How to Ensure GDPR Compliance when Using Images of Employees
Images of your staff are the best way to show the human side of your business, whether you’re promoting the company internally or externally. However, the General Data Protection Regulation (GDPR), which came into force on May 25, 2018, has introduced a number of complications, and many businesses are still struggling with inefficient processes. In this article, you will discover how to ensure that the way your organization handles images of employees is compliant with the GDPR, and how it can be done most efficiently.
If you've seen our GDPR Checklist for Images, you'll already be familiar with the 5 steps that every organization should consider before a photograph is even taken. However, the biggest challenge to an organization's GDPR compliance and use of images is Article 17 - the Right to Erasure.
What is the Right to Erasure?
Sometimes referred to as the 'Right to be Forgotten', this is the right of an individual to request that an organization erases all their personal data. As photographs can constitute personal data under the GDPR, this means organizations must be able to quickly and easily remove all images where the individual can be identified. Failure to do so means failure to comply with the GDPR and Article 17, and the fines for breaching compliance can be seriously damaging. For most businesses, Article 17 poses an extremely difficult, time-consuming manual task when it comes to images - like finding a needle in a haystack, but worse!
Who does this affect?
The marketing and communications teams are the main people impacted, with employee photos often used on the company website, internal and external presentations, marketing campaigns, and in collections for the press. Meanwhile, HR departments are also affected through their use of these images to produce things like employee identification cards. Essentially, any department that has produced or used images of employees will be impacted.
But before we delve into how organizations can ensure they comply with the GDPR and Article 17, it’s important that we first look at why Article 17 causes difficulties for those who create, manage, or use photos of employees.
What are the challenges?
Let's say someone has exercised their Right to Erasure - perhaps a former employee who, understandably, doesn't want their image used by the company anymore. Where do you begin?
Well, that depends on how many locations your organization stores its files in. You might be using a combination of tools, including cloud-sync storage such as Dropbox, Google Drive, Box, SharePoint or OneDrive. Perhaps you use multiple hard drives for all your photos, or maybe they're stored on a local system with everything else. Simply knowing where to look can often be the first challenge for many businesses.
Once you’ve figured that out, a new challenge awaits. Everything is probably stored in folder structures, which can be difficult to navigate. This means you need to know some specific information about the files you’re looking for, prior to actually browsing through the folders in order to find the photos. To search efficiently, you'll need to know the answers to questions like:
- If the folders are organized by date: do you know when the photos were taken?
- If the folders are organized by category: can you remember the folder names and search for them?
- Which folder(s) do you need to go through to get to the right sub-folders with the photos in?
- How many different sub-folders are you looking for?
Let’s take a step back for a second, though - how will you identify the individual you’re looking for in the photos? Photos with file names like 2020_01_9542.jpg or Employee_Photoshoot_3874.jpg won’t be much help! Smaller organizations will have an advantage here of course - if you know the individual you can recognize their face in the photos for starters. But what if you don’t know them? How can you identify an individual whose personal data you need to erase from your systems if you don't know what they look like?
Regardless of how many photos you may need to search through, this is an extremely painstaking task - yet it's a standard procedure for so many organizations.
How can you efficiently comply with Article 17?
When an Article 17 request comes in, your organization will have one month to respond to it. You need to be certain that you can quickly and easily find photos of the individual who has exercised their Right to Erasure. The key to this is a little thing called metadata.
Every photo that is ever captured will have metadata on it such as: the date it was taken, the camera model, and the size of the file. But what if you could add more kinds of metadata, to give every single file more information, and then search for those files based on that additional metadata? This is entirely possible! It’s actually the whole point of Digital Asset Management systems, which aim to provide a single, central source of truth for an organization’s files by making them easier to find, share, and reuse through tagging them with metadata.
[Image: FotoWare Digital Asset Management system, showing searchable metadata tags on an image of an employee]
How to use Digital Asset Management for GDPR:
In our article Is your use of employee photos GDPR compliant? we established that obtaining consent from employees is absolutely essential before taking photos. So, what if you could create a unique identifier for each employee’s consent form and attach that ID to the photo as a metadata tag? This would enable you to:
a) know whether they have given their consent for a photo
b) identify that they are actually in that photo
This means that when you’re faced with a former employee exercising their Right to Erasure you can simply search based on the ID you have added, and find all their images. Simple!
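The search described above can be sketched in a few lines. This is an added example, not FotoWare's code: it assumes each consent form ID is written into the image's embedded XMP packet as a dc:subject keyword of the form "consent:<ID>", and the IDs, folder names and image bytes are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Assumed convention (not from the article): a consent form ID is stored as an
# XMP dc:subject keyword "consent:<ID>". All IDs and paths below are constructed.
PREFIX = "consent:"
RDF_LI = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}li"
DC_SUBJECT = "{http://purl.org/dc/elements/1.1/}subject"
# Only the root element is extracted, so a DOCTYPE (and any entity
# declarations) in an untrusted file never reaches the XML parser.
XMP_PACKET = re.compile(rb"<x:xmpmeta\b.*?</x:xmpmeta>", re.DOTALL)

def consent_ids(image_bytes):
    """Return the consent IDs tagged in an image's embedded XMP packet."""
    match = XMP_PACKET.search(image_bytes)
    if match is None:
        return set()
    try:
        root = ET.fromstring(match.group(0))
    except ET.ParseError:
        return set()  # damaged packet: treated the same as an untagged file
    keywords = ((li.text or "").strip()
                for subject in root.iter(DC_SUBJECT) for li in subject.iter(RDF_LI))
    return {k[len(PREFIX):] for k in keywords if k.startswith(PREFIX)}

def erasure_report(files, consent_id):
    """Sort files for one erasure request; `files` maps path -> image bytes."""
    report = {"erase": [], "shared": [], "untagged": []}
    for path, data in sorted(files.items()):
        ids = consent_ids(data)
        if not ids:
            report["untagged"].append(path)  # an ID search cannot see these
        elif consent_id in ids:
            # "shared": the photo is also tagged with other people's IDs
            report["shared" if len(ids) > 1 else "erase"].append(path)
    return report

def sample_jpeg(*keywords):
    """Constructed test data: JPEG-like bytes wrapping a minimal XMP packet."""
    items = "".join(f"<rdf:li>{k}</rdf:li>" for k in keywords)
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/">'
           '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/"><rdf:Description>'
           f'<dc:subject><rdf:Bag>{items}</rdf:Bag></dc:subject>'
           '</rdf:Description></rdf:RDF></x:xmpmeta>')
    return b"\xff\xd8" + xmp.encode() + b"\xff\xd9"

SAMPLE_FILES = {
    "web/2020_01_9542.jpg": sample_jpeg("consent:CF-0042", "portrait"),
    "press/Employee_Photoshoot_3874.jpg": sample_jpeg("consent:CF-0042", "consent:CF-0107"),
    "hr/badge_0107.jpg": sample_jpeg("consent:CF-0107"),
    "archive/scan_001.jpg": b"\xff\xd8\xff\xd9",
}
```

The "untagged" list matters as much as the matches: any file without a consent ID is invisible to this search and still has to be reviewed by hand.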
Now this does involve some work to tag the photos, of course. But it will certainly save you time in the long run. In fact, you’ll feel the benefits much sooner than that. The next time you or your colleagues in the marketing and communications department need to find a photo featuring a specific person, you’d be able to search using the additional metadata you’ve attached to the file - not only when you need to comply with a request to erase personal data!
To save even more time, you can even integrate FotoWare with Microsoft Cognitive Services to use facial recognition and train the system to identify your employees. Whenever you upload a new batch of photos it will recognize your employees and automatically tag them for you!