You're probably aware of the widespread unease about data protection and privacy online — for example the Cambridge Analytica Facebook scandal and the other major data breaches that have been in the news so regularly.
Protecting people's data is the focus of the European "GDPR" (General Data Protection Regulation), which comes into effect later this month. It applies to everyone who does business in the EU, including us and many of our clients.
In brief the GDPR is saying that people have the right to complete control of their data, and that you, as a photographer, and we, as a hosting platform — both being in the business of gathering and publishing data — have certain obligations:
– to tell the user who we are, why we are collecting the data, who will have access to it, and how long we're keeping it for.
– to get clear consent before we collect any data (opt-out is not sufficient).
– to let users access their data, and "take it with them" (eg give it to another organisation).
– to enable users to delete their data.
– to let users know if data breaches occur.
We believe these are praiseworthy, and we will comply with them, not only in Europe but across our entire user base.
Here are a few other points to think about:
Data can only be used for the purpose you declared when it was given to you. So if you said you were gathering an email, name and address to make a sale, it's NOT permissible to then add that email to a mailing list without consent. Neither can data be shared with another organisation — so, for example, email addresses cannot be rented or sold without consent.
The above obligations extend, of course, to the relationship between you and ourselves, not just between you and your customers. Also involved are Queensberry's partners in our marketing, banking, hosting and delivery infrastructure. All are major, reputable international companies who will have their own GDPR compliance policies, and with whom we only share what's necessary to, for example, process your payments and deliveries.
Photographs are considered to be personal data, and are therefore subject to the same rules. So if, like most photographers, you publish peoples' images in online galleries, or in sample albums and other promotional materials, you must have their explicit permission to do so. You need to be particularly careful with children or sensitive subject matter (eg nudity).
What are we doing about this?
In most respects we believe Workspace already complies with these requirements, but we do need to be more transparent. We are therefore modifying Workspace to make it clear why we are gathering certain information — as one example, why we need people to login or register before they can "favourite" images for their wedding album. (In that particular case we also need to enable people to delete their registration.)
We also need to make it clear that, as a hosting platform, we depend on you, the photographer, gathering the necessary permissions before you publish public image galleries in Workspace (to avoid doubt our galleries will default to the "private" setting). We already require your assurance that you have your client's permission before using photographer images in our samples and online.
More to come on all the above! Over the coming days you may notice changes in Workspace as we give effect to these requirements. We will be publishing detailed blog articles about the changes, and look forward to your comments and questions.