GDPR

Hi all, can anyone assist with my question please? I have over the last couple of years done some portrait and party photography. Should I be contacting these clients re the GDPR? I use their photos for my own advertising/publicity and always get them to sign a disclaimer when I provide them with their images on a USB. Other than the images the only other data I have for them is name, address and contact number purely for my use.

I can't seem to find an answer to this question anywhere and not sure if I am getting concerned about nothing.

Many thanks in advance.

Sharon
 
As per the old DPA you need to keep your data secure and only keep it if you’ve a genuine business need. You probably don’t need most of that data anymore.

GDPR adds a requirement not to share that data without consent, and that you really need explicit permission to contact those people for marketing reasons.
 
If there's something specific please ask, we do a fair bit of GDPR work here, aside from that Phil is pretty much bang-on here.
 
I have been building up a portfolio over the last couple of years with the intention to set myself up as a part-time photography business soon, so the work I have done so far I have just got people to sign a disclaimer agreeing for me to use images for my own publicity, with the exception of family and close friends that's been an agreement on Facebook chat. The disclaimers just have their name and address so at this point am I okay and not needing to do anything? Going forward with a business I guess I just need to be clear in T&Cs that I will hold their images for my own publicity and their personal info name, address, contact number I hold private and will not supply to anyone?
 
Leaving GDPR aside.

The CDPA states that whilst you hold the copyright of any privately commissioned work, you need the subject's permission to use that work to promote your business.

Most UK boilerplate contracts include that clause.

Again though, don’t mix up copyright, permission / releases and GDPR, they’re specifically separate issues.
 
Phil is right, furthermore, you are holding onto data, therefore you need to establish a legal right to hold it. The ICO can help:

https://ico.org.uk/for-organisation.../accountability-and-governance/documentation/

With all this being said, you are an extremely teeny tiny fish in an absolutely gargantuan ocean, making steps to achieve GDPR is good, I doubt the ICO jack-boots will be kicking down your door anytime soon.
 
Just a small point to note, the data protection act will change from the Data Protection Act 1998 to the Data Protection Act 2018 from tomorrow (assuming Royal Assent) when GDPR comes into force.

James
 
Sorry to @Shazza for potentially hijacking this thread, but I thought I would post here rather than creating yet another GDPR related thread.

I've been doing wedding and portrait photography for a few years now. All my clients' data are stored in Lightblue software. If I've read the guidelines and posts correctly, I'm thinking that as long as that data is not used for marketing and once I have completed each project I remove their data, and providing the data is secure (i.e. password protected), then I am all good?

Would really appreciate if someone could tell me if there is anything else I need to do and how to go about doing it.
 
Sounds good to me, all I would recommend is adding a statement to your documentation when booking clients informing them of this and how long you will potentially keep the data for, it gets a little more difficult if someone doesn't agree, but you would have to make a judgment call on whether to take the job, record the details anonymously etc.
 
The rules are reasonably simple.

1. you have to tell people what you're collecting and why
2. you have to keep it safe (and there are rules about how quickly you have to alert the ICO if you believe it's been lost / taken / stolen)
3. you can only use it for the purpose you originally collected it
4. specifically around marketing, you can only market to people whose data you've collected if they had a clear, explicit opt-in choice.
5. you can keep data for as long as it is required, defined by a number of purposes.

So, you don't need to remove their data once the project is complete. If you believe you need to keep contracts or consent forms (and in some cases, you're legally required to), then it's fine to keep that data. What you must do is keep it secure, and not use it for marketing, or sell it to someone else if you never said you would, etc., etc.

As I said in the other thread, for most photographers, as long as you're not using the contact details to market to people, then you've got nothing to worry about. If you do use it to market to people (including 'mailing lists'), then you should probably re-seek consent using clear opt-in language, to ensure compliance.

Otherwise, keep it secure, and keep it only for as long as you need to.

NB: I'm not a lawyer, or in any way a data protection professional. There are nuances to the act which probably don't affect photographers but people may want to be aware of (for example, your right to have your data re-processed by a human if you weren't aware it was being processed initially by an algorithm, for example, for car insurance).
 
Thanks guys. Makes me a bit more calm about it now. :D
 
So... say you want to email all clients on your weddings and portraits database with a special offer of framed enlargements for a Mother's Day or Xmas promotion etc. Can you do that without specific permission?
 
Yes and no, part of the problem with this legislation is people's interpretation of it, my understanding is that if people send you an email asking about a service, then they have given you "permission" to contact them regarding the content of the email. However that would not mean you could then use it for other promotions etc.

The other thing to remember is if sending any emails to more than one person then you cannot identify the other recipients (send the list Blind copy, may get you off that one).
 
