The New Government Data Protection Regulations And Your Photography Business

General Data Protection Regulation (GDPR)

All the information below has been sourced from the Information Commissioner’s Office Website.

You may or may not be aware that in May 2018 the  European union are introducing new rules that will govern how business handle their customer’s personal data. These new rules, the General Data Protection Regulation will replace the previous regulations, The Data Protection Act Of 1998.

Personal data is defined as any data, which can identify someone, such as name, date of birth, address, age and more relevantly images. Images on your website ARE classed as data for instance! So you will need a GDPR compliant model release which includes specific consent.

As many photographers work with sensitive personal data, it is important to understand the changes that are being made and steps that your business will need to take to comply with these new regulations.

Before we get into the change in individuals rights its worth looking at some changes in definitions under the GDPR.  There are three main sections here:

  • Processing of data
  • Consent
  • Children’s personal data


In this instance when GDPR refers to processing it is not as we understand it the editing of an image, but refers to any operation or set of operations, which you perform on data. For instance your client’s data for marketing analysis, or a mailing list. As the person that holds this data your are referred to as the data controller.


Consent has changed slightly under the GDPR as you no longer allowed to automatically opt in clients to data storage or processing. This is mainly applicable if you provide a newsletter or other form of communication where currently the client would have to opt out, the client must now clearly consent to their data being processed. This does not mean that current members of a mailing list or marketing analysis will need to re-consent but it does mean that any future members will need to consent so no need to throw out your mailing list just yet!

Children’s Personal Data

While children’s personal data rules are being changed under the GDPR which may seem worrying on the face of it. Much of the changes will not affect children’s photographers. Many of the rules are designed to target online websites used by children, however the one section that will affect photographers, and probably something you are already doing in your business is that in order to process a child’s data you must have consent from a person holding parental responsibility, for example a model release.

The GDPR makes some changes and adds new rights for individuals.

Such as:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • And rights in relation to automated decision making and profiling, (less likely to apply to photographers this is for business’s where computers analyze information and make decision, such as a bank or insurance companies.

Rights to be informed.

The Right to be informed regards a business’s obligation to provide fair details of how data is used. This is typically addressed through a privacy policy. Something all photographers should now have in place.

This includes any information on how data will be processed, how long data will be held, if the information is transferred to a different country, ie is your website hosted outside of the EU. Are images being transferred out of the EU for product fulfillment such as albums etc. Are images transferred outside the EU for digital retouching these are all things that should be considered when writing your privacy policy.

Right Of Access

Under GDPR individuals are allowed to request access to their personal data. This includes confirmation that their data is or is not being processed. Access to personal data that you hold on them, this does not mean you have to give them all the photos if they ask, nor do you have to give them access to your studio management software, but it would just mean you would have to show them in a useable format what data you hold (See the right to Data Portability).

This information must be provided free of charge and within one month of the receipt of request. However you do have the right to refuse to respond to a request, if you do you must respond explaining to the individual why you cannot provide this. Although as a photographer I cannot see any instances where you would have good reason to refuse.

See chapter 3 section 1 article 12 #5 of the GDPR.

The Right To Rectification

This is simpler than previous rights, it simply states that individuals have the rights to amend or correct any details, which you have on file, which may be incorrect.

The Right to Erasure or the right to be forgotten is a right provided to consumers where by upon request a business is required to delete all personal data held by the business, providing there is no compelling reason for its continued processing. The business does in some circumstances have the right to refuse this request, for example if the data is required for completion of a contract.

The Right To Restrict Processing

This is very similar to the previous regulations under the Data protection act.  Individuals are allowed to request that processing is not performed on their data, unlike the right to erasure you are still permitted to hold the data you just can’t process it, i.e. use it.

Right To Data Portability

This right is in relation to an individuals right of access. The right of access allows an individual to request access to their data, the right to data portability allows individuals access to their data in a portable format in order to use themselves. The business is required to provide the data in a format that is portable between platforms for example a CSV file.

The Right To Object.

This is related to the right to restrict processing and the right to erasure, individuals have the right to object to processing of their personal data or direct marketing, which may bring into effect their right to restrict processing or even erasure. In the case of direct marketing, ie email newsletters you are not allowed to refuse. Customers must be made aware of their right to object in your privacy policy.

The Right Related To Automated Decision Making And Profiling.

This should not impact many if any photographers but a brief overview is that in the case of any data procession or decision making by an automated process an individual has the right to request human intervention. For instance you put in for a loan and that process is decided by a computer, you have the right to request that an actual person reviews the decision.

Transfer Of Data

The GDPR much like the DPA imposes restriction upon transferring data outside of the EU. This is mainly relevant for photographers in the case of website hosting being out of the EU. You may transfer data where the business receiving the data has provided confirmation in the form of a contract or agreement that they are compliant with the GDPR. So for instance I contacted my website hosting company, Photobiz, in the US and sent them the entire GDPR document and I now have in writing (email) that they comply with the relevant regulations.

In terms of your business, what other instances are there where by you might be transferring images outside of the EU.  I have listed a few below.

  • your website servers
  • retouching services
  • album fulfillment and design
  • purchasing of products, wall art etc, where you are uploading images online
  • if your client purchases session fees via an online store like BigCartel.
  • email marketing such as Mail Chimp
  • studio management software such as Lightblue, Tave, 17 Hats.
  • cloud storage

As a photographer ask yourself the following questions to gauge what you still need to do.

If you are like me and run your business single handed you are considered a data controller. ICO have a controller checklist that is very helpful: Controllers Checklist

If you are holding data on your clients even if you don’t do anything with it, you are processing it. Complete the Processors Checklist here.

Asses your compliance with data protection, complete the information security checklist here.

Complete the Direct marketing checklist here.

You will need to assess your records management procedures and risk to your client’s personal information. Records Management

Have your communicated your policies on your website, such a terms of use, privacy policy. Is your contact for GDPR compliant? Complete a Data sharing and subject access checklist here.

Do you have a GDPR compliant model release?

Is your insurance adequate