Finding a professional photographer
16th February 2018
Is your camera strap properly secured?
16th March 2018

General Data Protection Regulations (and Bill) – what we think we know so far!

GDPR – Something restrictive this way comes

While the Beast from the East batters our land, it’s a different storm worrying photographers : the new General Data Protection Regulations, or GDPR.

There are a lot of loops that self-employed photographers, like me, have to jump through. One of those loops, the Data Protection Act, is changing shape and name. The General Data Protection Regulations, or GDPR, come into effect on the 25th May. However, the General Data Protection Bill (which turns it into British law) does not get it’s second reading until 5th March 2018, so it is not sure it will be implemented at the same time.

How will GDPR affect photographers?

I should start by saying that I am not a legal expert and this is how I am interpreting the state of play at the moment after lots of reading and contacting the Information Commissioner’s Office (ICO). There is plenty of other information for small businesses out there about the changes in the law, but not much clear information about photography. So this post is purely about that.

Is my work purely art?

Under the current Data Protection Act exemptions exist for photographers for images taken as art and for journalism.

Speaking with the Information Commissioner’s Office they said, “The GDPR allows member states to introduce exemptions/derogations. These will be set out in the Data Protection Bill – it’s likely there will be a similar exemption for personal data processed for the purposes of “journalism, literature and art” but as the Bill has not yet been approved and adopted by Parliament, we can’t yet confirm what those exemptions will be. ”

Out with the Old

Under the old Data Protection Act 1998, there was definite provision for art and journalism.

32. Journalism, literature and art.

(1)Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a)the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.”

In with the new

The proposed GDP Bill is worded differently.

“Journalistic, academic, artistic and literary purposes

24 (1) In this paragraph, “the special purposes” means one or more of the
(a) the purposes of journalism;
(b) academic purposes;
(c) artistic purposes;
(d) literary purposes.

Schedule 2 — Exemptions etc from the GDPR
Part 5 — Exemptions etc based on Article 85(2) for reasons of freedom of expression and information

(2) Sub-paragraph (3) applies to the processing of personal data carried out for
the special purposes if—
(a) the processing is being carried out with a view to the publication by
a person of journalistic, academic, artistic or literary material, and
(b) the controller reasonably believes that the publication of the material would be in the public interest.
(3) The listed GDPR provisions do not apply to the extent that the controller reasonably believes that the application of those provisions would be incompatible with the special purposes.”

Am I exempt?

That’s a lot of legalese, but I interpret that as, if produced for purely artistic purposes, photography will continue to be exempt from data protection laws.

So, an amateur street photographer taking candid shots in the street will be exempt from the the Regulations. The arts are free of constraint, according to the EU Charter of Fundamental Rights.

(I should point out that the current government are making noises about removing us from the EU Charter of Fundamental Rights. So things may change in the future. Our current freedoms of expression may change or disappear altogether.)

If I am reading the law correctly, and I reiterate I am not a lawyer, photographs would only be able to be used without the law applying if used for journalistic/academic/artistic or literary purposes.

So, if I took a photograph of you on the street and published it as art, then it would be exempt. I would be carrying out my freedom of expression. But, I do need to limit the use of that photograph to just that purpose. If I were to use your image for advertising, or I sold you copies in return for you letting me use your image, then that becomes data and the GDPR rules come into force.

Carrying out the ICO’s online test, I have to be registered for my work. I would be hard pushed to see any circumstances where a professional photographer would be exempt.

Commercial Shoots

The exemption is unlikely to hold if you enter into a contract with the subject. Therefore, wedding photographers should ask the couples to make their guests aware of who the photographer is and individuals should have the option of not being photographed. That makes life really difficult for documentary photographers. Permission should certainly be sought before wedding shoots are used for publicity.

A contract does not necessarily mean the exchange of money. Just promising to send a copy of a photograph to someone in return for letting you take their photograph is a contract. Then the photographer should get a model release form signed.

Be extra aware of photographing children. Always seek written parental permission before using a picture, sharing it on Facebook or Instagram, even in private groups.  If you attend a youth event and promis photographs of the children for a club or organisation, then that is entering into a contract. The new regulations are –quite rightly– very strict regarding children’s data.

Are street photographs of people biometric data?

This is a regularly debated topic and the answer from the ICO is no.
“In relation to street portraits of individuals; these will not be ‘biometric’ data.” Even so, I would be cautious about uploading to public sites photographs that contain people’s names or other information that may be sensitive.