So... say you want to email all clients on your weddings and portraits database with a special offer of framed enlargements for a Mother's Day or Xmas promotion etc. Can you do that without specific permission?

No. Only if you already have explicit opt-in consent to market to them.

Yes and no, part of the problem with this legislation is people's interpretation of it, my understanding is that if people send you an email asking about a service, then they have given you "permission" to contact them regarding the content of the email. However that would not mean you could then use it for other promotions etc.

That's not the description HoppyUK's post asks about. If someone e-mails you, you can of course respond to them. You can't then keep their e-mail address and later on use it to market to them. If someone takes up your service, if you have _explicitly_ asked them if you can market to them, then you can, if not, you can still contact them, for example, if something changes and they need to know (e.g. they booked you for 10 hours and you can only do 7). You can't however, 'just drop them an e-mail saying if they invite a friend they get another 10% off'.

Direct Marketing is nice and explicit in GDPR - no, unless you got specific opt-in and you have a record of it, and people can opt-out again at any stage, for any reason.

I think a lot of organisations (including hospitals) are panicking about stuff which isn't direct marketing because they're overly paranoid, which isn't helping (my NHS trust just told me they can no longer text me about appointments I've made without me filling in another consent form, which is basically rubbish, they couldn't text me to offer me cheap rate liver transplants, but they can always text me in relation to a specific service if there's an expectation of that activity taking place).

Anyway, moving on.
 
Thanks. That's what I thought - and a handy takeaway I think.

Can't imagine that you'd get locked up but I'd fully expect the odd client to get all indignant about it.
 
Absolute worst case is that you get fined by ICO (up to £10m / 2% of global turnover or up to £20m / 4% of global turnover, always picking the higher of the two values, depending on the infraction), the fines are no longer trivial. They're very serious. Getting to that point is probably not the first step, but the ICO are serious about stopping direct marketing and data loss, sadly, it won't affect true spam, since those folk don't care anyway.

ICO fines are discretionary however, and they're clearly targeting large businesses which don't protect the data they collect.
 
No. Only if you already have explicit opt-in consent to market to them.

Interesting but not what Elizabeth Denham (the information commissioner) herself said on TV the other day. She stated that if you have an existing business relationship with a company or individual it is reasonable to suppose that they are interested in your products/services and no specific opt-in is required. You do, however, have to give them the option to opt out when sending marketing materials and if they do so then you can't market to them afterwards.
 
So here's my take. I am not a lawyer, I am more than happy to be wrong.

I have an ongoing relationship with the National Trust, because I'm a member. However, if I paid for a wedding photographer (or a portrait photographer) to take photographs once, I don't believe I have an ongoing relationship. I know they need to hold my data, because they have consent forms or contracts, but I do not have an ongoing relationship. I think it's exactly this case that the GDPR is intended to cover. One-off purchases, where you have to provide some personal data, but at which point you do not consent to having marketing material sent to you later.

A database of *previous clients* who you provided services to, even if it was a number of times, do not, in my view, have an ongoing relationship. If you're contracted to take someone's photographs in 3 months, then you have an ongoing relationship, until that contract is finished, but afterwards, unless you explicitly asked 'can I keep mailing you' then you shouldn't.

This is why I think the NHS example I gave is wrong, they do have an ongoing relationship, I have an appointment, I want a text reminding me of it. I think the NHS has it wrong, but I think you can't mail previous clients unless you confirmed at the time that they were happy to be mailed.

I could be wrong.

I'm not a lawyer or data protection specialist, etc., etc.
 
I think you are wrong with your reasoning, but right with your conclusion. In the NHS example, they don't require your consent because communicating with you is operationally necessary for the provision of the service. Simple as that.
 
Sending me the initial appointment letter is operationally necessary. Sending me the reminder text message a few days before seems to be giving them some problems. I agree, they can, whatever the reason, but they've sent us all letters saying they can't and won't unless we consent next time we're there.
 
It does sound pretty stupid. I'm sure they can point to the fact that they get fewer missed appointments when they send reminders, so there's a good business reason for doing it, so they can do it.
 
Thanks everyone. I can't see that I have too much to be worrying about. Apart from a couple of disclaimer forms with names and addresses on I don't hold much data at present. These forms I could scan in as an electronic copy and password protect. Other contacts are people I know who I only have as a name and phone number stored in my phone. Going forward as I develop providing I word something around data in my contract I guess I should be fine. This thread has been really useful.
 
These forms I could scan in as an electronic copy and password protect.
You can if you want, but you don't need to. Paper storage can be just as secure as electronic storage. Arguably more secure once you start looking at backups, cloud storage etc.
 