
GDPR – Something restrictive this way comes

While the Beast from the East battered our land, a different storm worried photographers: the new General Data Protection Regulations, or GDPR.

There are a lot of loops that self-employed photographers, like me, have to jump through. One of those loops, the Data Protection Act, changed shape and name. The General Data Protection Regulations, or GDPR, came into effect on the 25th May 2017. However, the General Data Protection Bill (which turned it into British law) did not get its second reading until 5th March 2018. Soon after, the Data Protection Act 2018 became law.

How does GDPR affect photographers?

I should start by saying that I am not a legal expert and this is how I am interpreting the state of play at the moment after lots of reading and contacting the Information Commissioner’s Office (ICO). There is plenty of other information for small businesses out there about the changes in the law, but not much clear information about photography. So this post is purely about that. It is my interpretation.

Is my work purely art?

Under the current Data Protection Act, exemptions exist for photographers for images taken as art and for journalism.

Speaking with the Information Commissioner’s Office they said, “The GDPR allows member states to introduce exemptions/derogations. These will be set out in the Data Protection Bill – it’s likely there will be a similar exemption for personal data processed for the purposes of ‘journalism, literature and art’.” These exemptions came into play, as did handling data for personal domestic purposes.

Out with the Old

Under the old Data Protection Act 1998, there was definite provision for art and journalism.

“32. Journalism, literature and art.

(1) Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.”

In with the new

The new Data Protection Act is worded differently.

“Journalistic, academic, artistic and literary purposes

24 (1) In this paragraph, “the special purposes” means one or more of the
(a) the purposes of journalism;
(b) academic purposes;
(c) artistic purposes;
(d) literary purposes.

Schedule 2 — Exemptions etc from the GDPR
Part 5 — Exemptions etc based on Article 85(2) for reasons of freedom of expression and information

(2) Sub-paragraph (3) applies to the processing of personal data carried out for the special purposes if—
(a) the processing is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and
(b) the controller reasonably believes that the publication of the material would be in the public interest.
(3) The listed GDPR provisions do not apply to the extent that the controller reasonably believes that the application of those provisions would be incompatible with the special purposes.”

Am I exempt?

That’s a lot of legalese, but I interpret that as: if produced for purely artistic purposes, photography will continue to be exempt from data protection laws.

So, I understand that a street photographer taking candid shots in the street for art is exempt from the Regulations. The arts are free of constraint, according to the EU Charter of Fundamental Rights.

(I should point out that the current government are making noises about removing us from the EU Charter of Fundamental Rights. So things may change in the future. Our current freedoms of expression may change or disappear altogether.)

If I am reading the law correctly, and I reiterate I am not a lawyer, a professional’s photographs would only be able to be used without the law applying if for journalistic/academic/artistic or literary purposes. When shot for domestic purposes photos are also exempt from the Act.

So, if I took a photograph of you on the street and published it as art, then it would not be considered personal data. I would be carrying out my freedom of expression. But, I do need to limit the use of that photograph to just that purpose. If I were to use your image for advertising, or I sold you copies in return for you letting me use your image, then that becomes data and the GDPR rules come into force. Also, I could not name you in the photograph nor say where you were at what time.

Commercial Shoots

The exemption is unlikely to hold if you enter into a contract with the subject. Therefore, wedding photographers should ask the couples to make their guests aware of who the photographer is and individuals should have the option of not being photographed. That makes life really difficult for documentary photographers. Permission should certainly be sought before wedding shoots are used for publicity.

A contract does not necessarily mean the exchange of money. Just promising to send a copy of a photograph to someone in return for letting you take their photograph is a contract. Then the photographer should get a model release form signed.

Be extra aware of photographing children professionally. Always seek written parental permission before using a picture, sharing it on Facebook or Instagram, even in private groups. If you attend a youth event and promise photographs of the children for a club or organisation, then that is entering into a contract. The new regulations are, quite rightly, very strict regarding protecting children’s data.

Are street photographs of people biometric data?

This is a regularly debated topic and the answer from the ICO is no.
“In relation to street portraits of individuals; these will not be ‘biometric’ data.” Even so, I would be cautious about uploading to public sites photographs that contain people’s names or other information that may be sensitive.

