I’m hiring a photographer – what do I need to know about GDPR?

Calling all business owners! Have you got a commercial photography project on the horizon? Are you thinking of hiring a photographer for some professional staff headshots or on-site photography? If so, it’s important that you’re up to speed on the upcoming changes to data protection laws. We never really consider that commercial photographs are classed as personal data, but, if a person can be identified from an image, it is classified as data. And wherever data is involved, it needs to be protected. This is where the new General Data Protection Regulation (GDPR) comes into play.

As the nation gears up for these new regulations to come into effect, the information about GDPR on the internet is becoming more and more tricky to unravel. Here we’re taking a look at exactly what you need to know about GDPR if you’re hiring a photographer…

What is GDPR?

Firstly, it’s worth summarising exactly what the regulation means. GDPR sets out the new European framework for data protection, covering how personal data is obtained, processed and stored. The new regulations give individuals more rights over what companies can use their data for, if at all. This new GDPR legislation will have a substantial impact on all businesses once it comes into effect on 25th May 2018.

Photography and personal data

Think of a photographer as a ‘data collector’. When hired by you, they collect personal data for their records, including your name, email address, telephone number and business address. Their data collection doesn’t stop there though. Each photograph they take that features an identifiable person is counted as a piece of personal data. In terms of commercial photography, anything from a staff headshot to a studio-based photo of a model using your product will be classed as data. A commercial photograph destined for your website or brochure can contain arguably the most sensitive of personal information about an individual – what ethnic origin they are, what job they do, who they are interacting with, where they are and what they are doing.

As well as capturing and storing your images, many photographers share photos from their jobs online. In such a visual industry, it is essential to be able to showcase a portfolio of clients across a photography website and social channels, with the aim of attracting new clients.

A photographer has a legal responsibility to ensure that they are compliant with GDPR legislation. Simply put, they must prevent your data from getting into the wrong hands and being abused. If an unlawful data breach does occur, they have a duty to report it to the Information Commissioner’s Office (ICO).

Informed consent

The securement of informed consent is a crucial part of the new GDPR legislation. According to the ICO, “Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.”

Before your photographer begins a shoot, you should make anyone who could appear in the shots aware of who the photographer is. A clear and specific statement of consent must be provided by the data subjects (the people in the photos). If you’re having formal corporate photos of your staff taken, or any photos taken around the workplace that can clearly identify employees, then GDPR regulations state that each staff member must proactively opt in to those images being taken, stored and published. Anyone appearing in photographs should be informed that these photos are being taken, they must be allowed access to the photos, and they must be able to have their data corrected or erased. A photographer may ask the data subjects to sign a photography release form which includes a clear indication of how the photos are going to be used.

If, as part of your commercial photography campaign, the photographer will be taking photos that feature children under the age of 18, full written parental consent must be provided.

Genuine choice and control

It is important that the photographer you hire offers data subjects genuine choice about and control over their data. Subjects have the right to ask that their photos remain private – they are not obliged to have their photographs shared online, whether on the photographer’s website or on social media pages. Alternatively, they might want to request that the photographer only shares photos where they are unidentifiable and that they avoid using any names or locations in their web and social copy. Whilst it is often beneficial for photographers to be able to display images online and share them with co-suppliers, GDPR regulations recognise that some clients may benefit from limitations on this sharing.

Ensure that it is made clear how a data subject can access any data the photographer holds about them. It is also important to get confirmation about how a subject can withdraw their consent if they wish. Most photographers will outline this in their privacy policy. You should be able to request in writing that commissioned images be removed from online sources at any future point in time. You need to know that you have the ultimate say in how your images and details are used.

GDPR Compliancy

Hopefully we’ve helped outline what you need to know about GDPR if you’re hiring a commercial photographer. Once you’ve found a photographer whose work you admire, check to see if they have an up-to-date privacy policy on their website. At a basic level, this policy should tell you who they are, what they are going to do with your information, how long they will keep personal data and who it will be shared with. It should also tell you whether they are GDPR compliant.

To find out more about the new GDPR legislation, you can visit the EU GDPR portal, a resource specifically designed to educate the public about the main elements of this new data protection legislation.