GDPR Fact-file

By Matt Abbott | 26th Apr 2018


The General Data Protection Regulation comes into force from May 25, 2018. Despite it being an EU regulation, it will be enforced in the UK regardless of Brexit.

Though there are journalistic exemptions, there are key principles with which journalists and news publishers (including community and hyperlocal journalists) must comply.

ICNN’s in-house media law advisor, David Banks, has written the following guide:

If you are using a contacts or email database to contact subscribers you must get a new opt-in consent from them to continue sending them material. This must specify what their contact data will be used for and you must adhere to this stated purpose. It cannot be transferred to another organisation or repurposed by you without consent. It must be made clear how subscribers can unsubscribe and remove their data from your database. If you are using an email management programme to send out information, several of them have rolled out GDPR-compliant subscription and consent forms which you can send to your subscribers. For Mailchimp users, here is a link on how to collect consent with GDPR forms. For a more thorough look at GDPR from Mailchimp’s perspective, see here.

The GDPR establishes the following principles, that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The GDPR has to balance individual rights over their data against other rights, such as the right to freedom of expression in the European Convention on Human Rights. So there is an exemption where data is being processed for a journalistic purpose. This is not a blanket exemption though, and the journalist would need to demonstrate that the story could not be done without using the data in this way and that it was in the public interest to do so.

We will have to comply with the new ‘right to be forgotten’ in the GDPR unless we can show a public interest reason why we do not need to. You need to assess what personal data you hold about people and how you can give effect to this right if required.

Mike Press, Director of Open Change, has produced a detailed guide on GDPR which includes procedures for photography, video and audio recordings. The article also includes a handy template for media consent cards.

Here’s a quick guide for video journalists and photographers:

You should already be operating under some form of consent policy, i.e. the filming/photography of children, or in areas that require specific consent. This must now be reviewed and updated under the new regulation.

Personal data must now be processed in favour of the individual and not the processor. This means that while captured video footage fell under the previous definition of personal data, the processing of it will become stricter under the GDPR. So, any information that could identify someone, including their face and the location they are filmed in, qualifies as personal data.

You must get the consent of people that are identifiable in your footage/images, including those who appear in the background. This is very clear. What is not clear, however, is how you go about this. There are currently four ways to comply.

  • Get written consent from anyone identifiable in your shot, including those in the background.
  • Place signs to ensure people in the area know you are filming/shooting images.
  • Focus on the essentials of the story, close-ups, exclude the background where possible, blur identifying features at edit stage.
  • Avoid shooting people in compromising or private situations. There are places which may appear public but are in fact places where people should have a reasonable right to privacy. Make sure you are aware of these.

Unfortunately, it just isn’t possible to provide a clear take on the changes at this stage. The language is still ambiguous and things are likely to change. Take a close look at Section 32 of the Data Protection Act. It is believed, by some, that many of the freedoms given to journalists under this law will continue.

In the meantime, make sure you are aware of the issues and practices, and that you are willing to cooperate. If you are filming/photographing and someone requests not to be identified, as long as you rectify the situation immediately, you should be OK.

Helpful WordPress plugins

  • GDPR: a nearly all-in-one solution with options for consent management, privacy policy configurations, fulfilling data export requests, and more.
  • Shariff Wrapper: prevents the automatic transmission of data via sharing plugins.
  • GDPR Personal Data Reports: generates a personal data report for users invoking their Right of Access.
  • Wider Gravity Forms Stop Entries: allows Gravity Forms users to stop sensitive information from being stored on their servers.
  • Delete Me: allows users to delete their own accounts and profiles.

Using Google Analytics?

  • If, like us, you use Google Analytics to keep track of who visits your website, then you may want to think about the data that is being collected and how it is processed. After all, IP addresses, cookies and behaviour profiles all fall under the umbrella of personal data.

Follow this link for 5 Actionable Steps to GDPR Compliance with Google Analytics


Information Commissioner’s Guidance

Data Protection and Journalism: a guide for the media

Data Protection and Journalism: a quick guide

A detailed guide to GDPR by law firm Bird & Bird

ICO Guidance for small organisations

NUJ parliamentary briefing submitted to the parliamentary bill committee about the draft data protection legislation. 

Worried that GDPR compliance will put a dent in your newsletter subscriber count? Read this handy guide on how to retain your audience.

Section 32 Data Protection Act 1998

GDPR and the movie-maker

What GDPR means for photographers – the lowdown

Moving Image video specialists’ guide: GDPR

The GDPR and you
