What is the GDPR?
The GDPR (European General Data Protection Regulation) is an EU regulation that protects the personal data of EU residents. It comes into effect on May 25th, 2018.
It will replace the Data Protection Directive (“Directive”), which has been in effect since 1995.
It is really important that you have control and clarity over how your data is used and protected by any organisation you interact with.
The GDPR imposes requirements on organisations that collect and/or process personal data. This includes a requirement to comply with six key principles:
-Transparency on the use and handling on personal data
(Keep reading to view how I handle and use your personal data)
-Ensuring personal data is limited to legitimate and specific purposes
(I outline below the purpose that I use your data for – basically, the only data I collect and use is the exact data required to photograph your wedding)
-Ensuring personal data storage and collection is limited to specific and legitimate purposes
(I outline below how I store your data, what it is used for (wedding photography) and for how long it is stored)
-Enabling people to request the deletion of their personal data
(You have the option to delete your data from my systems, however I would not recommend this prior to me photographing your wedding, as I need this information to be able to do my job)
-Ensuring that your data is protected via appropriate security measures
(I outline below what I do to protect your data. It involves the software I use being GDPR compliant, using strong passwords, enabling two step verification, only collecting the exact data I need in which to do my job and keeping image files stored in a locked cabinet).
Your Rights under the GDPR
The GDPR gives you rights pertaining to your personal data, which include the rights to:
-Request to be informed about your personal data
-Request access to your personal data
-Request correction of your personal data (rectification)
-Request deletion of your person data (erasure)
-Object to the processing of your personal data
-Restrict the processing of your personal data
-Have data portability (this basically gives you the right to receive personal data that you have provided to me in a structured way)
-To complain to a supervisory authority
-To withdraw consent to use your personal data
You can contact me at any time to amend, delete, or gain a copy of the personal data that I hold on you.
It is important to note that these rights do not override other legal requirements (such as the requirement to keep certain records for tax purposes).
Your privacy is important to me. I aim for full transparency on how I collect, store, use and protect your personal data (and where I store it).
What personal data do I collect, where do I store this and how do I protect it?
I only collect personal data if I have a legitimate reason to do so – for example, to communicate with you, to provide you with wedding photography services and to improve these services.
When you first enquire (via email), I ask for your email address, phone number and name. This is simply so I can contact you with the objective of responding to your wedding photography enquiry. I require a phone number because some of my emails end up in spam boxes and this is a good way to let you know that I have emailed you, however I would only contact you via phone (prior to signing any contracts and becoming a client) in the instances of you not receiving my emails.
This data is stored securely in my password protected email account (Gmail G Suite). Here is some information pertaining to how G Suite protects your data. Gmail G Suite is GDPR compliant. This data is also stored securely in the backend of my WordPress website; when you enquire via my contact form, it saves a copy of this enquiry (which includes your name, email address and phone number) in my form log.
I collect both of your full names, both of your phone numbers and your full postal address. I require full names and an address so I can put together a contract and invoice for you (necessary to secure your booking with me).
I require phone numbers so that I can easily contact you on your wedding day. I also ask for a name and phone number of an alternative person (just in case neither of you are free and I need to get hold of you on your wedding day). By giving me the name and phone number of the alternative contact, you are opting them in to receive communication from me and it is assumed that they have given you their permission to pass their details onto me. However, the only time I would contact them would be on your wedding day in direct relation to your wedding.
The software I use to manage my wedding bookings is synched with two different, password protected computers (my laptop which I take with me travelling and my iMac, which sits in a locked office) and my password protected phone. My phone is always carried on me when I am away from my locked house, meaning it is unlikely to be accessed by anyone other than me.
The last piece of data I collect on you is images of you (i.e. wedding photography images). These are stored on external hard drives, which are kept in a locked cabinet in my locked office. There is no information stored alongside the hard drives that identifies you (e.g. phone number, email address etc) other than your first name. The folders containing your images are named with your first names.
I also keep catalogs of your images securely in my Dropbox. These catalogs contain edited previews of the images (rather than the images themselves). Synching these catalogs with Dropbox ensures that my editing is backed up immediately at all times.
I also temporarily store the final selection of raw files of your wedding images in my Dropbox account as I am editing your wedding (as an additional backup), but these get deleted after I deliver your wedding.
Furthermore, I store your wedding images on the original camera SD cards until your wedding has been delivered (as an additional backup). These cards are stored in the locked cabinet alongside the external hard drives.
If I fill up a camera SD card whilst at your wedding, this requires me to change my SD cards. I always photograph the same images to two cards simultaneously (as an additional backup of the photos), so one card (containing your images) gets carried in my bag (on my person) for the duration of your wedding, and the other card (containing a duplicate/backup of these images) is stored in my camera bag.
My camera bag is generally locked away or out of sight of the wedding guests.
I feel that having a copt of your images on me and a duplicate copy in my bag is the best way to protect your photos from being lost. The SD cards just contain your wedding images and no other data.
I also use a piece of software called Shootproof to deliver image galleries to you. This means that you can easily download your edited images. I use this to deliver image galleries to you, so that you can easily download your edited images. Your images stay in these galleries for at least a year (as per your contract). These galleries are generally password protected and a pin code is required to download the images.
