

GDPR and MyPhotoApp

By Kim Dixon, MyPhotoApp Training Guru

Created: May 28, 2018, 11:24 am UTC
Last updated: May 29, 2018, 3:42 pm UTC

 
NOTE: This article is still being updated and more information will be added as the application of GDPR becomes clearer.
 

Our Privacy Policy

We have recently updated the MyPhotoApp (MPA) privacy policy in line with GDPR to make it clearer that MPA follows the principles of GDPR: http://myphotoapp.com/privacyPolicy.html
 

Data transfer outside the EEA

Is MyPhotoApp registered with the EU-US Privacy Shield?

There are many different opinions expressed about the GDPR, and one is that photographers based in the EU can no longer use companies based in the US unless those companies are registered with the EU-US Privacy Shield. Interestingly, however, fewer than 4,000 companies from the entire US have actually paid to do so. Registering with the Privacy Shield is a self-certification process: the company submits a privacy policy committing to the Privacy Shield principles, agrees to follow them and pays an ongoing annual fee. It is one recognised mechanism for transfers to the US, not the only one.

MyPhotoApp is GDPR compliant and routinely provides the same standard of data protection as is expected in the EU.

GDPR does not prohibit storing data outside the EU, but it imposes additional safeguards so that data controllers choose reputable companies they have confidence in, who will look after people's data and not infringe people's right to privacy. The safety of people's data is important to us and all the expected safeguards to protect it are in place.
 

Lawful Basis For Transferring Data to the US

MyPhotoApp is committed to providing a high standard of service. Data protection and privacy are important to us, and industry-standard measures are in place to protect the data transferred to and stored on the MyPhotoApp server.

Note that the basis for an international transfer (GDPR Article 49) is separate from the Article 6 lawful basis you already need for processing your clients' data at all; you need both. There are two clear Article 49 derogations that allow you to continue providing services using MyPhotoApp:

1. Necessary For The Performance of A Contract

When you provide apps to your clients you are covered by the Article 49(1)(b) derogation: the transfer is "necessary for the performance of a contract between the data subject and the controller".

When you supply clients with photo apps as part of the service they have paid you for, you have a contract with them, and the app cannot be delivered without the transfer.

2. Explicit Consent

Alternatively, if you prefer, you can use explicit consent (Article 49(1)(a)) as your basis for the transfer. To do this, add a clause to your contract or order form covering the use of a US-based third-party service provider and the transfer of the client's data to the US when they choose or receive a photo app as part of their package. Article 49(1)(a) requires that the consent be explicit and that the client first be "informed of the possible risks of such transfers ... due to the absence of an adequacy decision and appropriate safeguards", so the clause should say plainly that the data goes to a US provider rather than bury the transfer in general terms. Clients then provide clear evidence of their consent to the transfer when they sign the contract or order form.

 

How Do I Make Sure My Business is GDPR Compliant?

If you are based in the EU or have EU customers you need to be aware of GDPR and the measures you must put in place so that your business has a GDPR-compliant data protection policy. If you already have a fairly robust data protection policy, this will mean adding some extra measures and updating your processes and information.

As a first step, I recommend downloading the easy-to-understand FREE GDPR checklist below to help you work out what you actually need to do to get all your ducks in a row. I found this one, provided by the UK lawyer Suzanne Dibble, really useful and it's the one I used. You can download your FREE copy by clicking the link below:

Free GDPR Check List

 

When you do, you will also receive information about Suzanne's Facebook group, which I also highly recommend, and the GDPR document pack for businesses that she also sells, if you want a stress-free solution and can't be bothered to do the research and writing yourself. I didn't invest in this as I had already done the work by the time I discovered it, but those who did have commented that they believe it saved them a lot of stress and weeks of research and work.

There is a lot of FREE information for businesses and individuals available on the ICO (Information Commissioner's Office) website about the new measures GDPR requires from businesses that control or process personal data (often called personally identifiable information), which of course includes photographs of identifiable people.

Click here to visit the site and find out more:

ICO Guide To The GDPR

 

Other sources of information and documentation that may help those located primarily in the UK are:

The Guild Of Photographers - they have a FREE privacy policy template for members and also a negotiated deal with a company that will create a customised Privacy Policy and keep it up to date with any new changes. You can click below to find out more about The Guild of Photographers, and you will also get a 10% discount if you join using this link.

Join The Guild Of Photographers

The Federation of Small Businesses - they have a FREE legal helpline for members and vast resources of legal documentation and guides for all aspects of business, including GDPR, plus some GDPR webinars.

Click below to find out more about joining the FSB

The FSB

There is a lot of conflicting information out there and a lot of scaremongering about the GDPR that makes it sound impossible to carry on business as usual. But it is ONLY data protection and, to be honest, it's about treating people's information with respect, due care and diligence, which after all is how we all want our own personal information to be treated by the businesses we deal with. So do not panic, but equally, do not ignore it!

