I am not a professional photographer, by that I mean I don’t do work commercially for pay. I like to think my images are of a decent quality but these days its just for fun and just for my own enjoyment.
I had a very interesting event recently relating to GDPR that has given me a great deal of food for thought and some new challenges too for all kinds of photographers. GDPR may effect more than just our websites and here is why.
Back when I was first learning the craft I am not afraid to say I did quite a lot of TFP shoots. It was a great way to practice whilst allowing models and makeup artists to practice too. I know there are some that hate TF and all it stands for but I look back on it as friends practicing together. I almost always used a model release form, making it clear that the photos were provided to the model for personal use in exchange for permission to me use them. It did in theory give me means to sell them as stock etc but I never did. Some of the early shoots when I wasn’t aware of such things I probably didn’t get a release.
Fast forward to GDPR go live day and I received something I didnt expect as a hobbiest photographer, a GDPR deletion request. The request was for blog posts, online images and any images I had stored on my computer.
One of my former models let’s call him Bob (not his real name), asked for blog posts to be taken down and any images deleted too. I don’t know the reasons and don’t need to know. Some of my work was pretty bizarre and maybe they didnt want a new boss seeing them made up like a monster or laying in the snow?
Now as a photograper I could in theory log a legitimate interest (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/) in the image as the copyright holder, especially as I have a release form. However it will probably create conflict and may prove more difficult as a non commercial photographer to demonstrate that interest and if you have a read of the requirements you literally will need to log the interest for anything you want to cover. Sounds like a lot of work and hassle.
Of course, I opted to honour the request without any challenge. To be honest if any previous model asked me before GDPR I am sure I would have just removed the posts then too. It has really sunk home about a large part of my website being TF images and what if I received witdrawal of consent for all of them?
This one request also created a lot of work, including removing indexing from google, portfolio websites and trying to report copy websites who had stolen my images and posts. All in all, about 4 hours of my time spent so far dealing with just one request.
With hindsight I should maybe have had a clause for when consent is withdrawn but I never could have predicted GDPR back then. The alternative is to challenge on the above basis but that will be a lot of discomfort and extra work for all parties.
Ironically because I had deleted the images, when I discovered external copies of my website it was harder to prove the images were mine (fortunately it had a watermark on it) and get them taken down.
So this brings me onto the point of this article, and it’s that of GDPR and it’s impact on our day to day processes. We need to consider the potential impacts on how we deal with these requests and the time it will take are potentially long.
The very real reality is this legislation could create a lot of work for small businesses that don’t always have capacity to deal with new admin that hurts income, rather than helps it.
I am not going to make statements about how to deal with it because to be frank I am still unsure and am no expert. I am sure as you read that you thought of ways you might approach it. I just wanted to make you aware if you haven’t had any requests yourself that they may come and only with advice from the ICO can we truly be sure on the way forward.