Andrew Miller Photography: WEDDING PHOTOGRAPHY BUSINESSES AND THE GDPR

WEDDING PHOTOGRAPHY BUSINESSES AND THE GDPR

The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. So in effect, you have to think seriously about implementing some security to look after your client’s data.

The GDPR applies to ‘controllers’ and ‘processors’.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU.
It also applies to organisations outside the EU that offer goods or services to individuals in the EU. So if you are in the US and photograph weddings or run training workshops in the EU you are involved with this.

WEDDING PHOTOGRAPHY BUSINESSES AND THE GDPR – WHAT YOU NEED TO THINK ABOUT.

Personal data

Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

The GDPR includes certain rights for your clients:

the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object; and
the right not to be subject to automated decision-making including profiling.

Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR. So the chances are small business won’t be affected too much, however it is best to review your arrangements anyway.

SOME SIMPLE SECURITY MEASURES

Use a multi layered approach!

“Perimeter Security” – All of your IT infrastructures should be stored in a secure and alarmed location. The alarm is monitored 24/7 and where a key holder does not answer a call the Police will be instructed to visit the site.

“Network Security” – All of the IT is further secured using strong password protection, using a mixture of alpha numeric and symbols. This is NOT written down.

“Privilege Based” – Only those who need to access your information will be able to access it. In 99% of cases that should be just you, or possibly an assistant.

More information can be found on the ICO’s website and in this .pdf

WHAT ABOUT YOUR CLIENTS?

Your clients should be made aware of your requirements under the GDPR and the DPA anyway. You should have a privacy policy in place on your website and also should have a postal address listed on your website as well as contact telephone numbers.