How to get GDPR ready

A straight forward, easy list of GDPR tasks for photographers

Hands up if the GDPR deadline is looming and you still haven't done much about it? 

*raises hand*

Today is 'get our GDPR shit together' day at SNAP Towers and I thought I'd share some information about the steps that I'm taking, both for SNAP and Babb Photo, to make sure I'm GDPR complaint.

This post includes
a short overview of GDPR rights
a list of activities I'll be taking to get my photography business compliant

I've tried to keep this as simple as possible, as there are hundreds of posts about this doing the rounds.  From my perspective, I want a simple plan that I can implement right now, to make sure I'm complaint by the 25th May 2018 deadline.  

Rights under GDPR

So what rights do our clients and potential clients have under GDPR?  For each right, you can read the specific details on ICO (Information Commissioner's Office) website.  Head here to read through the rights and requirements in full.  

Clients rights under GDPR include

The right to be informed: 

The right to access:

The right to rectification;

The right to erasure;

The right to restrict processing;

The right to object to processing;

The right to data portability;

The right to complain to a supervisory authority; and

The right to withdraw consent.

You should note that these rights don't supercede other legal requirements.  An example of this is our legal obligations to provide information to people like HMRC if requested.  In the case of financial information (invoices etc) there is a legal requirement to keep records until the statute of limitations expires.  
 

What does this mean in practice?

Here are my thoughts about the steps we need to take.  I'm not a solicitor - and this is not legal advice, so please ensure you take any steps you deem necessary to be satisfied that you're GDPR compliant.  That said I've cross referenced several checklists I found on line, one of which was written by a Data Protection lawyer.  
 

Get a privacy policy

1.  Put in place a privacy policy that covers all of the above rights, the type of data that will be collected / processed and that specifies retention periods for each type of data

I used a privacy policy template that I bought here, for £10.  You can read my amended version here.

Make sure clients and potential clients are aware of your privacy notice

I'll be sending an email to all of my clients and former clients, with a link to my new privacy policy.  I'll also be adding it to my email footer and to my website footer.

Audit the data you collect and formulate an action plan

Make a list of each type of data you process, where you store and what the basis is for you retaining it.  Once you have an idea of the type of data and how you store it, you can identify actions to ensure you're GDPR compliant

Example 1

I collect personal data including names and email addresses through my website enquiry form
I store it in my email system and website
The legal basis for processing is 'consent'

Action:  To be GDPR compliant I need to add a box to my contact form where explicit consent is given for me to store the information provided as part of the contact form and to reply to any enquiry.  I also need a mechanism in place where enquiry data is deleted after a reasonable period of time, if the enquirer doesn't go on to book.  

Example 2

I collect personal data through my Mailchimp newsletter.  I store details in my Mailchimp data base. 
The legal basis for this is consent. 

Ok, hands up: I have been that person who's automatically added anyone who accesses one of my galleries to my mailing list.  I now need to data cleanse my database to ensure anyone who's in there has double opted in.

Action: send a mail out to my whole list, asking them to re-opt in if they want to remain on my list.  This needs to be set up for double opt in (asking people to opt out, if they DON'T want to stay on the list is a big NO) so anyone who opts in gets an email asking them to confirm their opt in.

Ensure your contract is GDPR compliant

My contract already covers image use and copyright but I'll be adding a tick box for explicit consent, under each paragraph that covers the way I use images.  I'll also be amending the existing paragraph that covers the Data Protection Act to reference my GDPR privacy notice.

AMENDED:  I have been advised that this isn't needed because the legal basis for usage (copyright + the contract) covers this. 

Confirm third party sites and applications are GDPR compliant

Technically you need a processor agreement with anyone who you transfer data to. 

I use QT Albums for my albums, Pic-Time for my gallery hosting and print sales, Wufoo for forms and Light Blue to manage my workflow.  I'll be contacting each of these companies directly to obtain information about how they're ensuring compliance and I'll store each of their policies so I have a record.   

With Pic-Time for example they pass on the data I provide to Loxley Colour who fulfil orders, so there is an added step that requires compliance.  

I'll be adding a consent request to my album process, as I'll effectively be passing my client's personal data (name, address and telephone number) over to QT. 

I'll also need to check that any second shooters I work with are GDPR compliant and obtain explicit consent from my clients before passing over any personal information to them.  

Put in place a process for data subject requests

As a tinnnyyyy business in the scheme of things, I don't think this requires a specific policy and procedure.  My clients can request data under my privacy policy and my contact details and the process for contacting me is detailed there.  

Ensure you're secure

I'll be obtaining the privacy policies of services like Backblaze, Dropbox and Google Drive, as well as ensuring any information I'm storing there is properly encrypted.

I'll also be obtaining encryption software for my laptop and portable hard drives.  

A word on images 

I've done a bit of reading up on this and from what I've found this isn't something we need to worry too much about.  When photographing at a wedding people have a reasonable expectation of being photographed and we're also fulfilling contractual obligations to the clients who commissioned us. 

From what I gather, unless facial recognition software is being used, it's not possible to identify people from an image, so there's not much to worry about from a GDPR perspective.  It is worth keeping in mind your client's right to privacy under Human Rights legislation though.  
 

ICO registration

This is an amendment, as someone asked me about the requirement to be registered with the ICO.  The ICO doesn't require you to register if your business only processes personal data for core business functions including

- Staff administration (including payroll);
- Accounts or records (ie invoices and payments);
- Advertising, marketing and public relations (in connection with your own business activity).

I've linked to the ICO's self assessment below, if you want to double check this in relation to your business.  You can take the ICO's self assessment here, and double check you're exempt. 

What else?

This was a whistle stop tour through the steps I'm personally taking towards GDPR compliance.  I'd love to hear from you below if you think I've missed anything!