What is GDPR?
From the 25th May 2018, a new law called The General Data Protection Regulation (GDPR) will be in effect. The GDPR is the most important change in data privacy laws in the last 20 years and specifies how consumer data should be collected, used, and protected. It also clarifies what individuals’ rights are concerning their own personal data.
You can find out more about GDPR here.
Online Picture Proof: Committed to GDPR compliance
Online Picture Proof is committed to protecting the personal data and privacy of our users and their customers. We have updated our product and added new tools in order to ensure compliance with GDPR regulations.
Please see below some FAQs and a helpful guide for our customers regarding GDPR.
What rights does GDPR provide to individuals?
There are several rights an individual may exercise under the GDPR, including:
1. RIGHT OF ACCESS – This means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
2. RIGHT TO BE FORGOTTEN – If consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
3. RIGHT TO DATA PORTABILITY – Individuals have a right to transfer their data from one service provider to another. The transfer must happen in a commonly used and machine-readable format.
4. RIGHT TO BE INFORMED – This covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt-in for their data to be gathered and consent must be freely given rather than implied.
5. RIGHT TO HAVE INFORMATION CORRECTED – This ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
6. RIGHT TO RESTRICT PROCESSING – Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
7. RIGHT TO OBJECT – This includes the right of individuals to stop the processing of their data for direct marketing. There are no exceptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
8. RIGHT TO BE NOTIFIED – If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.
Does GDPR apply to me as a Photographer?
In short, yes. GDPR applies to all small or large businesses / organisations (e.g. sole traders, Ltd companies, etc.) involved in processing personal data (names, email addresses, phone numbers, etc.) about individuals within the European Economic Area (EEA).
Each individual organisation needs to evaluate its data practices against the new regulations and ensure compliance.
How is Online Picture Proof preparing for GDPR?
We’ve updated our product and added new tools in order to ensure compliance with GDPR regulations for us and for our customers:
1. A new Cookie Control option has now been added and is live in all EU customers' accounts.
New GDPR compliant cookie banner and cookie control settings are now displayed to all visitors when they visit your OPP website or proofing gallery.
This new control allows your visitors to set their website Cookie preference as they wish. This is now live for all EU account holders.
2. New Consent Check-boxes added to gain customers' EXPLICIT permission to receive updates regarding your business
Under GDPR, if you wish to send a customer marketing emails, that customer needs to provide you with their EXPLICIT consent. Consent must be specific, and you must have a record of when you obtained that consent.
In order to achieve this, we have now added new Consent Check-boxes to gain customers' explicit permission to receive marketing emails from you.
Now when your customers contact you using one of the forms on your OPP website or when they place an order they have an option to give you their consent to receive marketing information from you.
The following consent check-boxes have been added to your account:
a. New Consent Check-box added to the website contact form
A new simple consent check box has been added to the website contact form which allows visitors to opt in for you to send them emails.
b. New Consent Check-box added to the client’s albums order form
A new simple consent check box has been added to the client’s albums order form which allows visitors to opt in for you to send them emails.
c. New Consent Check-box added to the website calendar enquiry form
A new simple consent check box has been added to the website calendar enquiry form which allows visitors to opt in for you to send them emails.
d. New Consent Check-box added to the “Require Email to view Clients Album” box
A new simple consent check box has been added to the “Require Email to view Clients Album” box which allows visitors to opt in for you to send them emails.
3. New Delete Email option has been added for the email addresses that have been collected from the “Require Email to view Clients Album” option
This option will allow you to delete your customers' emails if needed.
4. SSL Security
The client albums and shopping cart utilize SSL security and all online payment information is taken by PayPal on their secure servers. We are also in the process of implementing HTTPS (SSL) on all pages of our customers' entire websites at no extra cost.
5. Privacy Policy link in website footer
The cookie policy tool in the control panel will now allow you to insert a privacy policy link in your website or proofing gallery footer. Simply create a privacy policy page in your website and, from the "Manage Website" section, click on "Seo and marketing > Cookie & Privacy Policy" to insert the privacy policy page link in your website footer.
6. We have updated our Privacy Policy
Our Privacy Policy is being updated to ensure that it is GDPR compliant. We will make the new policy available on the website no later than May 25th, 2018.
Some GDPR responsibilities for you as a Photographer
1. Only store customer data required to conduct your business.
2. Don’t keep customers’ data longer than necessary. Any personal data which is no longer required by law or to run your business should be deleted.
3. Do not share information collected from clients without their express consent.
4. Obtain consent from existing email subscribers.
Under GDPR you must have users' consent before you send any marketing information to them. You need to have your existing EU email subscribers give you explicit permission to continue emailing them after 25 May 2018.
Many email marketing providers such as “Mail Chimp”, “Constant Contact” etc. offer the double opt-in process.
