How to be GDPR Compliant whilst Filming and Photographing


We all remember the emails. It was late April 2018 when every day for a month our inboxes steadily filled up with GDPR-related messages from all of our subscribed mailing lists (ones you remembered, most that you didn’t).



A milestone in how data and information could be used in the EU, the General Data Protection Regulation came into effect in May 2018, and whilst perhaps we might have an idea of what it means for us as consumers, what about as business owners and stakeholders in the film and photography industry?


There is no question that this is an important directive to get right, and with the potential fines and penalties that GDPR can impose, you and your business can’t afford to get it wrong.


In this article we’ll look at what GDPR means for those in photography and film, and how to be GDPR compliant.


Before wandering into the GDPR points specific to photography and film, let’s quickly go over the main points of the regulations (just in case you didn’t get round to reading all those “We are GDPR Compliant” emails back in 2018…). The aim of GDPR was to give end-users (i.e. those who actually use a particular product) more control over their data.



The main points of GDPR are:



1) Individual rights

Consumers are allowed, at no cost, to ask via an SAR (Subject Access Request) what data is held on them and, if they want, have it removed.


2) Compliance

Businesses need to have relevant data policies in place.


3) Obtaining Consent

Users have to positively opt in and agree to the use and processing of their data. For businesses this requires consent forms and explanations as to what you will do with the information.


4) Breach reporting

If any data breaches do occur, you need to report these to the people affected and the Information Commissioner’s Office (ICO) within 72 hours.


5) GDPR fines

Serious violations of these regulations can see fines of up to twenty million euros or 4% of your business’s global turnover, whichever is greater.


Most people associate GDPR with online data collection, but it’s very much technology-neutral, applying to how personal data is processed, however it takes place.


Photographs and video footage of people are considered personal data, so what steps can you take to make sure you are being GDPR compliant when filming and photographing?


We’ll first look at what you can do to be GDPR compliant when out on location and on a shoot, before moving on to remaining compliant post-shoot, when using and storing your final cuts.






On Location


Get Written Consent



With GDPR, you need to prove you have consent from every identifiable individual in the shots you’ve taken.


In smaller settings such as advertorial videos using a client’s own staff, or perhaps out on location in a cafe-environment with a small group of people, this shouldn’t be too difficult.


In these situations, participants should sign a consent form stating they are aware filming/photography is taking place, and they have given permission for you to use such “personal data” (i.e. their wonderful faces) in the ways you’ve described on said consent form. Consent forms must include what the use of the images will be, who is doing the filming/photography and how the image/data will be stored and processed.

If you are filming staff-personnel for a PR clip, their consent to appear might already be part of their employment contract, in which case no further agreement is necessary. However, if you are unsure, it is always best to err on the side of caution and get clear affirmative consent instead. It’s also important to note that if you are recording and publishing images of minors, then you must get permission to do so from their parent or guardian.



There are many consent forms available online.


Do be aware that with GDPR, even though you might have obtained written permission from an individual, they have the right to withdraw their consent at any time - if that occurs you must cease using their data immediately, which usually translates to deleting their image.





Put Up Clear Notices and Signs



Of course it might not always be practical to get written consent for every person who appears on camera, such as filming at public events. In this instance, it’s still imperative that audiences are aware filming/photography is taking place. In that case, let people know with a notice in the event program, ticketing information, or announcement at the event’s start. In more informal settings like a park or museum, clear notices and signs should be placed around the filming/photography area’s proximity. These notices should state that:


  • Video and photography is occurring

  • Who will use said personal data

  • What they will use said data for

  • Who individuals can get in touch with if they have any concerns on this


These signs typically read as follows:


“Please note that photographs and footage will be taken throughout [Event Name]. These will be used by [Company] for marketing and publicity in our publications, on our website and in social media or in any third party publication. Please contact the event organiser if you have any concerns or if you wish to be exempted from this activity.”



It should be noted that filming large crowds without focusing on one individual or a small group of people probably won’t produce identifiable images of individuals, in which case GDPR would not apply, and consent forms would not be needed. Consent forms are also not needed in situations where filming might be expected (e.g. spectators in a stadium or out in a public park). Nonetheless, we would always recommend taking a cautionary approach, playing it GDPR-safe rather than GDPR-sorry.



Take Focused Shots


If you do find yourself in a setting where it is practicable to get consent but you are unable to do so, then you can avoid the risk of GDPR violations entirely by directing the camera solely at your subject, shooting at tighter angles with close-ups instead of wide shots, or looking to achieve a bokeh/blurred background. A person’s consent is only necessary when they are in the shot itself, rather than in the vicinity of the camera, so by excluding or blurring them out, permissions will not be needed.





Post Shoot

Once you have your shots, you’ll need to make sure you are managing the data (i.e. photos and videos) properly, together with a website that is also up to GDPR-code.


Stored Personal Data


When it comes to data management and GDPR, you must make sure all personal data, files and information are stored securely, with mitigated risk of unauthorised access. With film and photography, this includes the memory cards you use, as the images they have on them constitute personal data too.



Privacy Policies and Cookies


Under GDPR, individuals need to be aware of what you will be using their data for when they access your website and how you will be processing it.


This is usually expressed through a Privacy Policy and Cookies Policy that is visible on your website. As with consent forms, there are numerous privacy notice templates available online, but here’s an example to show you what to look for:

https://gdpr.eu/wp-content/uploads/2019/01/Our-Company-Privacy-Policy.pdf



Breaches


If you do have a breach of personal data, it is imperative that both the ICO and people affected are notified as soon as possible, and certainly within the mandated 72 hours. Sitting on the problem won’t make things any better, and could see a larger penalty given.




In Conclusion:


GDPR might seem daunting (especially if you happen to read all eighty-eight pages of it), but when it comes to photography and filming, much of the regulation comes down to consent of the individuals on-camera. This is nothing too different to how professional photography and film have operated in the past, so whilst GDPR might demand more documentation and form-filling, it shouldn’t stop you from continuing to produce the great results you always have done.