The only personal information stored alongside these files is your first names. I also occasionally use Shootproof to generate invoices and contracts, meaning other data stored in Shootproof can be your full names, address, phone numbers and email addresses.
Shootproof also has the option to adjust the privacy settings of your images in your online gallery. They are generally password protected and can be viewed by others.
I will not use this data (full names, postal address, phone numbers and email addresses) for any purpose other than for your wedding photography.
How do I use this data?
In general terms, your data is only used for the specific task of photographing your wedding. It is required to perform the contract we enter into and for completely legitimate means. Furthermore, it is used to comply with regulatory and legal obligations.
Your personal data is used to:
-Ensure your wedding is photographed in a way that is consistent with the images on my website
-Send you updates and to communicate with you about information relating to your wedding
-Comply with regulatory and legal obligations
-Resolve any disputes
-Provide customer service to you.
If you sign up to my mailing list or opt-in to receive information from me about special offers, sales and competitions (marketing information), then your personal information (in the form of your name and email address) will be used to send you promotional messages, advertising, information I might feel is of interest to you, information on competitions and other marketing information.
I will not sign you up to these emails, instead you will specifically need to opt-in and you can unsubscribe at any time.
Who do I share your data with?
Your data (email address, full name, postal address, phone number) is not shared with third parties (with one exception – explained below).
The only situation where I might have to share a phone number or email address would be if there was a second photographer for your wedding, or where there is a legal requirement to do so (such as for tax or insurance purposes). The second photographer would need your phone number and/or email address to be able to get in touch with you on the wedding day itself. I would seek your consent prior to passing this information on and I would only give the minimum amount of information needed for your wedding photography coverage.
I may share your wedding images on my website, social media channels and might enter them into the odd competition. Your images also might be published on external blogs separate to this website.
However I will ensure that you opt in to your images being shared at the point of booking and the only purpose for sharing these would be so that future wedding photography clients can see my photographs (to get an idea of my style) when they are booking their own wedding photography.
I will not publish any images that you do not want on the internet. There is also the option of having images on my website without any identifying details (such as your first names). The only information that I would share on my website accompanying your images would be your first names.
I might also share full galleries of selected weddings in Shootproof to show prospective clients what an entire wedding looks like.
How long do I retain your data?
If you have booked me as your wedding photographer, then I will keep your details (email address, phone number, postal address at the time of booking your wedding photography and full names) in my email archive indefinitely (Gmail G Suite and Polymail). This information will be stored securely (protected with passwords which are changed regularly and two step verification via my phone number) and will never be shared with third parties.
You can request to remove this information at any time – this will mean deleting all emails between us. The reasons for keeping these records is for the purpose of getting in touch with you in future regarding your wedding photography.
Your contracts and invoices (which contain your full names and postal address) will be kept in my Dropbox for at least five years. This is a requirement of HMRC for tax purposes. This information will be held securely.
Your information gets deleted from Wunderlist around once per year.
Your contracts get deleted from Signable around once every 2 years.
The raw files of your wedding images are stored in Dropbox for around 12 weeks (as I edit them).
All of the raw files of your wedding images are stored on the original camera SD cards for around 12 weeks (as I edit them).
The final selection of raw files of your wedding images gets stored on external hard drives (kept in a locked cabinet) for at least one year after your wedding date, as an additional backup method.
Your edited wedding images are stored in Shootproof for at least one year – you can access these at any time.
What data breach procedures do I have in place?
In the unlikely event of a data breach, I have a procedure in place to ensure you are maximally protected.
I will notify any customers of any data breaches within 72 hours of learning of this data breach. I will communicate with you via email on this matter.
Do I receive data from any third parties?
No. I only use data given to me directly for the sole purpose of photographing weddings.
In what way am I committed to being GDPR compliant?
-I am committed to complying with the ICO on any data security matter
-I have an action plan in place in the event of a data breach
-I will ensure people give their consent regarding information given to me
-I will not share data with third parties without consent (with the exception of second photographers (or when the data is required to do the job I am hired to do) and for legal and insurance purposes).
Blog post comments on this website
If you leave a comment on one of my blog posts on my website, the data that is shown in the comments form is collected. The IP address and browser user agent string is also collected to help detect spam.
After I approve your comment, your profile picture alongside your comment is visible to the general public.
If you leave a comment, this comment (and associated metadata) are retained indefinitely. This is so follow up comments can be approved automatically instead of being held in a moderation queue.
You are able to request the deletion of blog post comments and data associated with these at any time.
Comments may be checked through an automated spam detection service.
A cookie is a small file that is placed on your computer/phone/device. It is possible to refuse acceptance of cookies via the settings on your phone/internet browser.
If you make a blog post comment, this might mean that you opt-in (through your browser) to saving your name, website and email address in your cookies. If you go to fill in your email address and it already pops up (for general convenience), this is a good indication that this information is stored in your cookies. These cookies last for one year.
I also use Google Analytics cookies and the Facebook Pixel (for the purpose of advertising and retargeting).