Occasional Professionals Beware!

Most professional photographers were prepared for GDPR. Some were not.

Those who should worry are all the ‘semi-professional’ or ‘semi-amateur’ photographers who just shoot the occasional event, or sell the odd print. These are often not even registered as self-employed and are not insured. They are unlikely to comply with the current Data Protection Act. The new fine for failing to comply, which includes registration, is jumping up from a few thousand pounds to €10 million.

Are you registered?

Carrying out the ICO’s online test, I have to be registered for my work. I would be hard pushed to see any circumstances where a professional photographer would be exempt. If you keep customers’ or employees’ data, you need to register.

The ICO are helpful. They are good at giving guidance instead of fines to date, but the new laws are stricter. One complaint from a parent whose child’s photo was shared without permission, or you sending an unsolicited email to a former client without their permission, could start an avalanche of penalties.

Will HMRC or DWP look at people investigated by the ICO? Are they going to jump on those who try making an untaxed income from selling photographs? Will they also be studying the lists of people who are registered with the ICO to see if they are registered as self employed?

Now is a good time to either legitimise your business or step away from it altogether.

For those businesses and individuals who use photographers, searching the ICO database is a good guide to whether the photographer is a legitimate and trustworthy business.

Street photograph at a harbour

Other laws – addendum to the original post

Are you still getting GDPR emails? I’ve enjoyed not responding to them, reducing the cascade of emails into my inbox. Some businesses have clearly ignored the new laws.

The new regulations have confused photographers. This blog post about the topic has been my most popular, still receiving between 50 and 100 hits a day.

If not in business you still need to be careful.

I discovered, during my latest conversation with the Information Commissioner’s Office (ICO), that the regulations apply to everyone and not just businesses. So, posting a photo in a local forum of a car parked on double yellow lines might well be in breach of the new data protection laws. The example the ICO gave me was sharing images including people who didn’t want to be seen together. They could pursue their complaint under GDPR.

Exemptions still apply

There are exemptions to GDPR because we have, under the Human Rights Act, freedom of expression. I can share a photo I create for art’s sake. If challenged, I may have to prove my intention in court. If I used the image for commercial purposes, then that use has changed. When I enter into a contract with the subject, as I need to do when working commercially, then again things get more complex. But, most amateur photography is art.

Similar freedoms exist for journalism, scientific research and literature. The Human Rights Act is possibly the most important law for protecting photography.

An unrecognisable person in a photo shot as art.

Facial Recognition

One area I queried with the ICO was Lightroom’s facial recognition facility. The official said this was where the new law was clearly not up to speed with modern technology.


There is misunderstanding about a lot of laws. One misconception is that a photo, once published online, is fair game for anyone to use. That is false. I own the copyright of all the photos I take and articles I write. International law, set down in the Berne Convention, prevents people from using my work without my permission. Breaching the law is a criminal offence, yet many people do so with what they think is impunity.

A magistrate’s court can impose 6 months in prison and/or a fine of up to £50,000 for copyright infringement. In the Crown Court, the maximum term of incarceration is 10 years and/or an unlimited fine. Plus, the person who breaches copyright may have to pay compensation to the victim.

Linking to the URL of a photo from, say, Facebook is not a breach of copyright, even when Facebook creates a preview of the image. However, downloading and using the image is an offence.

Beware claiming ownership of a hashtag.

I recently had a photograph stolen on Instagram. I had used a hashtag. Unknown to me, someone else had claimed the hashtag as their own and was republishing images using it without seeking the photographer’s permission. This is unlawful. Hashtags on Instagram are there to add context to a photo and to help people find images on a particular topic. Using someone’s photo without their permission, even if you tag them in a repost, is breaking the law.

My photo that was plagiarised

Photographing buildings

Another area that brings confusion is photographing buildings. It is not unusual for security guards to challenge photographers in the street who are capturing the architecture. Despite their insistence, they cannot stop you if you are on public land.

There are a few exceptions, but you can photograph most things in the UK from public land. Although there is nothing a security guard can do to prevent you photographing an office block from the outside, once inside a building the situation changes. On private property, building owners or their representatives can prevent you from taking photos. If you do, although instructed not to, you are committing trespass. The owner can make you leave. That falls under common law. If you refuse, the offence becomes a criminal one, that of aggravated trespass.

