Skip to content

Best Practices for GDPR Compliance when Using Images of Employees

13. May 2022

Images of your staff are the best way to show the human side of your business, whether you’re promoting the company internally or externally. However, the General Data Protection Regulation act (GDPR), which came to force on May 25, 2018, has introduced a number of complications and many businesses are still experiencing difficulties with inefficient processes. In this article, you will discover how to ensure that the way your organization handles images of employees is compliant with the GDPR, and how this can be done most efficiently.

If you've seen our GDPR Checklist for Images, you'll already be familiar with the 6 steps that every organization should consider when storing and using images of people. However, the biggest challenge to an organization's GDPR compliance and use of images is Article 17 - the Right to Erasure.

What is the Right to Erasure?

'Sometimes referred to as the 'Right to be Forgotten’, this is the right of an individual to request that an organization erases all their personal data.

As photographs can constitute personal data under the GDPR, this means organizations must be able to quickly and easily remove all images where the individual can be identified. Failure to do so means failure to comply with the GDPR and Article 17, and the fines for breaching compliance can be seriously damaging. For most businesses, Article 17 poses an extremely difficult, time-consuming manual task when it comes to images - like finding a needle in a haystack, but worse!

Who does this affect?

The marketing and communications teams are the main people impacted, with employee photos often used on the company website, internal and external presentations, marketing campaigns, and in collections for the press. Meanwhile, HR departments are also affected by their use of these images to produce things like employee identification cards. Essentially, any department that has produced or used images of employees will be impacted.

But before we delve into how organizations can ensure they comply with the GDPR and Article 17, it’s important that we first look at why Article 17 causes difficulties for those who create, manage, or use photos of employees.

What are the challenges?

Let's say someone has exercised their Right to Erasure - perhaps a former employee who, understandably, doesn't want their image used by the company anymore. Where do you begin?

Finding the images

Firstly, you need to find the files in question, a challenge that may be particularly difficult depending on how many locations your organization uses to store them. You might be using a combination of tools, including cloud-sync storage such as Dropbox, Google Drive, Box, SharePoint, or One Drive. Perhaps you use multiple hard drives for all your photos, or maybe they're stored on a local system with everything else. Simply knowing where to look can often be the first challenge for many businesses.

Navigating through folders

Once you’ve figured that out, you might experience another challenge: Namely finding out that the files are stored in folder structures, which can be challenging to navigate within. When storing files in this manner, you'll need to know specific information about them prior to actually browsing through the folders. To search efficiently, you must, for example, know the answers to questions like:

  • If the folders are organized by date: do you know when the photos were taken?

  • If the folders are organized by category: can you remember the folder names and search for them?

  • Which folder(s) do you need to go through to get to the right sub-folders with the photos?

  • How many different sub-folders are you looking for?

Identifying the person(s) photographed

Even if you find the correct folder, the most important question still remains:  How will you identify the individual you’re looking for in the photos?

Photos with file names like 2020_01_9542.jpg or Employee_Photoshoot_3874.jpg won’t be much help! Smaller organizations will have an advantage here of course - if you know the individual you can recognize their face in the photos for starters. But, what if you don’t know them? How can you identify an individual whose personal data you need to erase from your systems if you don't know what they look like?

Regardless of how many photos you may need to search through, this is an extremely painstaking task - yet it's a standard procedure for so many organizations.

Finding and removing published content

Once you've been able to locate all the photos that are stored of the specific individual, one important question remains: Are any of the photos published on other platforms or sites? If so, these need to be taken down as well.

How can you efficiently comply with Article 17?

When a request for Article 17 comes in, your organization will have one month to respond to it. You need to be certain that you can quickly and easily find photos of the individual who has exercised their Right to Erasure. The key to this is a little thing called metadata.

Every photo that is ever captured will have metadata on it such as the date it was taken, the camera model, and the size of the file. But what if you could add more kinds of metadata, to give every single file more information, and then search for those files based on that additional metadata? This is entirely possible! It’s actually the whole point of Digital Asset Management (DAM) systems, which aim to provide a single, central source of truth for an organization’s files by making them easier to find, share, and reuse by tagging them with metadata.

img-blog-GDPR-fotoware-screenshot-Employee Photos

The FotoWare Digital Asset Management system shows searchable metadata tags on an image of an employee

How to use Digital Asset Management for GDPR:

In our article Is your use of employee photos GDPR compliant? we established that obtaining consent from employees is absolutely essential before taking photos. So, what if you could create a unique identifier for each employee’s consent form and attach that ID to the photo as a metadata tag? This would enable you to:

a) know whether they have given their consent for a photo
b) identify that they are actually in that photo

This means that when you’re faced with a former employee exercising their Right to Erasure you can simply search based on the ID you have added, and find all their images. Simple!

Now, this does involve some work to tag the photos, of course. But it will certainly save you time in the long run. In fact, you’ll feel the benefits much sooner than that. The next time you or your colleagues in the marketing and communications department need to find a photo featuring a specific person, you’d be able to search using the additional metadata you’ve attached to the file - not only when you need to comply with a request to erase personal data!

LEARN MORE: How to Collect and Manage Image Consent Forms in FotoWare



FotoWare empowers organizations to be GDPR-compliant through proper use of its Digital Asset Management system, and cannot advise on any legal aspect of the GDPR. FotoWare makes no representation, warranty or guarantee of GDPR-compliance when using the product.