APV Services GDRP Policy
At APV Services we are committed to be compliant with the new General Data Protection Regulation (GDPR) with became law on 25th May 2018.
If you opted for yes in your contract, you agreed for your image and your names to be associated with an album of images purchased by yourself to be available for view online and shared on social media. Certain images may contain personal information of clients and guest such as names (in title sequences for example) or place names on tables. You must be aware that anyone can opt out at any time. If you opt out then related images will become unavailable on our website. We have no control or responsibility for images shared on social media by third parties, excepting copyright.
If you wish to opt out then email us at [email protected]
What is the GDPR?
Regardless of whether Brexit does or does not happen, the UK Government has confirmed it will implement the EU General Data Protection Regulation (GDPR), which will take effect from 25th May 2018. So it is time to start preparing. The GDPR is the new framework for European data protection laws, replacing the previous 1995 data protection directive (implemented in England as the Data Protection Act 1998 (DPA)), upon which current UK law is based. It is designed to “harmonise” data privacy laws across Europe as well as give greater protection and rights to individuals. GDPR is only part of the overall data protection framework – there will be a new Data Protection Act implemented in the UK later this year which will go further – detailing derogations from GDPR obligations, contain other national implementing measures such as commissioners powers, implement the Law Enforcement Directive and cover those areas of data processing that are not covered by GDPR.
How will this affect small businesses?
Small or medium sized enterprises (SMEs) not only collect personal data but store, move, share and access it online. Personal data is used for many activities including but not limited to customer relationship management and marketing. Quick to see opportunities for exploitation, cyber crime has increased and major data breaches have provided access to data including names, birthdates, social security and pension information. The Federation of Small Businesses (FSB) claims that SMEs are now more likely to be targeted than large corporations and they are viewed as ‘soft targets’ for such activity. This is why the GDPR is considered long overdue by many authorities, and ignorance will be no defence for SMEs who fail to comply.
How does this affect photographers?
Anyone in possession of “data” belonging to another has an obligation to ensure that such data is stored in a secure manner, and that it is not used for any unlawful purpose, (such as identity theft) and not for any legitimate purpose other than that which has been explained to the data subject. The GDPR explains how companies can demonstrate compliance, and imposes strict financial penalties for non-compliance – up to €20,000,000 or 4% of turnover, whichever is the greater. Many photographers operate as a SME and will collect and store personal data about their clients. In addition to the obvious data such as names, addresses, credit card details, bank details etc other genres of photography will collect more sensitive personal data. For example, dates and venues of weddings, religious or cultural information, full names, maiden names, personal details and family relationships. Portrait photographers may store details of children along with dates of birth. Social documentary photographers may produce projects that could include, for example, details of subjects’ imprisonment, social status, cultural or religious beliefs, political views, sexual preferences, medical or other sensitive information. Others may include race or ethnicity or include subjects that suffer from specific conditions such as dementia, diabetes, cancer, epilepsy and so on. Whilst others may identify those who associate with being LGBT, all of which can be sensitive information. Images and social media posts are included within GDPR. If an image contains personal data, then it will be caught by GDPR. If you hold an image in conjunction with other personal data such as subject name etc then it is also caught. Any such images are to be treated as personal data in the same way you treat other data. So the principles apply in the same way relating to security, time you keep them what you use the image for etc. In addition to obtaining a model release, it would also be wise now to prepare for obtaining consent to store that data, as one of the major changes in the GDPR is concerned with that consent and how it is obtained.
What does the GDPR involve?
