Shine Bright Photography & Booths
MENU
Shine Bright Photography & Booths
  • Home
  • About us
  • The Studio
  • IN THE BOX! Sessions
  • School Photos
  • VIP Photo Booth Hire
  • Xmas Mini Sessions
  • View your pictures
  • Gallery
  • Contact us
  • GDPR
  • |
    Home
  • |
    About us
  • |
    The Studio
  • |
    IN THE BOX! Sessions
  • |
    School Photos
  • |
    VIP Photo Booth Hire
  • |
    Xmas Mini Sessions
  • |
    View your pictures
  • |
    Gallery ▴
    • Gallery
    • SAMPLES OF MY WORK
    • GREEN SCREEN BACKGROUND SAMPLES
    • PHOTO BOOTH PRINT TEMPLATE SAMPLES
  • |
    Contact us
  • GDPR
© 2025 Shine Bright Photography & Booths  -  Cookie Policy 
© 2025 Shine Bright Photography & Booths  -  Cookie Policy 
GDPR

The New Government Data Protection Regulations And Your Photography Business.

General Data Protection Regulation (GDPR)

 

All the information below has been sourced from the Information Commissioner's Office Website.
https://ico.org.uk

 

You may or may not be aware that in May 2018 the  European union are introducing new rules that will govern how business handle their customer’s personal data. These new rules, the General Data Protection Regulation will replace the previous regulations, The Data Protection Act Of 1998.

Personal data is defined as any data, which can identify someone, such as name, date of birth, address, age and more relevantly images. Images on your website ARE classed as data for instance! So you will need a GDPR compliant model release which includes specific consent.

As many photographers work with sensitive personal data, it is important to understand the changes that are being made and steps that your business will need to take to comply with these new regulations. 

Before we get into the change in individuals rights its worth looking at some changes in definitions under the GDPR.  There are three main sections here:

  • Processing of data
  • Consent
  • Children’s personal data


 

Processing

In this instance when GDPR refers to processing it is not as we understand it the editing of an image, but refers to any operation or set of operations, which you perform on data. For instance your client’s data for marketing analysis, or a mailing list. As the person that holds this data your are referred to as the data controller.

 

Consent

Consent has changed slightly under the GDPR as you no longer allowed to automatically opt in clients to data storage or processing. This is mainly applicable if you provide a newsletter or other form of communication where currently the client would have to opt out, the client must now clearly consent to their data being processed. This does not mean that current members of a mailing list or marketing analysis will need to re-consent but it does mean that any future members will need to consent so no need to throw out your mailing list just yet!

 

Children’s Personal Data

While children’s personal data rules are being changed under the GDPR which may seem worrying on the face of it. Much of the changes will not affect children’s photographers. Many of the rules are designed to target online websites used by children, however the one section that will affect photographers, and probably something you are already doing in your business is that in order to process a child’s data you must have consent from a person holding parental responsibility, for example a model release.

The GDPR makes some changes and adds new rights for individuals.

Such as:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • And rights in relation to automated decision making and profiling, (less likely to apply to photographers this is for business’s where computers analyze information and make decision, such as a bank or insurance companies.

 

Rights to be informed.

The Right to be informed regards a business’s obligation to provide fair details of how data is used. This is typically addressed through a privacy policy. Something all photographers should now have in place.

This includes any information on how data will be processed, how long data will be held, if the information is transferred to a different country, ie is your website hosted outside of the EU. Are images being transferred out of the EU for product fulfillment such as albums etc. Are images transferred outside the EU for digital retouching these are all things that should be considered when writing your privacy policy.

 

Right Of Access

Under GDPR individuals are allowed to request access to their personal data. This includes confirmation that their data is or is not being processed. Access to personal data that you hold on them, this does not mean you have to give them all the photos if they ask, nor do you have to give them access to your studio management software, but it would just mean you would have to show them in a useable format what data you hold (See the right to Data Portability).

This information must be provided free of charge and within one month of the receipt of request. However you do have the right to refuse to respond to a request, if you do you must respond explaining to the individual why you cannot provide this. Although as a photographer I cannot see any instances where you would have good reason to refuse.

See chapter 3 section 1 article 12 #5 of the GDPR.

 

The Right To Rectification

This is simpler than previous rights, it simply states that individuals have the rights to amend or correct any details, which you have on file, which may be incorrect.

The Right to Erasure or the right to be forgotten is a right provided to consumers where by upon request a business is required to delete all personal data held by the business, providing there is no compelling reason for its continued processing. The business does in some circumstances have the right to refuse this request, for example if the data is required for completion of a contract.

 

The Right To Restrict Processing

This is very similar to the previous regulations under the Data protection act.  Individuals are allowed to request that processing is not performed on their data, unlike the right to erasure you are still permitted to hold the data you just can’t process it, i.e. use it.

 

Right To Data Portability

This right is in relation to an individuals right of access. The right of access allows an individual to request access to their data, the right to data portability allows individuals access to their data in a portable format in order to use themselves. The business is required to provide the data in a format that is portable between platforms for example a CSV file. 

 

The Right To Object.

