The GDPR is a European Union privacy law and the deadline for businesses around the world to be fully compliant is 25th May, 2018. But what do you have to do to be compliant? In this video and blog post I’m going to explain what GDPR means for photographers like you in as simple a way as possible.
Watch or read – whichever is your preference!
The GDPR stands for General Data Protection Regulation and although it’s a European Union law it doesn’t just affect businesses in the EU. It affects any business holding personal data from EU citizens. The UK government has also made it clear that even when the UK leaves the EU, our own law will mirror the GDPR. So it can’t be ignored.
The GDPR is mainly aimed at bringing much larger businesses and corporations into line. However, don’t make the mistake of thinking it doesn’t apply to you just because you’re a small to medium photography business. It does. If you hold and use personal information such as names, addresses and email addresses of EU citizens, then you are subject to certain requirements. But not all of them.
I’m only going to talk about the parts of the GDPR that will affect you and your business and nothing more. I promise to use human language 😉.
The GDPR has two main objectives:
1) to give citizens and residents control of their personal data
2) to put a single set of rules in place instead of the mess of different laws that exist right now
The GDPR is about privacy by default. Instead of privacy only if you opt out, you will have privacy unless you decide to opt in. You will also have more rights on how businesses use your personal data.
As a citizen it’s good news. As a business owner you might have a little work to do.
The good news is that the GDPR recognises that smaller businesses require different treatment to large or public enterprises. The GDPR ensures that we respect, value and protect people’s personal data. As long as you genuinely do your best to do that you should have nothing to worry about at all.
It’s possible that you’re already doing enough to comply with GDPR or it might be that you just have to do some light tightening up. But if you’ve been pretty lax with your contacts’ data up until now then it’s time to sort that out.
A hefty fine is unlikely for a small photography business but you can guarantee that citizens are going to be getting a whole lot more serious about their right to privacy and you don’t want to be dealing with the wrong end of that.
To be clear, the GDPR applies to all the personal data you hold. Suppliers, past and present employees, networking contacts as well as clients and leads.
So let’s break down the two main parts of the GDPR that you need to concern yourself with and what you need to do. You’ll be glad to know it’s not going to be too much of a headache at all.
1. YOU MUST KNOW AND UNDERSTAND ALL OF THE DATA YOU HOLD. WHERE DID THE DATA COME FROM, WHERE IS IT STORED AND HOW ARE YOU USING IT?
So let’s start with question one, where does the personal data you hold on people come from? Is it wedding fairs, email opt in forms, contests, past clients, email enquiries? Under GDPR you must know how you ended up with each piece of personal data.
If you don’t want a huge headache from this then now is the time to make sure you have both business management software like Studio Ninja, Dubsado, 17Hats, Tave AND an email marketing system like ConvertKit or MailChimp or ActiveCampaign.
As long as you take the time to set these up and use them properly, you will always know how someone came into your world because your software is going to have a record of it. You’ll know if they are a past family shoot client, a wedding fair lead or someone who downloaded your eBook. Stop collecting information manually using your own systems.
Having business management and email marketing software in place means you’re taking care of question two which is knowing exactly where your data is stored. Your data is all within these two systems… and nowhere else.
Part of the GDPR is tighter security measures for personal data.
Whichever software you use will have to be GDPR compliant by the deadline in May. So do yourself a favour and only keep personal data inside your paid software. Let them take care of those security measures so you don’t have to.
Having these systems in place will also take care of other aspects of GDPR such as a person’s right to access, rectify, erase or move their data. If you store data using GDPR compliant software and not using your own systems then you’re covered. You’ll be able to quickly download a simple file with all the information you need.
That brings us to question three which is ‘how are you using this personal data that you hold?’ What are you doing with it? This now needs to be crystal clear.
You have to remember that people have given you their details for lots of different reasons.
Someone might get in touch to enquire about your wedding prices. That’s a clear lead for you. You now have lots of personal data on them but under the GDPR you can only use that to contact them about your wedding prices and services. Nothing else. This applies to any enquiries that come in. Same goes for past and present clients – you can only use their data to communicate with them about their shoot or their wedding. That’s all.
The days of automatically adding clients and leads to your email marketing list are over. Technically those days have been over for a while in lots of countries but with the GDPR things are going to be a lot stricter and your contacts are going to be a lot less tolerant of you doing this.
