This May a piece of legislation called the General Data Protection Regulation comes into force, and there has been much talk, and much confusion, in the wedding film industry about what it will mean.
Any company, big or small, will have to comply. What’s more, violations can be met with fines: regulators will be able to fine up to €20 million or four per cent of annual worldwide turnover, whichever is higher.
But GDPR compliance has become a bit like the ‘Millennium Bug’, with scare tactics and conflicting information about what does and does not need to be done.
To help us get to grips with GDPR, we have spoken to leading experts, including the Information Commissioner’s Office (ICO) and Briffa, the intellectual property and information technology law firm, and these are our key takeaways.
What is GDPR?
The EU’s General Data Protection Regulation (GDPR for short) governs how personal data is handled and protected: how it is collected, stored and used.
It is essential to know what personal data you hold, where it came from, where it is stored and how you are using it.
Organisations need to keep records of the personal data they process, be able to show the lawful basis for processing it (for example that consent was given), and show where the data goes, what it is used for and how it is protected.
It is all about giving people more control over their personal data and harmonising the rules for businesses that work with people in the European Union (EU).
GDPR applies to any business that processes the personal data of individuals in the EU, so even if you are based outside the EU it still applies when your clients are in the EU.
What exactly is personal data?
Personal data means any information relating to an identified or identifiable person, someone who can be identified directly or indirectly. That includes information that is clearly about a particular person, such as a name, phone number or email address, and also information that identifies someone only when combined with other data.
By that definition, imagery (still and video) of clearly identifiable individuals is also personal data.
In some circumstances imagery can also be ‘special category’ (sensitive) personal data, for example where it reveals a person’s religious beliefs, ethnic origin or health, or where it is processed biometrically to uniquely identify an individual.
What are the ‘controllers’ and ‘processors’ the GDPR refers to, and do I need a data protection officer?
Under the GDPR, any organisation processing personal data needs to be able to work out whether it is acting as a data controller or as a data processor for that processing. So, what does that mean?
A controller determines the purposes and means of processing personal data, whereas a processor processes personal data on behalf of a controller. As for a data protection officer, one is only mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data, so a small videography business is unlikely to need to appoint one.
As a small business owner you may be both a controller and a processor, and you will often store personal data with a third-party IT provider, such as MailChimp for mailing lists, or services like Google or Dropbox for spreadsheets holding the contact details of your clients and of the family members involved in the wedding planning.
You choose which details you provide to MailChimp, say, to send emails and marketing campaigns, so you are the ‘data controller’ and MailChimp is a ‘data processor’ providing its services to you.
Under the GDPR you must take appropriate measures to secure any personal data being processed, and you must have a written contract in place with each processor that obliges it to process the data only on your instructions and to comply with the GDPR itself.
There is a great blog by the Manchester Chamber of Commerce that explains these two data ‘roles’ really well.
What can I use personal data for?
Under GDPR you must have a valid lawful basis for processing personal data. There are six available lawful bases; which one applies depends on your purpose and your relationship with the individual.
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Visit the ICO blog for more useful information on these six lawful bases.
What rights do my clients have in regard to the data I have?
Under GDPR, individuals have several important rights, some new and some strengthened, including the right to erasure (the ‘right to be forgotten’), the right to object, the right to rectification, the right of access and the right to data portability.
• Right to erasure (‘right to be forgotten’): an individual may ask you to delete their personal data without undue delay, for example where it is no longer needed for the purpose it was collected for or where they withdraw the consent it was processed on. The right is not absolute: data you still need for another lawful purpose may be kept.
• Right to object: an individual may object to certain uses of their data, including direct marketing, which must then stop.
• Right to rectification: individuals may ask that incomplete data be completed and incorrect data corrected.
• Right of access: individuals have the right to know whether you are processing data about them, what it is and how it is used, and to receive a copy of it.
• Right to data portability: individuals may ask that personal data they provided to you be given to them, or sent to another organisation, in a structured, machine-readable format.
How do I ensure I obtain consent?
Under GDPR, consent is defined as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
Pre-ticked opt-in boxes, silence or inactivity, and a brief reference buried in terms and conditions will no longer count as consent.
With videography, you may have a consent form in which the couple agree that you can use their personal data, including their footage, on social media and on your website.
However, an individual can withdraw consent at any time, even if they originally gave it, and withdrawing must be as easy as giving it.
But how does that work if I have produced a wedding film and spent money on marketing material around it?
If you produced a wedding film on the basis that the couple consented to your using their imagery and they then withdraw that consent, there are circumstances in which you can still use the film.
Tom Broster at Briffa explains: “You may be able to continue to process personal data even if an individual has withdrawn their consent for your business to do so, on the basis of having another legal basis for doing so. For example, you may be pursuing a ‘legitimate interest’ or processing of the personal data is necessary to perform a contract with the individual.”
“You are likely to have a legitimate interest if you are pursuing a lawful business interest, and the way in which you are processing the data is necessary in pursuing that interest. Your interest must also be balanced with the rights of the individual. They will likely be balanced if the personal data is being used in a way they would reasonably expect and which has a minimal privacy impact, or where there is a compelling justification for the processing.”
“You may be able to rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate and an individual has been given the option to opt-out of receiving such marketing at the time of collection and does not impact the fundamental rights of an individual. Individuals should also be able to opt-out of receiving such communications at any time.”
We strongly recommend you read these blogs by Tom at Briffa on this subject.
- Moving Image Guide to GDPR
- General Data Protection Regulation (GDPR) – No consent required – but what is ‘legitimate interest’?
- GDPR – Why you DON’T need to obtain Consent
Do I need to obtain the consent of wedding guests to be in a film?
Most guests expect that a wedding will have a photographer or videographer. According to Briffa, the more clearly you signal that you are filming, or are likely to be filming, in the vicinity, so that it is transparent to all guests that they are being filmed, the less likely it is that the processing will be considered to lack a lawful basis. It also gives camera-shy guests the chance to say that they do not want to appear in the final edit.
Our top GDPR tips for wedding videographers
1) Limit the amount of personal data you collect and retain
Are you asking for data that is of no real use to your business? Are you keeping data you no longer need? Delete or anonymise personal data that your business no longer needs.
Do you keep archived spreadsheets of old enquiries and referrals so you can compare year on year how couples find you and at which venues they are getting married? If an enquiry did not turn into a booking, you no longer need the names, emails and phone numbers attached to it, so strip those fields out and keep only the non-identifying information (the year, the referral source, the venue).
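As an added example (not part of the original article), here is a small Python routine that applies this rule to a list of enquiry records: unconverted enquiries older than an assumed 24-month retention window lose their name, email and phone fields, booked or recent ones are copied untouched, a record with a column that has not been classified as identifying or safe is rejected, and a final check confirms nothing identifying is left in the anonymised rows. The column names, the retention period and the sample rows are constructed for the demonstration.

```python
"""Anonymise stale, unconverted wedding enquiries while keeping the
fields useful for year-on-year statistics.

Added example, not from the original article. The column names, the
24-month retention period and the sample rows are assumptions."""
from datetime import date, timedelta

# Fields that identify a person; removed from stale, unbooked records.
IDENTIFYING_FIELDS = ("name", "email", "phone")
# Fields kept for statistics; none of them identifies someone on its own.
RETAINED_FIELDS = ("enquiry_date", "source", "venue", "booked")

RETENTION_DAYS = 24 * 30          # assumed retention window for lost enquiries
AS_OF = date(2018, 5, 25)         # date the housekeeping is run (constructed)

# Constructed sample enquiries; these are not real people.
SAMPLE_ENQUIRIES = [
    {"enquiry_date": "2015-03-02", "name": "A. Example", "email": "a@example.com",
     "phone": "01234 000001", "source": "Instagram", "venue": "Barn A", "booked": False},
    {"enquiry_date": "2017-09-10", "name": "B. Example", "email": "b@example.com",
     "phone": "01234 000002", "source": "Venue referral", "venue": "Hall B", "booked": False},
    {"enquiry_date": "2014-07-19", "name": "C. Example", "email": "c@example.com",
     "phone": "01234 000003", "source": "Google", "venue": "Barn A", "booked": True},
]


def anonymise_enquiries(records, today, retention_days=RETENTION_DAYS):
    """Return a new list of records.

    Booked enquiries and enquiries newer than the retention window are
    copied unchanged. Unbooked enquiries older than the window keep only
    RETAINED_FIELDS. A record with a column that is neither identifying
    nor retained is rejected, so a new PII column cannot slip through."""
    cutoff = today - timedelta(days=retention_days)
    known = set(IDENTIFYING_FIELDS) | set(RETAINED_FIELDS)
    cleaned = []
    for rec in records:
        unknown = set(rec) - known
        if unknown:
            raise ValueError(f"unclassified columns {sorted(unknown)}: decide "
                             "whether they identify someone before keeping them")
        stale = date.fromisoformat(rec["enquiry_date"]) < cutoff
        if rec["booked"] or not stale:
            cleaned.append(dict(rec))
        else:
            cleaned.append({k: rec[k] for k in RETAINED_FIELDS if k in rec})
    return cleaned


def contains_identifiers(records):
    """Post-check: True if any record still carries a populated identifying field."""
    return any(rec.get(f) for rec in records for f in IDENTIFYING_FIELDS)


def stale_rows_are_clean(records, today, retention_days=RETENTION_DAYS):
    """Verify that every unbooked record older than the window is identifier-free."""
    cutoff = today - timedelta(days=retention_days)
    stale = [r for r in records
             if not r["booked"] and date.fromisoformat(r["enquiry_date"]) < cutoff]
    return not contains_identifiers(stale)


def demo():
    """Run the housekeeping over the sample data and return the result."""
    return anonymise_enquiries(SAMPLE_ENQUIRIES, AS_OF)


if __name__ == "__main__":
    for row in demo():
        print(row)
    print("stale rows clean:", stale_rows_are_clean(demo(), AS_OF))
```

The point of the unknown-column check is that anonymisation is only as good as your inventory of the columns: a free-text ‘notes’ field full of names would pass silently if every unrecognised column were simply kept, so the routine forces you to classify it first.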
2) Be careful how you use the data you collect
On your website you may have an online enquiry form, or someone might email to ask about your wedding prices. They will include personal data, such as a phone number and email address, so that you can provide a quote.
Under the GDPR you can use that personal data only to contact them about your videography prices and services. You cannot add their details to your email marketing list and start sending campaigns without specific consent for that purpose.
3) Reconfirm consent
GDPR does not only apply to sign-ups that happen after 25 May 2018; it applies to everyone already on your email list who is in the EU. If you know where all your data came from and have always asked for consent before adding someone to your marketing list, that is great. If you have a mailing list and cannot remember how you obtained the addresses, you need to do some housekeeping.
You can run a re-permission campaign to refresh that consent, for example by asking each subscriber to confirm that they would still like to receive emails by clicking a confirmation link in the email, and remove anyone who does not confirm from your mailing list.
4) Have a data compliance process in place
GDPR means every piece of personal information your business holds needs to be identified, even if it is stored offline. Document how you look after your clients’ data. Keep evidence of consent: who consented, when, how, and what you told them at the time. Review this and refresh it whenever anything changes.
Video recordings are a permanent record of a wedding, so put measures in place to prevent unauthorised access if a camera or memory card is lost or stolen.
You will need to show that you have taken steps to reduce the risk, for example by copying footage from the camera to a secure, ideally encrypted, location and clearing it from the memory card as soon as you can. Bear in mind that simply deleting files from a card does not remove the underlying data, so format the card rather than just deleting files, and encrypt the drive you copy the footage to.
5) Create a Privacy notice for your website
Under GDPR you are required to tell individuals what you are doing with their personal data. According to the ICO, your privacy notice must set out why you are processing their personal data, including the lawful basis you rely on, any recipients you may be sending it to (eg a supplier such as your mailing-list provider), and how long you will keep it or the criteria used to decide that. It must also tell individuals about their data protection rights, including the right to complain to the ICO.
6) Have a Cookies Policy
Where cookies uniquely identify a device or, combined with other data, an individual, they are personal data under GDPR. Web analytics systems use cookies to show you how your pages are performing, so most websites employ them. Even IP addresses, which identify devices connected to the internet, can in certain circumstances be personal data.
7) If you suffer a data breach, report it
A personal data breach is not only a hack: a lost or stolen memory card, a laptop left on a train or an email sent to the wrong recipient all count. If the breach is likely to result in a risk to the individuals affected, you must report it to your supervisory authority, the Information Commissioner’s Office (ICO) in the UK, without undue delay and within 72 hours of becoming aware of it; where the risk is high you must also inform the individuals themselves. Ideally report well inside the 72 hours, and keep a record of every breach, including those you decide do not need reporting.
8) Respect the withdrawal of consent
If a client asks you not to share their images or details, you must comply. Act on withdrawals of consent as soon as you can, and do not penalise individuals who withdraw.
9) Review your consent practices
Make sure the way you obtain consent meets the GDPR’s standard. Consider using double opt-in: when someone signs up, they receive an email with a verification link to confirm that it really was them who entered their email address in the sign-up box.
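The confirmation link in tip 3 and in this tip is only worth something if a click proves that the address’s owner actually received the email, and tip 4 asks you to keep evidence of who consented, when, how and to what wording. As an added example (not code from the original article or from any mailing-list provider), the Python below issues an HMAC-signed, time-limited confirmation token bound to the address and the purpose, verifies it with a constant-time comparison on the way back, rejects expired or forged links, and turns a successful click into a consent record. The secret key, the 48-hour link lifetime, the notice version label and the timestamps are assumptions for the demonstration.

```python
"""Double opt-in confirmation tokens plus a consent evidence record.

Added example, not from the original article. The secret key, the
48-hour link lifetime, the notice version label and the sample
timestamps are assumptions for the demonstration."""
import base64
import hashlib
import hmac
import json

# Assumption: in real use this comes from configuration or a secret store,
# never from source code. Rotating it invalidates outstanding links.
SECRET_KEY = b"demo-only-replace-with-32-random-bytes"
LINK_LIFETIME_SECONDS = 48 * 3600        # assumed validity of a confirmation link
NOTICE_VERSION = "newsletter-notice-v3"  # assumed label of the wording shown at sign-up


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_confirmation_token(email: str, purpose: str, issued_at: int) -> str:
    """Build the token that goes into the confirmation link.

    Format: base64url(payload) "." base64url(HMAC-SHA256(payload)).
    The payload binds the address, the purpose (which list) and the time
    of issue, so a token cannot be reused for another list, for another
    address, or after it has expired."""
    payload = json.dumps(
        {"email": email.strip().lower(), "purpose": purpose,
         "iat": issued_at, "notice": NOTICE_VERSION},
        separators=(",", ":"), sort_keys=True).encode("utf-8")
    return f"{_b64(payload)}.{_b64(_sign(payload))}"


def verify_confirmation_token(token: str, now: int):
    """Return the payload dict for a valid, unexpired token, else None.

    The signature is checked with a constant-time comparison before any
    field of the payload is trusted."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    data = json.loads(payload)
    age = now - data["iat"]
    if age < 0 or age > LINK_LIFETIME_SECONDS:
        return None
    return data


def record_consent(data: dict, confirmed_at: int, source: str) -> dict:
    """Evidence of consent: who, when, how, and what they were told."""
    return {
        "email": data["email"],
        "purpose": data["purpose"],
        "notice_version": data["notice"],
        "requested_at": data["iat"],
        "confirmed_at": confirmed_at,
        "method": f"double opt-in, link clicked from {source}",
    }


def demo():
    """Exercise the happy path, an expired link and a forged link."""
    issued = 1_526_000_000                       # constructed timestamp
    token = make_confirmation_token("Couple@Example.com", "marketing-newsletter", issued)
    good = verify_confirmation_token(token, issued + 3600)
    late = verify_confirmation_token(token, issued + LINK_LIFETIME_SECONDS + 1)
    # Forgery attempt: someone else's payload stapled to a genuine signature.
    other = make_confirmation_token("attacker@example.com", "marketing-newsletter", issued)
    forged = verify_confirmation_token(other.split(".")[0] + "." + token.split(".")[1],
                                       issued + 3600)
    record = record_consent(good, issued + 3600, "confirmation email") if good else None
    return {"good": good, "late": late, "forged": forged, "record": record}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the consent record, not the token; mark the address as confirmed on the first successful click so the link is effectively single-use; and keep the notice version so you can later show exactly what wording the subscriber agreed to. The same mechanism serves a re-permission campaign: issue tokens to the existing list and drop every address whose token is never confirmed.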
10) Consider a consent notice at weddings
Filming at weddings may involve getting permission from venues and authorities, and it is good practice to tell guests too. When you shoot in a public area, people in the background may be captured on camera and it is not feasible to have everyone who enters that area sign a release form, but you can post notices at the entrances advising guests that filming will be taking place.
11) Don’t panic!
As wedding videographers it is important not to ignore GDPR, but in reality we do not handle the volume of personal data that large organisations do, so there is no need to panic.
Elizabeth Denham, the UK Information Commissioner, even said: “Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense. This law is not about fines. It’s about putting the consumer and citizen first.”
Get organised and address what you need to do. Read some of the useful links we’ve provided and carry on with your wonderful wedding filming!
This blog has also appeared on the Story Of Your Day website.