This is related to the right to restrict processing and the right to erasure, individuals have the right to object to processing of their personal data or direct marketing, which may bring into effect their right to restrict processing or even erasure. In the case of direct marketing, ie email newsletters you are not allowed to refuse. Customers must be made aware of their right to object in your privacy policy.

 

The Right Related To Automated Decision Making And Profiling.

This should not impact many if any photographers but a brief overview is that in the case of any data procession or decision making by an automated process an individual has the right to request human intervention. For instance you put in for a loan and that process is decided by a computer, you have the right to request that an actual person reviews the decision.

 

Transfer Of Data

The GDPR much like the DPA imposes restriction upon transferring data outside of the EU. This is mainly relevant for photographers in the case of website hosting being out of the EU. You may transfer data where the business receiving the data has provided confirmation in the form of a contract or agreement that they are compliant with the GDPR. So for instance I contacted my website hosting company, Photobiz, in the US and sent them the entire GDPR document and I now have in writing (email) that they comply with the relevant regulations.

In terms of your business, what other instances are there where by you might be transferring images outside of the EU.  I have listed a few below. 

  • your website servers
  • retouching services
  • album fulfillment and design
  • purchasing of products, wall art etc, where you are uploading images online
  • if your client purchases session fees via an online store like BigCartel.
  • email marketing such as Mail Chimp
  • studio management software such as Lightblue, Tave, 17 Hats.
  • cloud storage

 

As a photographer ask yourself the following questions to gauge what you still need to do.

If you are like me and run your business single handed you are considered a data controller. ICO have a controller checklist that is very helpful: Controllers Checklist

If you are holding data on your clients even if you don't do anything with it, you are processing it. Complete the Processors Checklist here.

Asses your compliance with data protection, complete the information security checklist here.

Complete the Direct marketing checklist here.

You will need to assess your records management procedures and risk to your client's personal information. Records Management

Have your communicated your policies on your website, such a terms of use, privacy policy. Is your contact for GDPR compliant? Complete a Data sharing and subject access checklist here.

Do you have a GDPR compliant model release?

Is your insurance adequate

 

Useful Links

Suzanne Dibble is an excellent resource! Here is a link to a free GDPR Check List!

Susanne Dibble GDPR Compliance Pack.

I've actually joined Suzanne Dibbles Small Business Academy, and can highly recommend, the GDPR pack comes free with membership. There is a wealth of information in there for all sorts of business'!

Preparing For The General Data Protection Regulation - 12 Steps To Take Now - Quick view below for more information click on this link.

GDPR Overview

The whole GDPR in all it’s glory, happy reading! 

Data Audit Information

Mail Chimp GDPR Tools

Contract and Model Release Templates England and Wales

Contract and Model Release Templates Scotland

Contract and Model Release Templates Northern Ireland - Coming Soon

For any definitions of certain terms regarding GDPR please see Chapter 1 Article 4 of the GDPR. Link above

Contact Us
© 2025 Shine Bright Photography & Booths  -  Cookie Policy 

Cookie Policy

We use cookies to offer you a better browsing experience, analyze site traffic and assist in our marketing efforts. Read below about how we use cookies and how you can control them by clicking "Cookie Settings". If you continue to use this site, you consent to our use of cookies.

What are cookies

Cookies are small text files that are stored on a user's computer or mobile device. They are used for a variety of purposes, including personalising pages, remembering visitor preferences, analysing visitor behaviour, managing shopping carts and delivering targeted advertising. Cookies are used to improve the online experience of almost every website, including our own.

Types of cookies

When you use our website, the following four types of cookie may be set on your device:

Necessary cookies:
Necessary cookies are essential for the use of the features and services we offer on this website. Without these cookies, the services you want to use (such as view and buy your images) cannot be possible.

Functional cookies:
These cookies allow us to provide you with a better online experience when you use our website. They do not gather or store any information which would allow us to identify you personally.

Performance cookies:
Performance cookies collect information about how our customers use our site so that we can improve our site. These cookies collect anonymous information on the pages visited. For example, we might use performance cookies to keep track of which pages are most popular, which method of linking between pages is most effective, and to determine why some pages are receiving error messages.

Targeting cookies:
These cookies collect information about your browsing habits in order to make advertising more relevant to you and your interests. Advertising Bureau has put together a great resource for information on behavioural advertising: how it works, further information about cookies, and steps you can take to protect your privacy on the internet. For more information please visit www.youronlinechoices.com

Managing Cookies

Most internet browsers allow you to erase cookies from your computer hard drive, block all cookies (or just third-party cookies) or warn you before a cookie is stored. You can choose to restrict or block cookies through your browser settings at any time.

For more information about how to do this, and about cookies in general, you can visit www.allaboutcookies.org. Please note that certain cookies may be set as soon as you visit this website, but you can remove them using your browser settings.

However, please be aware that restricting or blocking cookies may impact the functionality or performance of our website. Some cookies on this site are essential, and the site won't work as expected without them. These cookies are set when you submit a form, view pictures, login or interact with the site by doing something that goes beyond clicking on simple links.