left explosion corner right explosion corner

Business BLOG


Besides being the business brain behind Al Loves Aida Wedding Photography, Aida is also Head of operations and sales at a major digital marketing corporation and she has a degree in Marketing and Business Management. 


Aida’s Business tips for GDPR

March 23rd 2018

The internet is packed with information about it, all businesses talk about it, all companies feel a bit tense thinking about it, but what is GDPR? What do these four letters mean, and why I should care about it as a photographer? GDPR stands for General Data Protection Regulation and let me tell you that this subject is as hot as flamingos were in 2017, and you really need to know what it means.

I’ve been working on implementing data protection in different businesses, especially in Digital Marketing, for the last few months. I’ve decided to share some easy key points about GDPR, so you can start modifying your business compliance and get ready for one of the biggest events of the year without getting scared about it!
So what is this GDPR thing that everybody talks about?
Let’s, for a moment, think as consumers. We sign up to websites, we set up profiles on Twitter, Facebook and other platforms, we buy online and store our card details, together with our name, address, and so on. You might have been bothered by telemarketing companies, or received too many emails with offers, information, news, etc. from companies you’ve been in touch with at some point in the past.
Many of you may feel harrassed by the constant barrage, and countless people have phoned, emailed or text companies to say “Please remove me from your database”.
Because consumers are so vulnerable, and because the online world is growing at an unbelievable speed, the EU Government has decided to reinforce their DPA (Data Protection Act) with a new regulation: GDPR.
This new regulation focus on data protection and the privacy of individuals within the European Union. It means that as consumers we will be better protected from those annoying calls or emails (yay!), but it also means that as business owners we will also have to make sure we are compliant and understand why we are making the changes we are making (boo!).

OK, this makes sense, but what is sensitive information?
Sensitive information is any type of data that can be used to identify an individual. This will include: name, surname, addresses, email addresses, date of birth, bank account details, phone numbers and so on. And, of course, for photographers this also means photographs.
Photographs, really? Yes, I am afraid so. Think for a second of face recognition. There are apps and platforms where you can now identify someone through an image! Spooky, eh?
Therefore this affects how information is:
Filled up

Why? It’s very simple, because our lovely clients have the right to:
Access images
Be informed (give consentment or permission)
Rectification (for clients to have their data rectified if it is inaccurate or incorrect; businesses have a month to make rectifications upon client’s’ request)
Restrict usage of images
Decide on data portability (for or against the client’s data being stored in closed platforms; usually for mailing list, databases, etc.)
Complain and object
And last, but not least, they also have the right to not be automatically added to third parties files, platforms or systems.

Why are wedding photographers affected?
Wedding photographers are affected because we store sensitive data like many other big/small business. You might see it as us just taking pretty pictures of people having fun, but every image of someone is data.
What can we do?
Ten easy steps to getting things right!
Wedding photographers, and in fact any small business, will need to start being more organised and make some changes to keep things cool and nice. Here are 10 basic, easy tips to get your GDPR project going. Ready? Let’s go!

Explicit Consent
Look at those sexy words! These could become the trendy hashtag of the year, because they’re probably some of the most important words you may want to start using after today.
Either via email, in a contract, on the phone, face-to-face, or you name it, businesses have to start getting used to ask for explicit consent before contacting via email or phone, filling, sharing, or storing any data from clients. For instance, if you are at a wedding fair and couples come to you asking for your services, pricing quotes, etc. you’ll need to ensure they agree to a few things first:
That you have their permission to contact them in future
That you can add them to your database
However, don’t think that by having ‘explicit consent’ written everywhere your business will be compliant, there are other tasks that must not be ignored.

Duration, Right-to-Delete and Sharing
How long are you planning to store your client’s data (including images, don’t forget about the images!) for? Either you have a data lifespan of 1, 6, or 20 years, from now on you will need to make sure that you communicate a timeframe and that you ask for consent.
For example, you may keep your couples’ details to send them a Xmas card or a card on their wedding anniversary (if you’re not doing this you’re missing a trick. It’s excellent for word of mouth marketing). Well, from now on you’ll have to inform them that you’ll be storing their data for X years. And please, if you reach the end of the agreed time period, don’t contact them. That will count as spam! Make sure you contact them to ask permission again before the time comes, or if you are not interested or don’t need the data, the best thing to do will be to delete any data linked to them and the client know.
In the same way, you may have a client who kindly asks you to delete all their information and (I know, this is hard) all the pictures you took for them, RAW files included; everything means everything. If they request this, then it will have to be done and you will need to prove that you have done so.
And what about sharing? Well, the same applies; if someone asks you not share their images or details, you will have to agree. This affects any channel (email, social media, printing) or usage at an exhibition, photography contests, etc.

