By Ramon Forster • Apr 16, 2018
The days have gone when you could argue ignorance about the General Data Protection Regulation (GDPR) of the European Union (EU).
The General Data Protection Regulation is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). (Wikipedia)
While data protection laws on a national level are nothing new, the General Data Protection Regulation (GDPR) aims at strengthening and harmonizing the data protection regulations across member states of the European Union. This impacts all companies dealing with personal data of EU individuals, and hence also applies to companies outside of the EU, for example, in the United States or Switzerland.
The General Data Protection Regulation (GDPR) automatically becomes effective on May 25, 2018. The media, consultants and legal attorneys are drumming up business by offering advice to companies on how to comply with GDPR, by offering all kinds of compliance checklists and tailored consulting.
Given that much of the content managed in Digital Asset Management (DAM) systems contains personal data: how concerned should DAM system customers be about their General Data Protection Regulation (GDPR) compliance? And how can they streamline their GDPR processes?
Most DAM Systems Manage Sensitive Personal Data
Digital Asset Management (DAM) systems are exposed with regard to personal data (PD) because images or videos of individuals reveal far more about a person (the data subject) than an ID or a name. A picture can easily unveil race or ethnic origin, physical or mental health or conditions, religious beliefs, and more.
These types of personal data are categorized as sensitive personal data, for which stricter conditions apply under the General Data Protection Regulation (GDPR). Hence, customers of Digital Asset Management software and their respective users, acting as the data controller, essentially need to ensure that:
- The DAM software provider complies with the processing instructions of the data controller and with the General Data Protection Regulation (GDPR), as is the case for Picturepark.
- Explicit consent of the data subject to the requested processing of their personal data is obtained, and that such consent can be withdrawn at a later time by the data subject.
Compliance of DAM System Providers
The customers of DAM systems and their respective users are the data controller whereas the DAM system provider (e.g. cloud hoster) is the data processor.
Despite its already established high data privacy standards, Picturepark started to work on General Data Protection Regulation (GDPR) compliance in late 2016, which, among other things, resulted in contract changes with customers and suppliers, internal policies and new software features.
A data controller needs to ensure that its data processors process personal data as per its instructions and in compliance with both the data controller’s privacy terms to which the data subject has agreed and the statutory requirements of GDPR. The data processor itself needs to further ensure that all its suppliers, as sub-processors, adhere to the same processing principles.
In practical terms, the customer of a DAM system needs to know exactly how and where the DAM system provider hosts the data and processes it, e.g. for the purpose of technical support or other matters.
While at first sight this is primarily a legal matter, it requires policies as well as organizational and technical procedures, which for international companies can be quite demanding to implement, and compliance has to be demonstrated throughout the chain of processors and sub-processors.
Hence, customers of DAM systems should look into existing agreements with their DAM vendors now, and ensure compliance from the moment GDPR becomes effective (May 25, 2018).
Getting Consent from Data Subjects
Receiving explicit consent from a data subject is an equally complex undertaking.
In the real world this effectively means that an editor uploading an image with people in it to the DAM system needs to ensure that those pictured individuals have agreed to the particular use of the image. Such use needs to be declared together with the picture and enforced, e.g. by obtaining the corresponding permission.
For most photo shoots, explicit consent should be obtained by signing a model release form prior to photographing or video recording the particular persons – which is nothing new.
But in many situations people are an integral part of a picture even though they were not knowingly photographed, and they are not out of focus. Take for example an event where people are photographed speaking in front of a booth, or in a group shot. Just putting up a poster at the entrance saying “you consent to our use of images for xy purpose” is not enough; you have to get affirmative consent for a particular use.
So you have to get this in writing, e.g. on registration, or walk around and get forms signed. It’s also fine to ask, but anything verbal is tougher to prove later.
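The consent model described in this section (consent is tied to a declared use of a specific picture, must be evidenced, and can be withdrawn later) can be checked mechanically before an asset is released for a purpose. The following is an added example written for this article; it is not Picturepark's code nor any DAM product's API. All names (`Asset`, `Consent`, `check_use`, `withdraw`, the asset and subject identifiers and the evidence references) and the sample dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample timestamps (not from the article): consent given,
# a later use, and a still later withdrawal.
T0 = datetime(2018, 5, 1, tzinfo=timezone.utc)
T1 = datetime(2018, 6, 1, tzinfo=timezone.utc)
T2 = datetime(2018, 7, 1, tzinfo=timezone.utc)


@dataclass
class Consent:
    """One data subject's affirmative consent to one declared purpose."""
    subject_id: str
    purpose: str              # the particular use the subject agreed to
    granted_at: datetime
    evidence: str             # where the written proof lives (release form, registration record)
    withdrawn_at: Optional[datetime] = None


@dataclass
class Asset:
    """A picture in the DAM with the people identified in it and their consents."""
    asset_id: str
    depicted: frozenset       # subject ids of everyone recognisable in the picture
    consents: list = field(default_factory=list)


def has_consent(asset, subject_id, purpose, at):
    """True if the subject had unwithdrawn consent for this purpose at time `at`."""
    for c in asset.consents:
        if c.subject_id != subject_id or c.purpose != purpose:
            continue                      # consent is purpose-specific, never generic
        if c.granted_at <= at and (c.withdrawn_at is None or at < c.withdrawn_at):
            return True
    return False


def check_use(asset, purpose, at):
    """Return (allowed, missing): allowed only if every depicted person consented."""
    missing = sorted(s for s in asset.depicted if not has_consent(asset, s, purpose, at))
    return (len(missing) == 0, missing)


def withdraw(asset, subject_id, purpose, at):
    """Record a withdrawal; earlier uses stay documented, later ones are blocked."""
    count = 0
    for c in asset.consents:
        if c.subject_id == subject_id and c.purpose == purpose and c.withdrawn_at is None:
            c.withdrawn_at = at
            count += 1
    return count


def sample_asset():
    """Constructed event photo: a booth speaker and a visitor, both consented to the recap."""
    asset = Asset("IMG-0042", frozenset({"speaker-1", "visitor-7"}))
    asset.consents.append(Consent("speaker-1", "event-recap", T0, "release-form-2018-0042a"))
    asset.consents.append(Consent("visitor-7", "event-recap", T0, "registration-form-2018-05-01"))
    return asset


def demo():
    asset = sample_asset()
    before = check_use(asset, "event-recap", T1)   # both consented -> (True, [])
    ads = check_use(asset, "advertising", T1)      # nobody agreed to this use -> blocked
    withdraw(asset, "visitor-7", "event-recap", T2)
    after = check_use(asset, "event-recap", T2)    # visitor withdrew -> blocked
    earlier = check_use(asset, "event-recap", T1)  # use made before withdrawal stays valid
    return before, ads, after, earlier


if __name__ == "__main__":
    for label, result in zip(("recap", "advertising", "after withdrawal", "earlier use"), demo()):
        print(f"{label}: allowed={result[0]} missing={result[1]}")
```

The check is deliberately deny-by-default: a purpose that no consent record names is blocked even when the same people consented to a different use, which is the "affirmative consent for a particular use" point above, and a withdrawal only affects uses after its timestamp, so the evidence trail for earlier publications survives.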