GDPR Guide for Photographers - Get your photography business GDPR compliant

GDPR Guide for Photographers

GDPR Guide for Photographers

Are you a wedding or family portrait photographer? Do you sell your images or photographic services to consumers? Most photographers that earn a living from their art sell to members of the public. This means that it is important to keep data about clients and potential customers so that you can make more sales in future. If you photographed a couple’s wedding then you may hope to do a photoshoot with them later if they should have children. All this information – emails, phone numbers and so on – can be the lifeblood of your  business’ sales. So, did you know that you have to ask permission to use their data to market your products to them? Did you know that GDPR regulations are coming into force in 2018 that will make businesses such as ourselves more responsible for how customer data is stored and used? This may sound worrying, but it is in fact an opportunity for you to contact your customers and ensure that only those interested in your business will continue to be on your mailing lists. 

Keep your customers’ data and your business safe from hackers and misuse. Not only will this help prevent you clocking up fines, you will also have another great selling point to offer. Let your customers know what measures you are taking to keep their data from being abused. Tell them what they will receive from you if they sign up to your mailing lists. GDPR doesn’t have to be terrifying!

GDPR Guide for Photographers - Get your photography business GDPR compliant

Find out more about GDPR in this guide for photographers written especially for us by Jamie Allan:



As a photographer, you have customers saved somewhere on a database (or several databases) so you can contact them in order to book future sessions to generate revenue. As this is classed as personal information, you need to find every instance of where you store that data as under the new GDPR rules from May 25th 2018, you must make sure that you have the consent of your customers in order to continue to make this contact.

By getting your data GDPR complaint, and keeping it regularly updated, means that you can continue to develop and grow your business.
Here are some pointers to get you going:

1. Cleanse your data

This is an ideal time to review all data that you hold on your customers and either delete old databases or update current ones by sending out an email or letter explaining what is happening and telling them what information you hold on them and for what purposes you want to use it for. After all you only want to do business with people who want to buy from you. In this communication, you need to ask them for their consent to use this information in the future as any implied “opt-in” from the past will not be allowable under GDPR.
And if you hold data about children, it is even more vital that you get permission to hold data about that child from their parents and also make sure that it is stored very securely.
Also, check that your email marketing providers are compliant. MailChimp offer the double opt-in process already, so if you use an email provider like this, chances are you already have this part covered off.

2. Secure your Website and IT Infrastructure

Your website and infrastructure needs to be secure, fit for purpose and GDPR compliant. This means that you need to prove that you have taken steps to ensure that your IT website and infrastructure is secure against a possible cyber attack. This needs to cover:
1. Security against Contact Form intervention from an outside unknown source
2. Security against MalWare and Viruses
3. Security against access to Content and Database
4. Security for your external devices to access your data from a remote location – Mobile Device Management. See also
You also need to back up your data to an encrypted and password controlled area.

3. Review and update your Documentation

One of the aims of the GDPR is to ensure that companies have documented processes in place and it would be advisable to get a GDPR lawyer to review this. This includes:

1. Data Protection Policy
2. Privacy Statement

a. You’ll need to ensure that all products, processes or services have the right privacy measures in place. And anything new your business develops has privacy built in.
b. Your Privacy Policy needs to be written so your customers can understand it. A well-written policy demonstrates that your business is serious about protecting privacy and customer data. Some things you’ll need to consider when writing your policy:
i. What personal information you ask customers for and where (i.e. what data you collect when an order is placed, or when a service is provided)
ii. Why you need that information and what you’ll use it for
iii. How you store that data
iv. How is it transferred?
v. Is it disclosed to anyone else?
vi. How you delete it

3. Data Protection Impact Assessments

4. Documents about how data is stored and processed

a. You’ll need to review your current IT security policy and how you collect, use and store any customer data. GDPR gives your customers the right to ask you to share and/or erase their personal data. Probably the best place to start is to look at your current systems and gather information. You need to be able to track, disclose and delete data easily if you’re asked to. So….
i. What personal data do you collect?
ii. Can you track and erase personal data?
iii. Where is personal data stored (on computers, servers, in the cloud)?
iv. How is personal data used?
v. Is data disclosed to anyone else, or shared/transferred?
vi. How do you backup data?

© Jamie Allan, February 2018


You might also be interested in this article on keeping your photos & other data safely backed up

2 thoughts on “GDPR Guide for Photographers”

  1. Hi I volunteer photos at sports comps (adults & children), I don’t sell the pics the images are loaded up on facebook to the organisers to share to those that entered. Organisers make a small donation to a charity for the pics as a token. Organisers have wording on entry forms to state that if anyone does not wish their pic to be published to contact the organiser. I am not a professional photographer at all this is a hobby.
    I don’t store names, addresses of any persons on images.
    I am not sure if I need to do anything else in relation to GDPR rules.

    1. GDPR is all to do with what data we store on people and how we use it. Basically, people’s data should be safe and only used for things that they have explicitly agreed to. So, if people have consented to having photos taken and you aren’t storing any further data on them it seems unlikely (as far as I can see) that you’d need to do anything else. Best to make sure that there is consent rather than assuming, just in case.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top