Is your photography business GDPR compliant?

Since the GDPR first came into force in 2018, it has regulated the way that companies store, process and use data. 

Ensuring that your photography business is compliant with the rules and regulations that are integral to the GDPR is essential for the reputation, integrity and legal compliance of your business.

So, is your photography business GDPR compliant?

What is GDPR?

The GDPR, or General Data Protection Regulation, is a law that dictates how people’s personal information can be used. Although it is an EU law, it still applies in the UK post-Brexit. 

The GDPR is intended to ensure that data is kept safe, confidential and secure by any companies that use it. It is also meant to allow people to clearly understand how their data is used while increasing transparency and accountability. In essence, it gives every individual more control over their personal data.

Why is GDPR important for a photographer business?

As a photographer, you may well hold and process a significant volume of personal data. It’s likely that you’ll handle information such as the names, addresses, telephone numbers and email addresses of many of your current and former clients. 

You may sometimes use this information when you are running promotions or notifying clients of updates to your business. Therefore, if you are storing or using personal information, the idea of the GDPR is that the information is stored and used in a correct and lawful manner.

As a starting point, you need to determine the legal basis on which you’re holding data – whether it’s with the client’s explicit consent (in which case can you prove that?) or for one of the other reasons set out in the regulation, such as “legitimate interest”.  Then you need to make sure the client knows what data you’re holding and why, and has the power to access, correct or request to have the information deleted.  The Information Commissioners Office (ICO) provides full guidelines.  

Why is it essential for photographers to comply with GDPR?

Firstly, it’s important from a legal standpoint. Any entity that processes other people’s personal data must register with the ICO (Information Commissioner’s Office) to uphold the GDPR. Although there are exemptions for this, most photographers would not qualify for exemption. Consequently, to remain legally compliant, registration is imperative. It is even more important to comply if you hold children’s data on file.

Additionally, being GDPR compliant also has the extra advantage of instilling trust in customers which can help to reinforce your brand and generate an increased customer base. 

When clients are aware that you will take care of their personal data, they are more likely to have a higher level of trust in your company. 

Furthermore, they are more likely to leave you positive reviews or spread the word about your company via social media, further increasing the generation of customers.

How can your business become GDPR compliant?

To become fully GDPR compliant, the first stage is to register with the ICO. This is an independent body that regulates information rights and data privacy in the UK. As one of its principal functions, it ensures that businesses and organisations are complying with the GDPR.

You can take a self-assessment on the ICO’s own website to find out whether you need to register your photographer business with the ICO and, if you do, you will need to pay an annual fee that is renewed every year. 

The cost of registration will depend on the size of your organisation. If your photography firm is a small business with fewer than 10 employees and a turnover of less than £632,000 then you will only need to pay £40. 

However, these costs rise for larger companies. To become fully compliant, you will need to register and pay the fee.

What data should business owners take into account for compliance?

Firstly, GDPR covers personal data such as a photographer’s clients’ names, addresses and phone numbers. However, the breadth is actually much wider than this alone. 

It can also cover any other personal data that you have collected from clients such as any biometrics data, health data, any data that reveals their ethnic origin or refers to their race and data about their religion.

Furthermore, the GDPR even covers information about their political opinions or any memberships of trade unions. While it may be rarer for you to collect the latter in the course of your business, it may be possible that you have conducted photoshoots that have incorporated some of this information and you have it stored on your servers. Therefore, it is extremely important to remain GDPR compliant.

What are the legal ramifications for failure to be GDPR compliant?

In the event of any failure to properly register and comply with the GDPR, the ICO can issue penalties to businesses. Remember that even if you are a sole trader, you may need to register with the ICO and could be subject to a penalty if you fail to do so. 

Ultimately, you could be subject to a fine of up to £4,000.

Failure to correctly look after data puts you at risk of data breach, harm to your business reputation, fines and costly investigations.  At Aaduki, we provide specialist insurance for photographers and videographers, including cyber liability insurance to help with some of the costs triggered by a data breach. To enquire, please contact us and our team will be happy to help you arrange a quote.

Paul Newberry Cert CII

Lead Client Adviser