How New GDPR Laws Affect Photographers

The General Data Protection Regulation (GDPR) went into effect this year.

If you’re a freelancer or small local studio, there’s a good chance you have no idea what I’m talking about. Fair enough. GDPR is a new law regulating the way businesses collect, process, and use data from citizens in the European Union. “At its core,” states one source, “GDPR is designed to protect personally identifiable information by strengthening and unifying the standards for data storage.” The law covers any business with EU customers, no matter where or how big the business is: even tiny photography studios in St. Podunk, Kansas, can be affected.

Of course, if you are a freelancer or small shop, it’s unlikely that you have any customers in the EU … or have any real prospects of ever GETTING one. Nevertheless, I still say you need to think seriously about implementing the tenets of this new law. Not only is the basic concept–getting a tighter rein on how companies use customers’ personal data–a good idea, it is an idea I expect to spread: it wouldn’t surprise me to see the US adopt similar regulations soon–within the next five years, even. My advice is to start planning now.

A High-level View of GDPR

There are three primary areas where the GDPR will have the most dramatic effect. I won’t go into heavy detail (I’m not a lawyer and this isn’t a technical blog), but I’ll highlight the major points of impact.

1. You Must Have a Lawful Basis

GDPR requires that merchants have a “valid lawful basis” for processing personal data. There are six lawful bases, and mostly they come down to whether the processing is necessary: in other words, if there’s some feasible way to accomplish the same goals without processing personal data, you probably won’t legally be allowed to process it.

2. You Must Have a Clear Privacy Policy

Having a privacy policy has always been a good idea; now, it’s mandatory. Said policy must thoroughly explain all the ways you’re planning to collect and use the personal data of EU citizens. It must be written in clear and simple language and tell users whom to contact to review, change or delete any of their data.

3. You Must Have a Data Processing Contract

If you take credit or debit cards and use a third-party data processor like PayPal, you need to have a written contract in place to ensure that “both parties understand their responsibilities and liabilities.” The GDPR lists what needs to be included in this contract, typically a Data Processing Agreement (DPA).


Are You Sure This Really Affects Me?

If you do absolutely no work with European citizens, there is a chance the GDPR doesn’t apply to you … yet. If you sell prints to someone in London over your website, though, or do any kind of email marketing that might go overseas … well, sorry, you’re in the loop: if you collect, process, or use personal data of any EU citizens, you are liable. Failing to comply with GDPR can result in fines–some of them fairly steep. EU regulators are allowed to fine US companies for GDPR violations; in some cases, US authorities may even help.

No Time to Be Complacent

Feeling a bit overwhelmed by all this? While that’s understandable, it’s good to keep in mind that the end goal is relevant: the protection of personal data. We all want our customers to feel confident that their information is safe in our hands, so the laws make sense. Plus, as I mentioned, there’s a good chance a version of these regulations will make it over here to the States, so I recommend you go ahead and bite the bullet: start implementing the GDPR protocols into your business right now.

