The days have gone when you could argue ignorance about the General Data Protection Regulation (GDPR) of the European Union (EU).
The General Data Protection Regulation is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
While data protection laws on a national level are nothing new, the General Data Protection Regulation (GDPR) aims at strengthening and harmonizing the data protection regulations across member states of the European Union. This impacts all companies dealing with personal data of EU individuals, and hence also applies to companies outside of the EU, for example, in the United States or Switzerland.
The General Data Protection Regulation (GDPR) automatically becomes effective on May 25, 2018. The media, consultants and legal attorneys are drumming up business by offering advice to companies on how to comply with GDPR, by offering all kinds of compliance checklists and tailored consulting.
Given that much of the content managed in Digital Asset Management (DAM) systems contain personal data: how concerned should DAM system customers be with regard to their General Data Protection Regulation (GDPR) compliance? And how can they streamline their GDPR processes?
Most DAM Systems Manage Sensitive Personal Data
Digital Asset Management (DAM) are exposed with regard to personal data (PD) because images or videos of individuals expose more than an ID or name of an individual, the data subject. A picture can easily unveil race or ethnic origin, physical or mental health or conditions, religious beliefs, and more.
These types of personal data are categorized as sensitive personal data for which stricter conditions apply under General Data Protection Regulation (GDPR). Hence, customers and their respective users of Digital Asset Management software as the data controller need essentially to ensure that:
- The DAM software providers comply with the processing instructions of the Data Controllers and the General Data Protection Regulation (GDPR), such as the case for Picturepark.
- Explicit consent of the data subject for processing its personal data as requested is provided, and that such consent can be withdrawn at a later time by the data subject.
Compliance of DAM System Providers
The customers of DAM systems and their respective users are the data controller whereas the DAM system provider (e.g. cloud hoster) is the data processor.
Despite its already established high data privacy standards, Picturepark started to work on General Data Protection Regulation (GDPR) compliance in late 2016 which among others resulted in contract changes with customers and suppliers, internal policies and new software features.
A data controller needs to ensure that its data processors process personal data as per its instructions and in compliance with both, the Data Controller’s privacy terms to which the data subject had agreed, and statutory requirements of GDPR. The data processor itself needs to further ensure that all its suppliers as sub-processors adhere to the same processing principles.
In practical terms, the customer of a DAM system needs to exactly know how and where the DAM system provider is hosting the data and processing it, e.g. for the purpose of technical support or other matters.
While this is primarily a legal thing on first sight, it requires policies as well as organizational and technical procedures which for international companies can be pretty demanding to implement, and for demonstrating compliance throughout the chain of processors and sub-processors.
Hence, customers of DAM systems should look into existing agreements with their DAM vendors now, and ensure compliance from when GDPR becomes effective (May 25, 2018).
Getting Consent from Data Subjects
Receiving explicit consent from a data subject is an equally complex undertaking.
In the real world this effectively means that an editor uploading an image with people in it to the DAM system needs to ensure that those pictured individuals have agreed to the particular use of the image. Such use needs to be declared with the picture and enforced e.g. by obtaining the corresponding permission.
For most photo shoots, explicit consent should be obtained by signing a model release form prior to photographing or video recording the particular persons – which is nothing new.
But in many situations people are an integral part of a picture, and are not knowingly photographed and are not out of focus. Take for example an event where people are photographed speaking in front of a booth, or as a group shot. Just putting up a poster at the entrance saying that “you consent to our use of images for xy purpose” is not enough, you have to get affirmative consent for a particular use.
So you have to get this in writing e.g. on registration, or walk around and get forms signed. It’s also fine to ask but anything verbal is tougher to prove later.
Get a demo for the GDPR Consent Manager
Complexity of Withdrawn Consents
Further to that, withdrawal of consent by an individual might actually require you to no longer use that picture or content.
This is a problem because it doesn’t just refer to the use of the personal data within the DAM system but everyone who downloaded or shared that picture via the DAM system, resulting in the the use of such now withdrawn personal data in presentations, on web pages, and similar.
In other words, simply adding or removing content to the DAM based on consent or withdrawal of consent is not enough. You have to know who uses it and – at the minimum – inform those using it that they should no longer do so. This in turn requires any user of a DAM system agreeing with usage terms that require him or her to unpublish content if requested to do so.
Automating the Consent Process
As one can see: Managing the consent of data subjects can be pretty cumbersome for customers of DAM systems.
In order to facilitate this process, Picturepark decided together with its Premier partner DAM United to think about a solution for better managing the process of receiving and withdrawing consent for use of personal data. As a result, the “GDPR Consent Manager for Picturepark” (press release) was created.
Using the “GDPR Consent Manager”, content managers or editors can easily request consent for use of personal data from within Picturepark. On request, a link is sent via email, leading recipients to a secure web page where they can review their personal data, its intended usage and terms, and provide consent with a few clicks. If wished at a later point in time, consent can be withdrawn by the individual by simply visiting the link again.
The General Data Protection Regulation (GDPR) Consent Manager supports various types of digital assets such as images and videos. All transactions are securely logged and can be reviewed for auditing purposes. Picturepark metadata permissions ensure that only permitted users can view and edit any consent-relevant information, such as the individual’s email addresses.
Picturepark Technologies and API Frameworks
Picturepark user actions can be used for triggering additional workflows such as detecting faces on images and sorting them for consent approval with restrictive permissions. Once consent is received by all data subjects, the digital asset can be automatically published. Or when consent is withdrawn, responsible content managers can be alerted and notices sent to all users that have ever downloaded or shared the content.
Those interested in learning more about the General Data Protection Regulation (GDPR) Consent Tool should contact email@example.com.
The GDPR Content Manager has been developed by Picturepark and DAM United, a Picturepark Premier partner, and is available as a Release Candidate (RC). Among others, the tool makes excessive use of Picturepark Adaptive Metadata™ layers, the Picturepark API and the Picturepark Workflow framework – all technologies for which substantially new and advanced capabilities have been announced for the forthcoming Picturepark Content Platform.
Picturepark wishes to thank solicitor Irene Bodle from Bodle Law who has contributed her expertise to this blog post. Bodle Law is a German law firm, registered in Germany, specialising in SaaS, legal cloud computing issues and IT law.