What can we do?
Ten easy steps to getting things right!
Wedding photographers, and in fact any small business, will need to start being more organised and make some changes to keep things cool and nice. Here are 10 basic, easy tips to get your GDPR project going. Ready? Let’s go!
1. Explicit Consent
Look at those sexy words! These could become the trendy hashtag of the year, because they’re probably some of the most important words you may want to start using after today.
Either via email, in a contract, on the phone, face-to-face, or you name it, businesses have to start getting used to ask for explicit consent before contacting via email or phone, filling, sharing, or storing any data from clients. For instance, if you are at a wedding fair and couples come to you asking for your services, pricing quotes, etc. you’ll need to ensure they agree to a few things first:
• That you have their permission to contact them in future
• That you can add them to your database
However, don’t think that by having ‘explicit consent’ written everywhere your business will be compliant, there are other tasks that must not be ignored.
2. Duration, Right-to-Delete and Sharing
How long are you planning to store your client’s data (including images, don’t forget about the images!) for? Either you have a data lifespan of 1, 6, or 20 years, from now on you will need to make sure that you communicate a timeframe and that you ask for consent.
For example, you may keep your couples’ details to send them a Xmas card or a card on their wedding anniversary (if you’re not doing this you’re missing a trick. It’s excellent for word of mouth marketing). Well, from now on you’ll have to inform them that you’ll be storing their data for X years. And please, if you reach the end of the agreed time period, don’t contact them. That will count as spam! Make sure you contact them to ask permission again before the time comes, or if you are not interested or don’t need the data, the best thing to do will be to delete any data linked to them and the client know.
In the same way, you may have a client who kindly asks you to delete all their information and (I know, this is hard) all the pictures you took for them, RAW files included; everything means everything. If they request this, then it will have to be done and you will need to prove that you have done so.
And what about sharing? Well, the same applies; if someone asks you not share their images or details, you will have to agree. This affects any channel (email, social media, printing) or usage at an exhibition, photography contests, etc.
3. Storage and Access
Make sure that your passwords are strong and your files are encrypted. I would recommend that, if you can afford it, have a business only computer.
If you store images in external drives, these have to be secured with encryption too and again, they must be stored in a locked space.
4. Storage Tools
You need to make sure that your information is stored in a format that you can share with clients (or auditors – oooh, yes I know, crazy!) if requested. The best way would be Numbers for Apple users or Excel for Microsoft users (or Google Drive – for more on this service see the next point), etc. You will have to make sure that the files are encrypted or password-protected and stored them in your super secured computer!
5. Google Drive
Right, this is a very interesting part and it can make your relationship with GDPR smoother. ‘Https’ sources are considered safe because https sends data over an encrypted source. That it is considered perfectly valid.
This means that you can store sensitive information in your i.e. Google Drive because it’s cloud based and appropriately encrypted. Dropbox can also be a testable option since they are also compliant with GDPR. However, be aware of cloud platforms that you don’t know or don’t share enough information about their GDPR compliance. There are many platforms selling you help for your business that are appearing like mushrooms out there, but they can actually be very risky.
You see, it’s not all bad news!
Make sure that your website holds a little corner for this important subject!
Your contracts have to match requirements too, but a few twitches will do wonders!
Firstly, try moving into digital contracts, think Adobe Digital Signatures, for example. That way the contract is encrypted, can easily be filed on an encrypted cloud and, let’s be honest, looks much nicer too.
Secondly, add a consent/permission clause. It is very important that this clause is separated from your standard terms and conditions; regardless of the decision that the client makes about how their data is going to be used in future. Terms and Conditions refer to a service agreement, and the consent/permission refers to sensitive information. For instance, a good thing to add in your consent section may be asking permission to share your photographs on any channel, including the usage in exhibitions, contests, etc.
At Cuckoo we are thinking on adding a tick box with the information, so clients can make the decision (giving consent) when ticking the box. However, you may find your own way or you may already have one in place! (If that’s the case, well done you! That’s a great start).
So you are working on your data and storage, trying to making it all compliant and GDPR friendly, but what about who has access to the data in your company?
In my experience, in this business and working for other companies, not everybody needs access to sensitive data. You may have an assistant that needs access, but it’s likely you are the only person who needs access to that information. In any case, sensitive data must only be available to those who need it in order to do their work, no one else.
9. Document Your Process
This seems a bit ‘for dummies’, but it is very important that you document how you are changing and following the processes to ensure you are caring for your client’s data.
What I am doing for Cuckoo is creating a process flow form, where I detail our new, updated, compliant, shiny WOW (way of working). A process flow will also help you to identify gaps in your process that you can then add to a to-do list to correct in the next process step.
I am also making a checklist of everything we use, and what is included in each thing i.e. email address, passwords, contracts, invoices, photo storage, etc. That way I can see what needs to be changed.