become GDPR compliant so… make use of them!
Firstly, make sure you have a great photography business management system in place. I have it on good authority that Studio Ninja will be fully GDPR compliant in time. (Yes, that’s an affiliate link. These guys are absolutely amazing. You’ll struggle to find a more responsive and customer-focused team.)
And be sure to have a good email marketing system that’s fully GDPR compliant too. Mailchimp, ConvertKit and ActiveCampaign all are (or will be).
As long as you take the time to set these systems up and use them properly you’ll always know how someone came into your world because these systems are going to have a record of it. You’ll know if they’re a past family shoot client, a wedding fair lead or someone who downloaded your eBook.
You’ll also have a record of whether they gave you consent to send them marketing emails or to use their images in your marketing (more on that below).
Stop collecting information manually using your own systems. It’s just not worth it.
Having these paid systems in place will also take care of other aspects of GDPR such as a person’s right to access, rectify, erase or move their data. If you store data using GDPR compliant software and not using your own systems then you should be able to breathe a little easier.
Not only that, your desk will be tidier and your workflow will be more automated. Everything can be electronic now, including signing a contract. Storing bits of paper is a bit of a PITA under the GDPR. So go digital!
How long can I store clients’ data for?
I have searched and searched for a definitive answer to this and it has eluded me so far! The most likely answer I’ve found to this question is 7 years. The reason being that you should keep the data relevant to a contract with a client for 7 years after the contract has ended. If you happen to know for sure – please tell me.
Marketing emails and newsletters – do I need to email everyone on my list asking them if they still want to hear from me?
Please don’t. You might be tempted to do it because I bet your inbox is literally bursting with emails from other businesses asking you to opt in so you can continue to hear from them. How many have you chosen to continue hearing from? Thought so.
Here’s the deal. You need to sit down and check through all the email addresses you have and divide them into groups. If you’ve been using an email system such as mailchimp or ConvertKit this should be relatively straightforward. If you’ve been using Gmail – I wish you luck…
GROUP 1 – You already have active, clear consent to send them newsletters & marketing and you can prove it. E.g. they filled in your email sign-up form on your website.
Could they have been any more clear that they want to hear from you? Leave them alone and don’t go annoying them with another stupid GDPR consent email!
GROUP 2 – You have no idea where you got these email addresses or how.
You really shouldn’t be storing or using these email addresses at all. Especially to send a GDPR opt-in email. It’s just not cool. Best thing you can do with these is completely delete them.
GROUP 3 – You know how you got the email address BUT the person didn’t actually give you the necessary GDPR consent to send them marketing emails. E.g. they entered a giveaway you ran last year but you didn’t make it crystal clear that in doing so they were opting in to your email marketing.
Yes, you should send them an email to ask them if they’d like to continue hearing from you.
I know it’s a bit crap having to send out that re-permissioning email and you’ll be worried about losing lots of your subscribers but, remember, 10 subscribers who want to hear from you is a zillion times better than 1000 subscribers who couldn’t care less.
GROUP 4 – Your past clients who didn’t actively give you consent to market to them.
This is where legitimate interests might apply again (I say ‘might’ because it’s such a grey area!). If someone has hired you in the near past it is reasonably safe to assume that they would reasonably expect to hear from you about your services and products.
This is a quote directly from the ICO on this, ‘’Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.’’ Read the rest of this article here.
As long as you’re sending good emails and not spamming them every day with crap then don’t bother these guys with that daft permission email either. Or if you want to play it safe – why not send them an ‘opt out’ email instead?
For you risk-takers out there I’m going to stick my neck out here and say that there are some people I would make exceptions for. Let’s say you have some email subscribers who haven’t given you that active, specific consent that you need BUT they open almost every email you send to them. I reckon it’s fair to say that they kinda like you and want to hear from you. Maybe you could send them a cheeky ‘opt out’ email instead of an ‘opt in’ one?Go on – be a daredevil! These are not people who are going to complain about you, right?
But remember – I’m no GDPR lawyer and I can’t help you if the ICO fine you £500,000 for being so disgustingly brazen…;-)
Are photographs of people considered personal data?
However, your photographs are also your intellectual property and they are essential to you in the running of your business. For that reason, there are lots of scenarios in which you should be able to cite ‘legitimate interests’ as a basis for storing and using photographs of people.
Do I need my client’s clear, specific consent to use photographs of them in my marketing?
Yes. It’s likely you’re already doing this anyway with a model release but you may need to get more ‘granular’ about it.
Put together a simple consent form for your clients to complete that is separate from their contract. Ask them to sign it and place a tick against the ways in which they’re happy for you to use their images (web pages, blog posts, social media, studio samples, competitions, share with suppliers, submit to magazines/blogs etc…).
I don’t have recorded consent for everyone I’ve ever taken photographs of. Should I be reaching out to get this retrospectively?
Oh that sounds like so much fun.
I’m sure you have better things to do – like earning a living!
Under the strictest letter of the law – maybe. But what do you think will happen if you don’t? Probably nothing!
If someone complains that you’re using an image of them on your website without their consent, just remove it. If they report you to the ICO, the worst that will happen is that someone will get in touch and ask you if you need any help becoming compliant with respect to the photographs you take.
The best thing you can do is protect yourself going forwards with consent to use images.