There are two broad definitions of companies as far as the GDPR is concerned, which are ‘controllers’ and ‘processors’. The definitions are not dissimilar to those in the DPA in that the controllers have control over how and why the data is used, whereas the processors process the data and so act on the behalf of a controller. If you are currently subject to the DPA the chances are that you will also be subject to the GDPR. Processors GDPR places specific legal obligations and liabilities on processors such as maintaining records of personal data and activities. If you are responsible for a breach however, under the GDPR you will have significantly more legal liability than under the DPA. Controllers In addition to the processor obligations, the GDPR places additional obligations to ensure that controllers’ contracts with processors comply with the GDPR. Whilst the principles are similar to those in the DPA, there are additional requirements that UK companies need to be aware of, the most significant of which is accountability. By design, the GDPR requires a demonstration of compliance, so that means ensuring effective systems and contractual provisions are in place, along with training and documented decisions about processing. In short, anyone who sub-contracts work needs to ensure that contracts are updated to cover these obligations. Personal data As with the DPA, with regards to Human Resources, the GDPR will apply to personal data held about employees but the definition is broader and includes any data that could be used to identify an individual and/or be regarded as personal data. This can include cultural, social, economic, mental or genetic information and also includes IP addresses. Mostly, organisations keeping HR records, customer lists, or contact details etc, should find the change makes little practical difference so can assume that if information is held that falls within the scope of the DPA, it will also fall within the scope of the GDPR. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people. The GDPR applies to any system, automated or manual, where personal data is accessible according to certain criteria. This is wider in scope than the DPA definition and could include chronologically ordered sets of manual records. Depending on how difficult it may be to identify an individual, even pseudonymised data may fall within the scope. Sensitive personal data Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data and or biometric data for the purpose of uniquely identifying a natural person. Data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
A significant development is with regard to consent where it is used to validate the use of personal data. Consent must now be explicit as inactivity or silence from an individual will no longer be regarded as consent. When seeking consent, individuals must be advised how that data may be used and ensure that they give their consent with evidence that they have done so. Under the new regulations, a thorough record must be kept of how and when an individual gives consent to store and use their personal data and this means an active, explicit agreement. It can no longer be inferred from, say, an individual simply continuing to use a website. Those who control how and why data is processed will have to show a clear audit trail of consent, including screen grabs or saved consent forms. Withdrawing consent The GDPR gives individuals the ‘right to be forgotten’ which means the right to withdraw consent at any time, easily and swiftly. When consent is withdrawn, that individual’s details must be permanently erased - deleting from a mailing list is not sufficient. However, GDPR does not mean you can breach other laws. If you are required by law to keep certain financial records which include personal data, you must comply by keeping that information but in a way that complies with the rest of GDPR. I.e. in a safe and secure manner and not use it for other purposes.
The penalties for non-compliance with GDPR are significant and increase substantially depending upon the tier of the breach. Fines can be up to EUR20,000,000 or 4% of the preceding financial year annual global turnover (not profit), whichever is greater. The GDPR requires that in certain circumstances local data protection authorities are notified within 72 hours of discovery of any breach of privacy along with proposals for mitigating the effects. These new conditions, along with many more, illustrate just how demanding the new regulations are for companies of all sizes and for SMEs in particular. The GDPR forces a requirement to know exactly what personal data is being held and where it is located, whether in a filing cabinet, on a local hard drive or server, or in the Cloud. It also forces a requirement to have procedures in place to ensure complete removal when such a request is made. It also requires monitoring protocols to recognise and act on any breaches as soon as they happen, and to put in place an incident recovery plan to deal with the repercussions. A full information audit will be required in preparation for this, along with a complete change of culture for many SMEs. Personal data is key to the successful operation of many SMEs in both target marketing and customer retention and the GDPR means it must be handled with care. Planning should therefore start now, with implementation ahead of the 2018 deadline.
EU GDPR http://www.eugdpr.org CIPD http://www2.cipd.co.uk/pm/peoplemanagement/b/weblog/archive /2017/03/27/get-readyfor-2018-s-changes-to-data-protection-laws.aspx ICO 12 steps https://ico.org.uk/media/for-organisations/documents/1624219/ preparing-for-the-gdpr-12-steps.pdf ICO GDPR Overview https://ico.org.uk/for-organisations/data-protection-reform/overview-ofthe-gdpr/ ICO Self-assessment checklist https://ico.org.uk/for-organisations/resources-and-support/dataprotection-selfassessment/getting-ready-for-the-gdpr/ ICO Consent guidance https://ico.org.uk/media/about-the-ico/consultations/2013551/draftgdpr-consentguidance-for-consultation-201703.pdf