With the Facebook data scandal still simmering in the headlines, most people will assume that the General Data Protection Regulation (GDPR) which comes into effect on May 25th only applies to large organisations, but it also affects a great many photographers. In particular it impacts on those, like me, who regularly photograph people for business websites, press releases, social media and so on.
In a rather large nutshell, anyone who handles data has to get their house in order and register with the Information Commissioner’s Office (ICO) before the deadline or face sanctions. I’ve registered, paid the annual fee, and I’m going through the data I have to ensure it’s secure and compliant.
What this largely means for me is that I need to work through my client galleries removing old ones or ensuring they’re not accessible to anyone except the client. I also need to make updates to my website to ensure people have an understanding of what GDPR means in relation to my work and how I handle their data.
Some galleries are publicly shared because I’ve been asked to make them so, but even then I’ll be looking at closing access to the oldest ones. All this is going to take some time as I’ve been running the system for many years now, but as I add more client work to the delivery system I’ll be making sure it’s only visible to those who need to see it. The only exception to this will be where the person I’ve photographed has given permission for me to allow their images to be searchable.
There is a slight conflict around all this in that as a photographer I should have the right to use my work to promote myself, otherwise clients needing my services won’t be able to find me, but I have to balance this with keeping and handling personal data (a face coupled with a name and place of work for example) in a responsible manner.
There are ways of making all this work, but it’s going to take more than a few weeks to really hone it. Thankfully, for the most part, my entire back catalogue of digital work dating back 18 years isn’t stored online or I think I’d have a mental breakdown at the enormity of the task. While I use cloud storage to deliver images to clients and to allow them to have an online database of the images I’ve shot for them, all my original work is backed up to off-line hard drives which keeps them secure from a data breach point of view.
The other good news is that the personal work I undertake, such as the current Saxonvale project, falls under the artistic exemption of GDPR. Of course this doesn’t mean I can be slap-dash with peoples’ personal data, but because of its nature it’s less prone to result in either a complaint or an investigation by the ICO.
Even so, I have taken images for that project which will only ever see light of day in print form because they’re too sensitive to be shared online, and that raises an interesting question about the future of photography; will we find the internet a less useful space for getting important stories out if there’s a risk of a data breach in publishing online?
Only with a few judgements behind us on data breach cases will we build a true picture of what is or is not a breach of GDPR because it’s not entirely clear from the regulation text itself given the multitude of potential scenarios. In the meantime, I’ll do all I can to keep within the rules.
To be honest, it’s mostly just common sense and courtesy and of course you’ll want to make sure any photographer you work with is compliant. Well now you know of at least one photographer who is working towards that goal.