Occasional Professionals Beware!

Most professional photographers will be prepared for GDPR. Some won’t.

Those who should worry are all the ‘semi-professional’ or ‘semi-amateur’ photographers who just shoot the occasional event, or sell the odd print. These are often not even registered as self-employed and are not insured. They are unlikely to comply with the current Data Protection Act. The new fine for failing to comply, which includes registration, is jumping up from a few thousand pounds to €10 million.

The ICO have been quite good at giving guidance instead of fines to date, but the new laws are stricter. One complaint from a parent whose child’s photo was shared without permission, or you sending an unsolicited email to a former client without their permission, could start an avalanche of penalties. Will HMRC or DWP look at people investigated by the ICO? Will they jump on those who try making an untaxed income from selling photographs? Will they also be studying the lists of people who are registered with the ICO to see if they are registered as self employed?

Now is a good time to either legitimise your business or step away from it altogether.

For those businesses and individuals who use photographers, searching the ICO database  is a good guide to whether the photographer is a legitimate and trustworthy business.


  1. Ross W says:

    Great article – really useful. However, I took the ICO test and it said I would not need to register. I telephoned them to confirm and they confirmed I would not need to.

    • Ivor says:

      Thank-you for your nice comments, Ross.

      It all really depends upon the nature of your business whether you need to register or not. That’s great news for you if you don’t, it will save you the registration fee.

      I am running courses for photographers and storing customer names and addresses, and processing their invoices electronically. I also contact by email. The ICO, who were really helpful, said in those circumstances I would definitely need to register. I phoned too as some of the questions on the test seemed a bit ambiguous to me.

      Thanks again for reading the post. I’m glad you found it useful.

    • Ivor says:

      Just as an aside, even if you do not have to register, you still need to abide by the restrictions put in place by the Regulations. Event photographers, for example, are going to have to ensure that the guests know that they are going to be photographed and the invitations may have to have an opt-in clause . Guests will have the right not to appear in images.
      Some photographers use people’s images for marketing without the subjects’ permission. This already should not happen, but that restriction is reinforced under GDPR.

  2. Andrew James says:

    Thanks for these words. They’ve helped quell a few unfounded GDPR-related fears in the minds of my colleagues.

  3. Dod says:

    what if you are just shooting concerts, festivals etc and take crowd shots for websites facebook, magazines..

    • Ivor says:

      Hi Dod,

      As I have said before, I am not a lawyer. This post is my interpretation of the conversations I have had with the ICO. I can’t give legal advice, but happy to have a discussion.

      In most cases, there is no change from pre-GDPR and common sense prevails. So, I think it depends upon what you are doing with the photos; the circumstances in which you use them.

      At a concert, I think there is a reasonable assumption that, if photography is allowed, people will appear in the background of photographs. It’s the same as the BBC filming a concert for television. It would be impracticable to get permission from every person.

      When I have done work at events for large corporations, they have asked me not to supply ‘close-ups of anonymous people’ but pictures of the entire audience. To me, that seems a common sense approach.

      People in audiences tend to appear quite small and unidentifiable in these shots, especially when reproduced in articles.

      There are GDPR exemptions under the Human Rights Act which allows for ‘freedom of expression’ and ‘freedom of the press’. So, if you think you could defend (perhaps in court) your work as either art or journalism, you should not have a problem. If you are shooting for magazines, I think that is journalism.

      The thing to watch in the future is the changes to the Human Rights Act.

  4. Cederic says:

    The enacted legislation includes the artistic/literary exemptions:

    What’s far more fun is data access requests and the right to portability. Get ready to share your RAW files..

    • Ivor says:

      Yes, the exemptions are there because of the Human Rights Act, which allows for freedom of expression. This article was written before it was enacted by Parliament before the provision had been finalised.

      Your point about sharing raw files is an interesting one. Thinking about it, I am pretty sure you don’t need to share raw files. If you have a photograph of someone, it would be perfectly okay to send a low-quality JPEG that is, if necessary, watermarked. You are just saying ‘I hold this data.’ Why? You have rights accrued from your intellectual works outside of GDPR, namely moral and material rights. They have been enshrined in British Law since 1709.

      Regarding potability, the ICO says:
      “there may be legitimate reasons why you cannot undertake the transmission. For example, if the transmission would adversely affect the rights and freedoms of others. It is however your responsibility to justify why these reasons are legitimate and why they are not a ‘hindrance’ to the transmission.” For others, read ‘you.’