For this reason I’d recommend you use your business management software to store data from clients and enquiry leads. Keep them away from your email marketing system. You don’t want to pay for subscribers you can’t market to.
If you want to market to these people you now have to get their explicit consent to do so. Which links me up rather nicely to the next point…
2. IF YOU RELY ON CONSENT TO PROCESS PEOPLE’S PERSONAL DATA, THAT CONSENT HAS TO BE CLEAR, SPECIFIC AND EXPLICIT.
But what do they mean by ‘process’? Well, this just means that you’re using the data you have on someone. You’re doing something with it. So this most definitely applies to you if you’re sending out marketing emails to people whose email address you have on file.
It’s possible you’re already doing everything right here and you might not need to make any changes. But it’s also possible that you’ll have to tighten up. So let’s look at it.
You can no longer assume that anyone wants to hear from you unless you have their explicit consent and you can prove that you have it.
It’s no longer acceptable to ask people to opt out of your email marketing. They have to actively opt in and be given all the information they need from you.
So what does this mean for you going forwards?
The first thing you can do is to make sure you use a double opt in for all of your online opt in forms. So if someone visits your website and decides they’d like to download your vintage wedding checklist make sure you put an extra step between them filling in your form and being able to download that checklist.
A double opt in means an automated email will be sent to the address they gave asking them to confirm their email address in order to receive the checklist. In that email you can explain to them in a clear, specific and explicit way what it will mean when they confirm their email address so that they can make an informed decision about clicking that ‘confirm’ button.
You can show them that you respect and value their information by telling them how often they’ll hear from you and what they can expect from your emails. You can also let them know that they can opt out of your communication whenever they want with just one click. An important part of the GDPR is that we must be able to remove our consent quickly and easily. I’m sure you’ve already got this covered but just make sure that all of your email communication has a very obvious link that someone can click to unsubscribe from you.
If you have different services and aspects to your business and you send emails about different subjects then you want to look at providing checkboxes to your potential subscribers so that they can indicate to you what they do and don’t want to hear from you about. Doing this manually would be a nightmare. Again, a good email marketing system will allow you to do this fairly easily.
As for clients and enquiry leads you’ve connected with – don’t feel that you can’t try to encourage them onto your email marketing list. You can! Add them to your business management software and set up an automated email that goes out to them when they enter your database which asks them if they’d like to be added to your email list.
Again, make it VERY clear what that means and give them some opt in options if you have a multi-faceted business. If they don’t opt in then they stay inside your business management software and you can contact them about their shoot or their enquiry but you can’t market to them.
But what about the people who are already on your email marketing list before GDPR kicks in?
You might be wondering what to do about them. To be on the safe side you should seek retrospective consent for anyone who has not given it in the past. So, for example, if up until now you’ve been adding your past clients into your weekly email marketing without their permission, technically you should be reaching out to them now and getting their explicit consent to send them these emails. There are very quick and easy ways to do this with good email marketing systems like ConvertKit or ActiveCampaign.
Just to be clear – if you know where all your data has come from and you’ve always asked for consent before adding someone to your email marketing list then you have nothing to worry about in terms of retrospectively reaching out. Just focus on tightening things up moving forward.
Under the GDPR there has to be a clear record of how and when someone gave you this explicit consent to contact them. Yet another reason to use a digital system. Remember, most business management and email marketing software companies will be working hard to become fully GDPR compliant by May. Get in touch with them and ask for guidance on how to keep yourself on the straight and narrow using their software. If you’re one of the many photographers using Mailchimp here’s a link to one of their articles on this very subject.
Honestly, if you stay in line with all of that you’ll be absolutely fine.
Don’t stress about this. However, you might still have a few questions so let’s end with four of the main questions I’ve had from photographers like yourself.
Can I still buy email leads from a third party?
Honestly, this is a bad idea under GDPR. You will not be able to contact these people without their explicit consent. And how many will give that to you if they’ve never even heard of you?
What about photographs of clients – are they classified as personal data?
There are some concerns that photographers are going to be negatively affected by GDPR because photos have been included in the list of personal data. I’ve tried to look into this but it’s actually very unclear. As far as I can make out I don’t think you have anything to worry about unless you’re using some kind of facial recognition and your photographs are linked to actual people in your catalogues. Hopefully this will be clarified before May but I’m not concerned.
Can I still upload my email list to Facebook custom audiences and target posts to them there?
I hope this has helped, guys. Let me know in the comments if you have anything further to add. I’d love to hear from you!