I consider internet users' privacy and data protection to be really important, so let's talk about what I do (or don't do) to stay GDPR compliant. 'What's GDPR?' you ask? The General Data Protection Regulation (GDPR) comes into effect as of May 25th 2018, and effectively gives you lots of control over your personal data - in particular your digital personal data (i.e. anything you do online). My website, and anything in relation to the processing of personal data supplied to me by users (that's you!) and other personal data in my possession for any reason, must be GDPR compliant. I have done my very utmost to ensure that it is, and I have put this policy in place to assure you of the ways I use your data.
I collect personal information about you, such as your name, email address (so I can reply to your enquiry), telephone number (so I can text you briefly to let you know my reply hasn't gone awol!), date of your wedding or event (so we are on the same page about your enquiry), and I also like to know a bit more about your plans (don't worry - I won't share your soppy love story with everyone!) During the enquiry stage, this is only information that you voluntarily provide to me. For example, I may receive personal information about you when you send me an email through my website's contact form. Later, if you decide to book, further information will likely be required so that I can do my job! This is information such as your address (so I can send you your contract and lovely photo delivery!), the address/es for your event location (so I know where to photograph!), names of your friends and family (helpful for weddings - if you'd prefer, just refer to people as 'aunt and uncle' for example) and any other personal things you might like to tell me. I collect this information via an online form, which you won't have the link to unless I send it to you and I only send you this link once you've booked, so that I collect as little personal data as possible, and only when necessary. All of this information is retained for a minimum of six years and a maximum of twenty years. Why six years? The legal minimum I have to keep information (for tax return purposes) is six years - both in digital form and in paper form (but that's more relevant to me and my receipts!). Any paper-based information is stored in a folder which I lock away if I am not at home. I do not sell any personal information I receive through my website to any third party (such as Facebook, email or Instagram) nor will I add such information to any email list I may prepare.
As of June 2018, Grace Elizabeth now has a newsletter service, offered via the GDPR compliant service MailChimp, which Grace Elizabeth ran personally. As of February 2021, Spydr, the digital agency who helped to build this website, created a new MailChimp newsletter service on behalf of Grace Elizabeth. No old data was transferred across. To sign up to Grace Elizabeth's newsletter, you must enter your first name and email address, and an email will then be sent to you automatically by MailChimp to ask you to click a link to confirm that you signed up. This is known as a double opt-in and makes sure you didn't sign up accidentally. If you do not click the confirmation link in your automatic email to double opt-in, you will not be signed up. I never use your information unlawfully, and you may unsubscribe at any time (the button is at the bottom of any email you receive from me.) I will not spam you with emails, and access to my MailChimp account is via a password which only I know.
I am happy to discuss the information I have on record for you at any time, and if at any time you request that this information be deleted, I am happy to complete this request for you. Photographic identification (such as a passport or driving licence) and proof of your current address (such as a recent utility bill) will be needed in order to confirm your identity prior to processing the removal or querying of your personal information. Please get in contact by emailing firstname.lastname@example.org for more information.
The ICO is a little unclear about what we photographers can do with photos of your face (because technically it is personal data) so I will explain my current process:
I love to share the beautiful images I take of my lovely wedding and portraiture clients, but I only do so once you have signed a contract with me. I do not undertake any work without the signing of a contract which covers many clauses to set out your expectations of me, and my expectations of you. I use Shootproof (a service which is, as of June 2018, GDPR compliant) to deliver my contracts and online galleries (if you have opted for the latter), which is a password protected online service that allows me to input the data you voluntarily give me, so that I can send you a contract, or let you into your beautiful password-protected image gallery.
In signing a contract with me, there is a clause within my contract that explains how I like to use the images I take for purposes such as social media and marketing. This usually includes posting them on social media, on my website, printing them for products to take to fairs and events, sending them to wedding blogs for publication, and showing other clients who would like to see more of my work. I do not presume that you give me your consent for this, so after you have booked, you will be linked to one of my online questionnaires (specific to whether you are booking a wedding or lifestyle session) with explicit tick boxes, where you are able to select how I may or may not use your images. Each use is clearly outlined. This data is retained in relevance to your wedding or session.
If at any stage you decide you no longer wish for me to use your images or want to alter which images I can or cannot use, let me know by contacting me at email@example.com and I will of course honour your request! For work that I do on a model call basis, or for personal projects, a contract is not required, but you absolutely must sign a model release, allowing full use of the images. If you are over 18, you may legally sign, although an adult must sign for children under 18.
I take the storage and collection of your data really seriously. I for one do not like the idea of my own data being stolen, so I have implemented various technical and organisational measures to ensure the most complete protection of your personal information, to prevent loss, misuse or alteration of this data (whether it be personal data or images - as I said, the ICO is a bit unclear about images.) However, Internet-based data transmissions surrounding third-party websites may have security gaps beyond my control, so absolute protection may not be guaranteed. For this reason, every person is welcome to transfer personal data via alternative means, e.g. by telephone. Any personal data I store about you (always digitally) is secured via unique login and password information on secured devices and online where necessary. This security information is never written down or reused elsewhere to ensure secure processing and management of your data.
From time to time, I may link to third-party websites such as wedding blogs, and other cool places, but I do not take responsibility for the content of these websites. Of the ones I do use for my business (Dropbox, Shootproof and the like), these are all becoming (if not already) GDPR compliant.