Hospitals, swimming pools and many shopping centres display ‘no photography’ signs.

The Police

Unlikely to be a terrorist suspect

Police can, of course, move you along if you are causing an obstruction when shooting on the street. Officers can view your images, but they must “reasonably suspect” you are a terrorist before doing so. Officers have the power to view digital images contained in mobile telephones or cameras and to seize equipment that contains evidence of terrorism. They do not have the power to delete digital images or destroy film during a search.


  1. Ross W says:

    Great article – really useful. However, I took the ICO test and it said I would not need to register. I telephoned them to confirm and they confirmed I would not need to.

    • Ivor says:

      Thank-you for your nice comments, Ross.

      It all really depends upon the nature of your business whether you need to register or not. That’s great news for you if you don’t, it will save you the registration fee.

      I am running courses for photographers and storing customer names and addresses, and processing their invoices electronically. I also contact by email. The ICO, who were really helpful, said in those circumstances I would definitely need to register. I phoned too as some of the questions on the test seemed a bit ambiguous to me.

      Thanks again for reading the post. I’m glad you found it useful.

    • Ivor says:

      Just as an aside, even if you do not have to register, you still need to abide by the restrictions put in place by the Regulations. Event photographers, for example, are going to have to ensure that the guests know that they are going to be photographed and the invitations may have to have an opt-in clause. Guests will have the right not to appear in images.
      Some photographers use people’s images for marketing without the subjects’ permission. This already should not happen, but that restriction is reinforced under GDPR.

  2. Andrew James says:

    Thanks for these words. They’ve helped quell a few unfounded GDPR-related fears in the minds of my colleagues.

  3. Dod says:

    What if you are just shooting concerts, festivals etc. and take crowd shots for websites, Facebook, magazines..

    • Ivor says:

      Hi Dod,

      As I have said before, I am not a lawyer. This post is my interpretation of the conversations I have had with the ICO. I can’t give legal advice, but happy to have a discussion.

      In most cases, there is no change from pre-GDPR and common sense prevails. So, I think it depends upon what you are doing with the photos; the circumstances in which you use them.

      At a concert, I think there is a reasonable assumption that, if photography is allowed, people will appear in the background of photographs. It’s the same as the BBC filming a concert for television. It would be impracticable to get permission from every person.

      When I have done work at events for large corporations, they have asked me not to supply ‘close-ups of anonymous people’ but pictures of the entire audience. To me, that seems a common sense approach.

      People in audiences tend to appear quite small and unidentifiable in these shots, especially when reproduced in articles.

      There are GDPR exemptions under the Human Rights Act which allow for ‘freedom of expression’ and ‘freedom of the press’. So, if you think you could defend (perhaps in court) your work as either art or journalism, you should not have a problem. If you are shooting for magazines, I think that is journalism.

      The thing to watch in the future is the changes to the Human Rights Act.

  4. Cederic says:

    The enacted legislation includes the artistic/literary exemptions:

    What’s far more fun is data access requests and the right to portability. Get ready to share your RAW files..

    • Ivor says:

      Yes, the exemptions are there because of the Human Rights Act, which allows for freedom of expression. This article was written before it was enacted by Parliament, before the provision had been finalised.

      Your point about sharing raw files is an interesting one. Thinking about it, I am pretty sure you don’t need to share raw files. If you have a photograph of someone, it would be perfectly okay to send a low-quality JPEG that is, if necessary, watermarked. You are just saying ‘I hold this data.’ Why? You have rights accrued from your intellectual works outside of GDPR, namely moral and material rights. They have been enshrined in British Law since 1709.

      Regarding portability, the ICO says:
      “there may be legitimate reasons why you cannot undertake the transmission. For example, if the transmission would adversely affect the rights and freedoms of others. It is however your responsibility to justify why these reasons are legitimate and why they are not a ‘hindrance’ to the transmission.” For others, read ‘you.’

      Being forced to forward raw files would hinder your moral and intellectual rights. I think that would be a legitimate defence against sharing the entire raw file, which would contain your intellectual property, such as the camera settings you used to achieve a particular shot and, (if you use your manufacturer’s software), the embedded adjustments. You can only remove this data by changing it into another file format.

