5 things you should know about GDPR for images
Whether you work in retail, education, healthcare, or something else entirely, you’ve likely heard about the General Data Protection Regulation (GDPR). Enacted by the EU in Spring 2018, the regulation aims to protect the fundamental rights and freedoms of individuals related to the protection of their personal data and its processing.
No matter the industry, almost every organization has to take the GDPR into consideration when gathering or managing any form of personal data, including images in which a person can be identified. It’s no secret that this can make your internal processes quite cumbersome, as many organizations use images of people for marketing and other purposes.
In this article, we’ll take you through 5 key facts about GDPR for images.
#1 Personal data includes images
According to the European Union, personal data refers to all information that relates to an identified or identifiable living individual, and also includes pieces of information that can lead to the identification of someone when collected together. This means that assets like images and videos can also fall into this category, and may result in GDPR breaches if not managed correctly.
Today, images are everywhere - on an organization’s website, social media pages, marketing campaigns, and much more, often featuring people. With the rise of advanced technologies like Artificial Intelligence and Cognitive Services, facial recognition and image searches are more efficient than ever, resulting in most visuals containing individuals being classified as personal data.
#2 Consent must be documented when storing or managing personal data
According to Article 7, the data controller should be able to demonstrate that consent has been given when processing personal data. This means that when storing, managing, or using images or videos featuring identifiable persons, you must be able to document that they have granted prior consent.
The featured individual also has the right to withdraw their consent, meaning that you can be forced to change the consent status of all visuals relating to them. This can be a cumbersome process, as the content may be stored in different folders and drives, making them difficult to find. Additionally, everyone you store images of must know what they’re consenting to and be informed of this right, which can be difficult to document if you’re relying on informal agreements.
#3 Individuals have the right to be erased
Just as individuals have the right to withdraw their consent, they also have the right to be forgotten, meaning that they may demand that you unpublish and delete all their personal data immediately. It’s not uncommon to use the same visuals across many different sites and platforms, oftentimes leaving marketing teams with a massive clean-up process should someone withdraw or change their consent.
#4 The term ‘data controller’ encompasses a wide variety of actors
The person(s), public authority, agency, or other body that, either alone or jointly, determines the purposes and means of the processing of personal data is referred to as the ‘Controller’ by the EU. As you may have noticed, the definition is rather broad and may encompass anyone who’s working with the data, including private individuals as well as enterprises. This suggests that people managing personal data can be held personally accountable for GDPR breaches, which has already happened in a German court in early 2022.
Over the past few years, we’ve witnessed an increased focus on personal privacy that shows no signs of slowing down. Therefore, it’s likely that the German court case is just one of many that apply a broader definition to the term ‘Controller’. This may result in high-level professionals being held accountable for breaches that result from poor personal judgment or a failure to abide by internal routines.
Having rules for data management is, therefore, not sufficient for effective GDPR compliance. A modern organization should also ensure that it’s easy for employees to follow them, since mistakes are often made when the established processes are too inefficient.
#5 Being GDPR compliant with images is possible
After reading this, you may be thinking that ensuring GDPR compliance with your images is close to impossible. Fortunately, that’s not the case.
As the world becomes more complicated, so does technology, and we’re now at a place where many processes can be streamlined or automated. At FotoWare, we help several enterprises ensure GDPR compliance for their visuals, establishing effective routines for media management across the entire organization.