      Being forced to forward raw files would hinder your moral and intellectual rights. I think that would be a legitimate defence against sharing the entire raw file, which would contain your intellectual property, such as the camera settings you used to achieve a particular shot and, (if you use your manufacturer’s software), the embedded adjustments. You can only remove this data by changing it into another file format.

      Furthermore, transmission of data must be interoperable, i.e. easily read by other machines. Raw files are not interoperable as they require specialist software to access them. JPEGs or BMP or GIF files are. It is easy to create a low resolution, small format, watermarked copy.

      The ICO say “The GDPR does not require you to use open formats internally. Your processing systems may indeed use proprietary formats which individuals may not be able to access if you provide data to them in these formats. In these cases you need to perform some additional processing on the personal data in order to put it into the type of format required by the GDPR.” Raw files would probably be an example of a non-open format.

      What is more, you still have copyright law to protect your work. If the subject reuses the images without your consent, then you have the full weight of criminal law to back you up, along with massive fines and prison sentences for the perpetrator.

      Again, I reiterate that I am not a lawyer and this is how I am interpreting the law. I’ll speak to the ICO and get this clarified.

  5. Cederic says:

    For access request purposes a degraded (watermark or otherwise) JPG is likely adequate. For data portability I don’t think it would suffice – you wouldn’t accept your accountant providing only 96% of your general ledger entries if you were switching to another accountant.

    Proprietary formats would be something like a Lightroom catalog file, which is specific to that piece of software. RAW files can be read by many software products so I’d assume they’re no different to JPG in that regard.

    (My JPGs retain the camera settings anyway, but I’m not a professional)

    The “adversely affect the rights and freedoms of others” consideration is a far more interesting one, and might be how balance is achieved. I could however easily argue that your processing of my data misrepresents me (i.e. you turned the RAW into a black and white image, and really my skin is lemon chiffon) and I want to use data portability to allow another data processor to create a superior representation.

    As you suggest, that then gets interesting around copyright law. Methinks the powers that be just didn’t think this one through, and it’d be useful to get some clarity (and common sense) before a bunch of barristers get rich(er).

    • Ivor says:

      You are right that they didn’t think it through; the ICO said as much to me when I told them about Facial Recognition software built into Lightroom.

      They are the experts and I have asked them to clarify the portability issue. I am awaiting a reply and will let you know when I do. They purely have to enforce the law and did not make it and they are the most helpful government department I have come across. (Don’t tell the government this because they’ll then probably shut it down!)

      What I think they will say is that the right of portability only applies to information an individual has provided to a controller. A photograph has not been supplied by the individual and should therefore be exempt.

      Also, the raw data from a camera does include the camera settings, and one could argue that they too are protected as intellectual property. When you export a raw file to a jpeg you can remove this information.

      I’ll keep you posted. Thanks again for reading and engaging in my blog.

    • Ivor says:

      Hi Cedric, I haven’t heard back from the ICO yet, but I haven’t forgotten your question. I have been discussing it with some legal eagles and they agree with me that as the customer has not provided the raw data in a raw image and it is generated by the photographer, the photographer is not obliged to share it; it is not regarded as portable.

  6. Cederic says:

    Thanks for the update. I appreciate that this is unlikely to be clarified any time soon.

    At a common sense level I agree that a raw image is created rather than the facial data being provided, and that does exclude it from data portability. If only the ICO had thought this through during those long years of planning..

  7. Ivor says:

    Hi Cederic, this is from the ICO website:

    ” The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

    The right only applies to information an individual has provided to a controller.”

    The raw files from a camera is not provided by the individual but generated by the photographer, so portability does not apply to it.

  8. Ivor says:

    I had another call today from the ICO.

    Good news for many, contrary to what I had previously been told prior to the new Data Protection Act 2018 came into force, their officer tells me that private individuals are now exempt from the regulations. So, GDPR does not apply to people handling personal data in the course of exclusively personal or household activity. This does not exempt you if you work from home! The moment you start to trade, take part in any economic activity, you are no longer a private individual!

    For many professionals, it may be difficult separating some work from home. Many of my friends have also become my clients. So, I treat all photographs of people as personal data.

    For those of us that are professional, facial recognition in Lightroom is personal data. (I’ve turned mine off.)

    They told me that crowd photography (probably) isn’t considered personal data.

    Wedding and event photographers should give the attendees the right to opt out of the photos.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

error: Content is protected !!

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.