      Furthermore, transmission of data must be interoperable, i.e. easily read by other machines. Raw files are not interoperable as they require specialist software to access them. JPEGs or BMP or GIF files are. It is easy to create a low resolution, small format, watermarked copy.

      The ICO say “The GDPR does not require you to use open formats internally. Your processing systems may indeed use proprietary formats which individuals may not be able to access if you provide data to them in these formats. In these cases you need to perform some additional processing on the personal data in order to put it into the type of format required by the GDPR.” Raw files would probably be an example of a non-open format.

      What is more, you still have copyright law to protect your work. If the subject reuses the images without your consent, then you have the full weight of criminal law to back you up, along with massive fines and prison sentences for the perpetrator.

      Again, I reiterate that I am not a lawyer and this is how I am interpreting the law. I’ll speak to the ICO and get this clarified.

  5. Cederic says:

    For access request purposes a degraded (watermark or otherwise) JPG is likely adequate. For data portability I don’t think it would suffice – you wouldn’t accept your accountant providing only 96% of your general ledger entries if you were switching to another accountant.

    Proprietary formats would be something like a Lightroom catalog file, which is specific to that piece of software. RAW files can be read by many software products so I’d assume they’re no different to JPG in that regard.

    (My JPGs retain the camera settings anyway, but I’m not a professional)

    The “adversely affect the rights and freedoms of others” consideration is a far more interesting one, and might be how balance is achieved. I could however easily argue that your processing of my data misrepresents me (i.e. you turned the RAW into a black and white image, and really my skin is lemon chiffon) and I want to use data portability to allow another data processor to create a superior representation.

    As you suggest, that then gets interesting around copyright law. Methinks the powers that be just didn’t think this one through, and it’d be useful to get some clarity (and common sense) before a bunch of barristers get rich(er).

    • Ivor says:

      You are right that they didn’t think it through; the ICO said as much to me when I told them about Facial Recognition software built into Lightroom.

      They are the experts and I have asked them to clarify the portability issue. I am awaiting a reply and will let you know when I do. They purely have to enforce the law and did not make it and they are the most helpful government department I have come across. (Don’t tell the government this because they’ll then probably shut it down!)

      What I think they will say is that the right of portability only applies to information an individual has provided to a controller. A photograph has not been supplied by the individual and should therefore be exempt.

      Also, the raw data from a camera does include the camera settings, and one could argue that they too are protected as intellectual property. When you export a raw file to a jpeg you can remove this information.

      I’ll keep you posted. Thanks again for reading and engaging in my blog.

    • Ivor says:

      Hi Cederic, I haven’t heard back from the ICO yet, but I haven’t forgotten your question. I have been discussing it with some legal eagles and they agree with me that as the customer has not provided the raw data in a raw image and it is generated by the photographer, the photographer is not obliged to share it; it is not regarded as portable.

  6. Cederic says:

    Thanks for the update. I appreciate that this is unlikely to be clarified any time soon.

    At a common sense level I agree that a raw image is created rather than the facial data being provided, and that does exclude it from data portability. If only the ICO had thought this through during those long years of planning..

  7. Ivor says:

    Hi Cederic, this is from the ICO website:

    “The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

    The right only applies to information an individual has provided to a controller.”

    The raw files from a camera are not provided by the individual but generated by the photographer, so portability does not apply to them.

  8. Ivor says:

    I had another call today from the ICO.

    Good news for many: contrary to what I had previously been told before the new Data Protection Act 2018 came into force, their officer tells me that private individuals are now exempt from the regulations. So, GDPR does not apply to people handling personal data in the course of exclusively personal or household activity. This does not exempt you if you work from home! The moment you start to trade, take part in any economic activity, you are no longer a private individual!

    For many professionals, it may be difficult separating some work from home. Many of my friends have also become my clients. So, I treat all photographs of people as personal data.

    For those of us that are professional, facial recognition in Lightroom is personal data. (I’ve turned mine off.)

    They told me that crowd photography (probably) isn’t considered personal data.

    Wedding and event photographers should give the attendees the right to opt out of the photos.
