GDPR & Photography

And now for something a little dry, but relevant for Photographers who wish to freelance.  This post is part of the DMU summer blog and primarily intended for that audience.  I thought I’d share it to my followers here.. What do you think about GDPR and Photography?

If, like me you’re receiving a lot of emails about the new General Data Protection Regulations you should be aware that data laws are changing across the EU.  This is good news for most of us because it helps to unsubscribe from junk emails.

However, you should be aware of your obligations for any clients you engage with, how you use their data, what your privacy notice should say on your website, when you can and can’t contact them and what to say if they ask you to delete their information (including photographs).

In my regular job, I’m an office administrator and I’m the ‘Data Controller’ for our organisation.  I’ve had training on GDPR and implemented these changes in a health care office environment.  I’m not providing a full run down on GDPR here, but the same information can apply to us as we work as a freelance photographers.

In short, GDPR replaces the Data Protection Act and has new rules for personal data.  Personal data can be anything which can identify someone and used to be defined as Name, Address, Phone Numbers, Email Addresses etc..  This data (which can identify someone) is now called ‘Special Category Data’ and includes photographs, moving film, someone’s hair colour, someone’s political beliefs etc..

As photographers, we all hold special category data in the form of photographs and contact information for our clients.  We may wish to use their photos on our websites to help promote our services.  In this case, under GDPR, we must inform our clientele that we will only hold their information for the correct reasons.  In most cases, we will have their consent because they have signed a model release form.

New rules around marketing also apply.  If you already have a mailing list you use to market yourself, you need to ask permission (again) to use their email address, just like the GDPR emails we’ve all been receiving.

I contacted my clients today with the following self-explanatory information

I hope this note finds you well, I’m contacting you now because we have exchanged emails in the past and I’ve provided photo or video work for you.  I’ve never sent newsletters, nor do I use your information for marketing.  I’m simply a freelance photographer.  Apologies if this appears to be spam. I promise you are not on any mailing lists or database

Under the new GDPR rules, I need your permission to continue contacting you if I ever market myself in the future, which is something I intend to do. 

If you don’t want me to contact you again, please just ignore this email and I’ll delete your details from my address book.  Otherwise, please drop me a quick note to say it’s ok.

If you use a website for your commercial work, under GDPR, you need to have a privacy policy online which states what you are using client’s personal information for.  Different organisations will have different privacy policies, depending on the nature of and needs of their business.  There’s not many freelance photographer examples around so I’ve created my own.  It’s available here.

Under GDPR, your clientele have the right to request that you delete their information.  In practical terms, this normally means contacting a company and request your contact details be removed from their database or even deleting all mention of you from their records.  (This is new under GDPR).  So what then if a client asks you to delete photographs you have of them?

Your photographs of them is special category data because it can identify them however, your photographs are also your own intellectual property and they are essential to you in the running of your business. For that reason, there are lots of scenarios in which you should be able to cite a legitimate interest as a basis for storing and using photographs of people.  This is important for us photographers as we may publish their image within our art, or to help sell our services.

These are examples of changing laws that we should know about.  We’re on a photography and video course, not a data protection course.  However changes in the business environment will have an impact on our photography work.  I hope, that providing these examples and templates, we can all be more efficient photographers and understand not only the creative, fun side of our practice but to understand our responsibilities in a work place environment.  Thanks for reading, and if you have any GDPR questions, I’ll do my best to answer them.