5. Request explicit (active) consent of every visitor before any data collection takes place.
6. You must provide your customers with the right to opt out of direct marketing of their data.
7. Ensure that you have parental / guardian consent for processing children’s data.
8. We also recommend you obtain consent from your clients to upload photos.
9. Inform your clients of any known data breaches as soon as possible.
10. Have a means for your customers to request access and view the data that you have collected about them.
These requests must be executed at the latest within 1 month of the request. (You can process these requests manually and provide this information in electronic format e.g. PDF file etc.).
11. Have a clear and accessible GDPR-compliant privacy policy on your website.
As part of your journey to GDPR compliance you'll need to update your privacy policy (or create one if you don't have a policy already). According to the ICO, the policy should have clear, straightforward language and adopt a simple style that your audience will find easy to understand.
Please refer to the ICO guidelines which can be accessed from this link. There are many privacy policy templates available online and you should use one of them according to your business’s needs.
You may want to use the Privacy policy attached as a guide.
Disclaimer - It is your responsibility to modify the policy before you start using it to make sure it covers all aspects of your business and complies with all applicable laws including GDPR. We do not take any responsibility for its contents.
Data Ownership
OPP owns and is responsible for photographers’ data. Photographers are the owners and are responsible for their customers' data.
Our hosting and data partners
Our servers are hosted by the world's top hosting companies including Amazon Web Services (AWS) and Liquid Web LLC. Both providers are GDPR compliant and also certified under the EU-US Privacy Shield and covered under this certification.
To learn more about our hosting partners please see the links below:
https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/
https://www.liquidweb.com/about-us/policies/certifications/
How you can protect your account data
You are in control of your account security. Use good security practices to protect your account data.
Secure your password
Here are some helpful tips for keeping your password secure:
- Do not reuse passwords across multiple accounts.
- Never share your password.
- Always log out from your admin panel when you use a shared computer.
- Create a strong password - passwords should be at least 8 characters long, contain at least one number, one uppercase letter and at least one special character
- Use comprehensive security software and keep it up to date.
It is good practice to change your account password at least once every six (6) months.
What photographers' account data does OPP hold?
- Account holder Name
- Account holder Email(s)
- Account holder Account Password
- Account creation date, time and IP address
- Account holder System stats including browser used, operating system, device information and Last login date and time
- Account holder subscription history
- Account holder billing address
- Account holder business address and phone number(s)
- Account holder Paypal email address
(We do not store any payment details. Your VISA / MASTER card details are securely stored either with STRIPE or WORLDPAY or Paypal).
- Customers Order history
- VAT / Tax id
What data does OPP hold on my customers?
- Customer Name
- Customer Email
- Customer Phone Number
- Order Details
- Shipping Address
- Website form submissions
What is the Process for data disclosure?
You may request a copy of your personal data in an electronic format. We will respond to your request within 1 month by providing a link to a location where the data can be downloaded.
1. Fill in the Support form in your Online Picture Proof control panel and request the information that we hold.
2. Online Picture Proof will send you an email to confirm the information we store.
What is the process for deleting the data OPP holds?
Deletion of your customers' data
Your customers can request that you delete their information under the “Right to be forgotten” clause – i.e. everything on that individual will be totally deleted.
OPP has provided you with the tools to permanently delete your customers' data held online in our system.
However, you also need to make sure that when you receive any such requests you also delete any data you hold locally at your end (e.g. data stored in your computers, offline records, your emails, any backups you hold, etc.) and only keep the data that is required by law to run your business.
You can easily delete the following customer data that is held in your Online Picture Proof account:
1. Customers Order Information:
Customer information that is obtained when your customers place an order.
You can permanently delete any order details from your online admin panel under the “View Orders” page.
2. Customers Favourite Information:
Customer information that is obtained when your customers send you their favourite images.
You can permanently delete any favourite order from your admin panel under the “View Orders” >> “View favourite” page.
3. Website Contact Form entries:
Customer information that is obtained when your customers fill in your website contact form.
You can permanently delete any website contact form entries from your online admin panel under "Manage Website" section.
4. Website Calendar Booking Form entries:
Customer information that is obtained when your customers fill in your website calendar booking form.
You can permanently delete any website calendar booking form entries from your online admin panel under "Manage Website" section.
5. Client Online Albums:
You can delete any customers' online private albums from your online admin panel under the “Manage Albums” section.
Deletion of your account data
You may request to close your account.
1. You can send us your account deletion request by using the Support form in your admin panel. Fill in the Support form in your Online Picture Proof control panel and request your account to be deleted.
2. Online Picture Proof will close the account and delete any information we hold. Please note that while data will be removed visibly from our site, we may retain some information in our internal database required by law.
3. Online Picture Proof will send you an email to confirm that your data has been deleted. It may take up to 30 days for account data to be deleted. After deletion, you will no longer be able to access your account and your account will be unrecoverable.
Questions?
Feel free to reach out to us if you have any questions about the GDPR.
Disclaimer:
This article provides an overview of photographers’ responsibilities under GDPR, but is not intended, and should not be taken, as legal advice. For more information please visit the following websites:
Information Commissioner’s Office website