From 25 May 2018 all businesses need to be prepared for the General Data Protection Regulation (GDPR). GDPR has actually been in force for two years already, but not many people have heard about it. Even these days, from time to time you can see on Facebook groups or photography forums that someone mentions GDPR… right after that there are a few comments with questions about it… and finally one person comments that “you don’t need to worry about that” and the discussion is archived. Well, we will see what happens after 25 May. For now, I will share what I know and how I prepared my business for GDPR. The sad thing is that it will cost you some extra money… for software, for protection, for storing files online etc… but at the end of the day you will see it was worth it to clean up your business and set some rules.

Do I need to be GDPR compliant?

That depends. If you deal with EU clients and collect their personal data, then YES, you fall under GDPR. So what exactly is meant by personal data?

  • Name
  • Date of birth
  • PPS number
  • Address
  • Medical details
  • IP address
  • Photograph
  • Phone Number

Now ask yourself: does GDPR apply to you?

GDPR for Wedding Photographers

First of all, GDPR is not a set of documents that people can buy and put on their website. It’s not a copy-and-paste privacy policy or terms and conditions. If you were thinking of doing that, it is very risky and it’s wrong. GDPR comes with huge penalties. I’m sure verification will start with the bigger companies, but what if someone reports us anonymously? Mess! So for GDPR a set of proper documents visible to the public is a must-have, but what else? Well, it’s much more. GDPR is not only changing the law, it’s changing the way we think about privacy.


For example, we wedding photographers usually run the business from home. Our home is our office. So in that case, our GDPR checklist should include questions like:

  • do I have a security door?
  • do I have CCTV? or is there CCTV in my surroundings?
  • do I keep all client agreements/contracts password protected?
  • do I have an agreement with my accountant? does it cover my clients’ privacy?
  • do I have password-protected disks, NAS, USB sticks, mobile phone etc.?
  • is my cloud file storage GDPR compliant?

You see, GDPR is an individual thing. You can’t copy and paste it from other photographers… You need to think about your own and your clients’ privacy.

GDPR for Photographers

I am GDPR compliant

I’m proud to say that I am GDPR ready. With the help of awesome solicitors, I’ve created a full record for my GDPR. It starts with home security – that’s the place where all decisions are made, where I keep one backup copy of all files (NAS) etc.

My storage system is a Synology NAS. It’s now fully password protected. Those passwords are not saved for quick use, so every time I need to access files on my NAS I need to type them manually. I got rid of all external hard drives. I moved all images and other files into Dropbox Unlimited (which is GDPR compliant). For the external disks and USB sticks that I still want to keep, I used FileVault – the encryption software available on all Apple computers. So to access the files I need to decrypt the disk or USB stick. Using that disk on another computer is simply impossible. That’s why it’s secure.

The computer itself is protected too. Strong passwords for the desktop computer, a fingerprint reader on the MacBook. Solid security. There is an awesome password checker. Try it for yourself: it will tell you how strong your password is and how long it would take to crack it. I’m sure my passwords are fine, because those numbers are crazy to me:

[Screenshot: password checker result showing the estimated brute-force time]
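The “time to crack” figure such checkers print is simply the size of the search space divided by an assumed guessing rate. The following is an added example (not the checker the post refers to, and not the author’s code) that reproduces that arithmetic and adds the check those tools often skip: if the password is in an attacker’s wordlist, the length and character mix no longer matter. The guess rates, the size assumed for non-ASCII characters and the tiny wordlist are all assumptions constructed for the example.

```python
import math
import string
from typing import Optional

# Character classes an exhaustive-search attacker has to cover (printable ASCII).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
OTHER_CLASS_SIZE = 100  # assumed alphabet size for characters outside the four classes

# Rough, assumed guess rates (guesses per second) for three attacker situations.
RATES = {
    "online login with rate limiting": 10.0,
    "offline, slow hash (bcrypt), one GPU": 1.0e4,
    "offline, fast hash (MD5/SHA-1), one GPU": 1.0e10,
}

# Constructed sample wordlist; real attacker lists hold hundreds of millions of entries.
WORDLIST = {"password", "letmein", "qwerty", "photography", "wedding2018"}


def charset_size(password: str) -> int:
    """Alphabet size the attacker must assume: the sum of the classes that actually appear."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if any(all(c not in chars for chars in CLASSES.values()) for c in password):
        size += OTHER_CLASS_SIZE
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on entropy: log2(charset ** length). Real passwords are weaker than this."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def dictionary_guesses(password: str) -> Optional[int]:
    """Guesses needed if the password (case-folded) is in the wordlist, else None."""
    return len(WORDLIST) if password.lower() in WORDLIST else None


def crack_seconds(password: str, guesses_per_second: float) -> float:
    """Expected time to hit the password: a wordlist walk if it is a known word,
    otherwise half of the full keyspace on average."""
    guesses = dictionary_guesses(password)
    if guesses is None:
        guesses = charset_size(password) ** len(password) / 2
    return guesses / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


def report(password: str) -> dict:
    """Summarise one password across all attacker scenarios."""
    return {
        "length": len(password),
        "charset": charset_size(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "in_wordlist": dictionary_guesses(password) is not None,
        "crack_time": {name: human_time(crack_seconds(password, rate))
                       for name, rate in RATES.items()},
    }


if __name__ == "__main__":
    for pw in ("password", "Wedding2018", "xk9Q!m2#Lp7v"):
        print(pw, report(pw))
```

Run it on “Wedding2018” and the keyspace arithmetic says 62^11 guesses, but the wordlist branch says five: a checker that only looks at length and character classes reports the first number, which is why a long, memorable word-plus-year password can still be cracked in seconds offline.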

Data systems. For GDPR I keep all records clean. I have set procedures for adding and removing my clients’ personal data. I’ve secured all my websites and I wrote a separate set of documents to inform clients about their rights and the procedures. I’ve collected all agreements for 3rd-party services like Dropbox, Google Drive, hosting, G Suite, accountant, picture editors, etc. They are now stored online on Dropbox and locally on the encrypted NAS. I’ve even written procedures for access to the CCTV footage from my building. I’ve sent a confirmation link to all my newsletter subscribers – this is also one of the tricky topics, especially how we confirm subscribers, how they can unsubscribe etc.
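The confirmation-link step above is the “double opt-in” pattern: the address is only treated as subscribed once someone who controls the mailbox clicks a link that cannot be forged, altered or reused for a different action. The following is an added example (not the author’s newsletter setup, and not any mailing-list product’s code) of signed confirmation and unsubscribe tokens with an expiry, plus an in-memory stand-in for the subscriber database. The base URL, the key, the address and the token lifetimes are assumptions constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional, Tuple

MAC_LEN = 32  # bytes of HMAC-SHA256 appended to the payload
BASE_URL = "https://example.com/newsletter"  # assumed; not the author's site


def make_token(email: str, purpose: str, key: bytes,
               now: Optional[float] = None, ttl: int = 86400) -> str:
    """Sign purpose|email|expiry so the link proves control of the mailbox
    and cannot be altered or reused for another action."""
    if "|" in email or "|" in purpose:
        raise ValueError("separator character not allowed")
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{purpose}|{email}|{expires}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode().rstrip("=")


def verify_token(token: str, key: bytes,
                 now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (purpose, email) for a genuine, unexpired token, else None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    try:
        purpose, email, expires_text = payload.decode().split("|")
        expires = int(expires_text)
    except ValueError:
        return None
    if (time.time() if now is None else now) > expires:
        return None
    return purpose, email


class SubscriberStore:
    """In-memory stand-in for the mailing-list database (constructed for the example)."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = set()
        self.confirmed = set()

    def subscribe(self, email: str, now: Optional[float] = None) -> str:
        """Record the request only as pending and return the confirmation link to e-mail."""
        self.pending.add(email)
        token = make_token(email, "confirm", self.key, now=now)
        return f"{BASE_URL}/confirm?token={token}"

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Promote to confirmed only on a valid 'confirm' token for a pending address."""
        result = verify_token(token, self.key, now=now)
        if result is None or result[0] != "confirm" or result[1] not in self.pending:
            return False
        self.pending.discard(result[1])
        self.confirmed.add(result[1])
        return True

    def unsubscribe_link(self, email: str, now: Optional[float] = None) -> str:
        """One-click unsubscribe link for every mailing; long-lived on purpose."""
        token = make_token(email, "unsubscribe", self.key, now=now, ttl=365 * 86400)
        return f"{BASE_URL}/unsubscribe?token={token}"

    def unsubscribe(self, token: str, now: Optional[float] = None) -> bool:
        """Remove the address from both sets on a valid 'unsubscribe' token."""
        result = verify_token(token, self.key, now=now)
        if result is None or result[0] != "unsubscribe":
            return False
        self.confirmed.discard(result[1])
        self.pending.discard(result[1])
        return True
```

The purpose field is what stops a confirmation link from being replayed as an unsubscribe (or the reverse), and the pending check means a confirmation token only works once; the unsubscribe token deliberately has a long lifetime because a subscriber must be able to leave from any old e-mail.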

In terms of analytics for my websites, I’m not collecting IP addresses anymore. Individuals can now request that their data be deleted after it has been used, which is called the “right to be forgotten”. The same rule applies if they withdraw consent or object to the way it is being processed. I am responsible for deleting links to copies of the data as well as the copies of the data itself.
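An IP address is personal data (it is in the list at the top of this post), and web-server logs keep it by default even when the analytics tool does not. The following is an added example (not the author’s setup and not any analytics vendor’s code) of the two usual techniques: truncating the address the way analytics “IP anonymization” features do (last octet of IPv4, last 80 bits of IPv6), and replacing it with a keyed hash so unique visitors can still be counted without storing the address. The log lines and the key are constructed for the example; the key is assumed to be rotated daily so the hashes cannot be linked across days.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import List, Optional

# Constructed sample access-log lines (Apache combined format); not from the author's site.
SAMPLE_LOG = """\
203.0.113.45 - - [10/May/2018:14:22:01 +0100] "GET /wedding-gallery HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/May/2018:14:22:09 +0100] "GET /contact HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
not-an-ip - - [10/May/2018:14:23:00 +0100] "GET /robots.txt HTTP/1.1" 404 210 "-" "curl/7.58"
"""

LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest> .*)$")


def truncate_ip(ip_str: str) -> Optional[str]:
    """Zero the host part: last octet of IPv4, last 80 bits of IPv6.
    Returns None if the field is not an IP address."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymize_ip(ip_str: str, day_key: bytes) -> str:
    """Keyed hash for counting unique visitors without keeping the address.
    day_key is assumed to rotate daily so hashes cannot be linked across days."""
    return hmac.new(day_key, ip_str.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize_line(line: str) -> str:
    """Replace the client IP with its truncated form, keeping the log format intact.
    An unparseable IP field is redacted outright rather than passed through."""
    m = LINE_RE.match(line)
    if not m:
        return line
    truncated = truncate_ip(m.group("ip"))
    return (truncated if truncated is not None else "-") + m.group("rest")


def anonymize_log(text: str) -> List[str]:
    """Anonymize every non-empty line of a log file's contents."""
    return [anonymize_line(line) for line in text.splitlines() if line.strip()]


def unique_visitors(text: str, day_key: bytes) -> int:
    """Count distinct visitors for the day from pseudonyms, never from raw addresses."""
    ids = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and truncate_ip(m.group("ip")) is not None:
            ids.add(pseudonymize_ip(m.group("ip"), day_key))
    return len(ids)


if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
    print("unique visitors:", unique_visitors(SAMPLE_LOG, b"assumed-daily-rotating-key"))
```

Truncation is irreversible, which is what makes it anonymization; the keyed hash is only pseudonymization (whoever holds the day’s key can recompute it from a candidate address), so the key must be discarded once the day’s count is done.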

To manage all the GDPR documents I chose one simple solution: I am paperless! All records are securely kept online.

To sum up, I confirm that:

  • I collect personal data in a fair, lawful and transparent manner;
  • I explicitly specify the purpose of why I am collecting the personal data. And this purpose is legitimate;
  • I have limited the amount of information and data I request and collect to what is relevant and necessary for my processing;
  • I ensure that the personal data I gather is kept for as long as it is necessary for processing;
  • I guarantee that the personal data is held in a manner that is deemed secure.

Is that all?

No. The idea of GDPR is to keep looking for better protection. I’ve mentioned a few of the changes I made. For security reasons I can’t share all the steps I took. I hope you will take care of your own GDPR. The penalties introduced are a bit crazy… Failure to comply will cost you. Those who fail to meet GDPR compliance may face hefty fines, many of which smaller companies can’t afford to pay.

  • Failure to Comply / Technical measures = up to an amount that is the GREATER of €10 million or 2% of global annual turnover (revenue) from the prior year
  • Data Breach / Key provisions = up to the GREATER of €20 million or 4% of global annual turnover in the prior year

GDPR compliance will be a top priority for many companies in 2018. And with just a few months to tackle compliance, it’s important you understand what GDPR is, how it affects your business, and more importantly, what you need to do about it.

Phorest.com made a basic GDPR tutorial. Have a look and download their PDF. Let me know your thoughts about GDPR. Are you GDPR compliant?

GDPR for WordPress – coming soon!