Storage and Access
Make sure that your passwords are strong and your files are encrypted. I would recommend that, if you can afford it, have a business only computer.
If you store images in external drives, these have to be secured with encryption too and again, they must be stored in a locked space.

Storage Tools
You need to make sure that your information is stored in a format that you can share with clients (or auditors – oooh, yes I know, crazy!) if requested. The best way would be Numbers for Apple users or Excel for Microsoft users (or Google Drive – for more on this service see the next point), etc. You will have to make sure that the files are encrypted or password-protected and stored them in your super secured computer!

Google Drive
Right, this is a very interesting part and it can make your relationship with GDPR smoother. ‘Https’ sources are considered safe because https sends data over an encrypted source. That it is considered perfectly valid.
This means that you can store sensitive information in your i.e. Google Drive because it’s cloud based and appropriately encrypted. Dropbox can also be a testable option since they are also compliant with GDPR. However, be aware of cloud platforms that you don’t know or don’t share enough information about their GDPR compliance. There are many platforms selling you help for your business that are appearing like mushrooms out there, but they can actually be very risky.
You can find out more about Google Drive work to help you protect your client’s data by clicking here: Google Cloud & the General Data Protection Regulation
You see, it’s not all bad news!

Privacy Policy
Make sure that your website holds a little corner for this important subject!
You need to have a privacy policy in place where you list consent, duration of storage, usage, etc.
You are bound to have something in place already, but if you don’t this is a good opportunity to start writing one! A privacy policy on your website can be the separation between a compliant legal website and … well, anything else.
I am currently updating Cuckoo’s website privacy policy in order to match the new requirements… It’s not as exciting as editing images, but the sooner this is done the better!
If you want to read more about how you can make your website ‘legal’ click here: UKWDA – Is your website legal?

Your contracts have to match requirements too, but a few twitches will do wonders!
Firstly, try moving into digital contracts, think Adobe Digital Signatures, for example. That way the contract is encrypted, can easily be filed on an encrypted cloud and, let’s be honest, looks much nicer too.
Secondly, add a consent/permission clause. It is very important that this clause is separated from your standard terms and conditions; regardless of the decision that the client makes about how their data is going to be used in future. Terms and Conditions refer to a service agreement, and the consent/permission refers to sensitive information. For instance, a good thing to add in your consent section may be asking permission to share your photographs on any channel, including the usage in exhibitions, contests, etc.
At Cuckoo we are thinking on adding a tick box with the information, so clients can make the decision (giving consent) when ticking the box. However, you may find your own way or you may already have one in place! (If that’s the case, well done you! That’s a great start).

So you are working on your data and storage, trying to making it all compliant and GDPR friendly, but what about who has access to the data in your company?
In my experience, in this business and working for other companies, not everybody needs access to sensitive data. You may have an assistant that needs access, but it’s likely you are the only person who needs access to that information. In any case, sensitive data must only be available to those who need it in order to do their work, no one else.

Document Your Process
This seems a bit ‘for dummies’, but it is very important that you document how you are changing and following the processes to ensure you are caring for your client’s data.
What I am doing for Cuckoo is creating a process flow form, where I detail our new, updated, compliant, shiny WOW (way of working). A process flow will also help you to identify gaps in your process that you can then add to a to-do list to correct in the next process step.
I am also making a checklist of everything we use, and what is included in each thing i.e. email address, passwords, contracts, invoices, photo storage, etc. That way I can see what needs to be changed.

And final…
If you want to know more or have questions about the subject, or you just simply bloody love GDPR you can find all the official guides at the ICO (Information Commissioner’s Office) website by clicking here: ICO guide to general data protection regulation and ICO business guide to general data protection regulation.
Get your GDPR sorted
GDPR is a big change and most people get a bit anxious about change. I hope you found this post helps you understand the very basics to start taking care of your data, but also to feel it is not as daunting as it looks at first. I’m sure that in no time you will have a shiny process in place, totally compliant!
Keep in mind we have it much easier than large corporations (believe me!), and we will not be hit as badly as some business will probably be if data is lost, or compliance breached. However, you may come across difficult customers at some point in the future that will use the data card; therefore it is important to understand the change, and make sure that your business is organised and ready for the big data changes coming our way.

Share your views, ideas, questions, or any tips you are learning along the way in the comments. I am sure that many will also find it helpful!



This article is intended as a general guide to GDPR for small business marketing and wedding photography in particular. The information compiles the basics of GDPR, but is not exhaustive and it is not legal advice. In case of concerns on specific situations is always best to seek legal advice from a lawyer.


Share with friends


2 comment(s)

THIS IS EFFING amazing!!!!!
Thank you so much for providing us with such rich content. This is something I’ve been meaning to learn more about and I feel like I have just had a massive help.
Thank you, Cuckoos!

Danni says:


Do you have any comments to share?

Your email address will not be published.