And don’t forget, there is scope to say that it’s impossible for you to run your business without being able to use the photographs you take of clients in your marketing. That old ‘legitimate interests’ chestnut again…
What about the ‘right to be forgotten’? Can a past client revoke consent and demand that I delete stored photographs of them?
They can try but deleting your intellectual property and your art is very different from deleting someone’s name and email address from your files, isn’t it? it’s likely that you could cite legitimate interests as a basis to refuse that demand.
And honestly, how likely is this to happen?
What about taking photographs in public places – do I need clear consent from anyone who might appear in my photographs?
No. This is still ok within reason.
Using your common sense is essential here. If you’re going to capture and share controversial images or images that might cause offence to the people in them, you are leaving yourself open to hassle. Just be sensible.
I take photographs at large sporting events etc – do I need consent from everyone who might appear in my photographs?
I watched a great live video from lawyer, Suzanne Dibble on this. You should most definitely join her fantastic GDPR Facebook group by the way.
When people attend an event like this do they reasonably expect a photographer to be present?
Will the photographs have minimal privacy impact on the individuals at the event?
If the answer to these questions is, yes, then you should be able to use legitimate interests as a basis to go ahead without consent.
If you want to be uber cautious then simply put up some posters asking people to make themselves known to you if they do not want to be photographed. Personally, I’d assess the risk and plough ahead without that hassle.
If you’re taking photographs of people looking happy and enjoying the event then 99.99999% of people will have zero issue with these photographs being taken and shared. And if someone does get in touch with a concern and asks for a photograph to be removed. Just remove it.
However, if you’re taking photographs of passionate encounters or little old ladies with their skirts tucked into their knickers and sharing them online then you’re leaving yourself open to a complaint (and shame on you!).
What about private events like weddings? Do I have to get consent from everyone who attends to be able to photograph them and use those photographs?
Let’s get real. Exactly how on earth can you be expected to do that before, during or after a wedding?!
When people attend a wedding, do they reasonably expect a photographer to be present?
Will the photographs have minimal privacy impact on the guests at the wedding?
If the answer is yes – then you can use legitimate interests as a basis to capture, store and use those images.
Just make sure you have the consent we mentioned above from your client. It’s a good idea to ask your bride and groom to make it clear to guests that there will be a photographer capturing their day and if any of their guests do not wish to be photographed or do not wish to appear in any of the photographs online then they should make themselves known to you.
Remember, you have a contract with your bride and groom to fulfil. That should be your number one priority.
It’s worth mentioning again that using common sense is the way forward. Sharing images of drunk guests in compromising situations online is an open invitation to complaints. Sharing great photographs of the bride and groom and their guests looking like they’re having a blast is not going to land you in any trouble. And if someone reaches out and asks you to remove a certain photograph from your blog post for whatever reason, just do it.
I have an email list opt in form on my website. Do I need to add anything to it?
You should be completely transparent about the kind of emails they’ll receive from you. This is a great opportunity to consider the emails you actually do send. No one is going to sign up to an email list that involves receiving your promotional spam. Are you sending helpful or entertaining emails to your list? Well make that clear alongside your opt in form.
If you send very different types of emails then consider adding check boxes so that the subscriber can decide which emails they want to receive. You can do this on the form itself or you can use a double opt in process and ask them to select the emails they want to receive in their confirmation email.
My website visitors can opt in to receive downloadable content from me. Do I need their consent to send them marketing emails?
Yes! By downloading your eBook, checklist or price list they are NOT automatically saying you can contact them with your marketing messages.
If you want to be super safe, you need to add a checkbox (or checkboxes) to your opt in forms asking people if they would also like to receive your newsletter or special offers or blog posts etc. These checkboxes can’t be pre-filled. They have to be blank.
Something like this…
Alternatively, you can do what I’ve done. My opt in forms don’t have a checkbox facility available yet (they promise it’s coming). So, as a workaround in the meantime, I’m directing people to their download immediately upon signing up and then I send one email (it’s linked to their download so they can reasonably expect to receive it) asking if they would also like to join my email list. They don’t get added unless they actively opt in via that email. So if you are also waiting on this checklist option for your opt in forms maybe you could try that too?
UPDATE: Shane from Thrive Themes published this very interesting blog post on how to make your opt in forms GDPR compliant without adding checkboxes. I think it’s a great read and it has certainly sparked some debate. Whether the advice contained in the post is 100% compliant or not is not clear but the risk-taker in me is willing to give it a shot until I know one way or the other. What about you?
What if someone reports me to the ICO?
Let’s face it, it might happen. People can be incurably grumpy.
However, they also might have a legitimate reason to complain about the way you’ve handled their personal data.
If the worst happens and you do get reported, what is actually the worst that can happen? Again, let me point you towards the mere 38 companies who faced monetary penalties in 2017. Look at who these guys are and what they did.
Unless you’re thinking of embarking on an unsolicited marketing attack via text, email and phone to thousands of unconsenting individuals then I reckon you can sleep soundly in your bed. The ICO have already stated that they will be trying to help small businesses as much as possible and that 25th May is only the beginning of this GDPR journey.
The likelihood is that they’ll reach out to you with help, not hellfire.
Has this helped? Is there anything you’d like added? I’ll keep this as up to date as possible. 🙂