 

How Do I Inform My Clients?

Update Your Privacy Policy

It's a good idea to add an appropriate statement to your privacy policy, under "How we share your information", about third-party suppliers and data transfer and storage. Mention that you may also use selected suppliers outside the UK/EEA for some products and services, and that you choose carefully selected companies that follow the principles of the GDPR. Many examples of suitable clauses are available from a range of resources online.

If you haven't already created a Privacy Policy, here are a couple of useful privacy policy generators you could use:

Iubenda.com

DGD Deutsche Gesellschaft für Datenschutz GmbH

Here are some examples of the sort of information you could add:

How we share your information

"In order to provide outstanding products and services for our clients, YOUR BUSINESS NAME may share data about customers with carefully selected suppliers and service providers who assist us in operating our website, conducting our business and serving our clients, so long as those parties agree to keep this information confidential. Third-party service providers are only authorised to use the personal information necessary to complete the services requested."

"We constantly seek to provide the best products and services we can for our clients, and this may include using selected suppliers who operate outside the EEA."

 

Data Transfer & Storage

"Some products and services we offer, such as customised Photo Apps, may involve the transfer of personal information to service providers based outside the EU. For example, if you have selected a Photo App, you acknowledge and agree that your information will normally be received by or transferred to servers located within the United States and processed by our selected third-party service provider. We only work with selected companies who provide a high level of service and have a data protection policy that is GDPR compliant."

 

What About Form Data?

If you are based in the EU and use Apps for your business that include contact forms, application forms, marketing sales funnels or lead magnets, you should now make sure that they meet GDPR requirements when collecting personal information.

This means that you should be clear and transparent about how you will use the information you are asking for, and should refer to your privacy policy so people are aware that data may be transferred outside the EU.

MyPhotoApp has lots of tools to help you make great GDPR-compliant Apps:

eForm section - it's easy to add a checkbox to a form to provide a clear opt-in

Pop-up Section - allows you to easily deliver a simple privacy notice or other info and/or collect information

Hero section - allows you to provide text and a button with an image background

Welcome Section - unlike the pop-up and hero sections, this restricts access to the rest of the app until the button is pressed. It allows you to add a privacy notice, message and footer, collect data if wished, or just provide a button to click to agree to the statement.

Document, text & markdown sections  - easily add privacy notices and terms & conditions, text links and footers to your apps.

PDF Section - Add a privacy policy in this popular format.  

Menu & Menu+ - Add navigation to relevant documents & information.

Buttons - You can use any of the button sections to easily link to your documentation. 

If you are collecting leads to add to a marketing mailing list you should ensure that the form allows for a clear opt-in. This means that if you have included a tick box it must not be pre-ticked, as people should make an affirmative opt-in to be added to a marketing list.

It's a good idea to add a brief privacy statement to reassure people that their data is safe with you.

Here is an example of a statement added to a portfolio model application form that also included an opt-in tick box:

This is a belt and braces approach. Pressing the submit button is itself an affirmative action, so it is often said that the tick box is not strictly needed. However, GDPR requires consent to be specific and clearly distinguishable from other matters (Article 7), so where the form's main purpose is something else (here, a model application), a separate, unticked box for the marketing list is the safe way to show that the person opted in to marketing and not just to the application.

 

One of the other requirements when building mailing lists for marketing is that you must be able to demonstrate how and when people opted in to be added to a marketing email list, as well as exactly what they opted in to. MyPhotoApp can help you capture this essential information for your records in several ways:

1. You can link any form you create to a MailChimp list. Even if you do not use MailChimp to send emails, it's a great way to collate information. You can create a new list for each specific campaign, and you then have a clear record of who signed up and what they signed up to, as the list is linked to that particular lead-generation campaign.

2. You will receive an email record of the form submission that you can keep as a record.

3. Form Data - you can download the CSV data from your form submissions to have a permanent record of the data. Form Data is saved on the MyPhotoApp server for 180 days and then deleted, so download it before then if you need to keep it.

4. Forms and any section that has a data-collection element can now automatically be linked to the new CRM module. The source of each client entry is the name of the App, so you can query on the app name to filter client records added to the Rolodex from that App, and then export the client data as a CSV file. You can also add keywords and notes.

 

Here is a great resource that talks about how to make GDPR-compliant emails and lead magnets:

Make Your Marketing GDPR Compliant

 

What About Websites created with MyPhotoApp?

It's really easy to create a website using MyPhotoApp. If you are based in the EU or have EU visitors and clients, you must include a Privacy Policy on your website and an easy means for people to access it from your Homepage. MyPhotoApp makes this really easy to do, with lots of sections and features you can use.

For example, you can do this using a page section with a document, markdown or text section and a simple text or button link to the Privacy Policy document. You can also add it to a Menu or Menu+ section to make it even easier to find.

If you have a Contact Us form, you might also want to add a statement that by submitting their information or request people are agreeing to your privacy policy, with a link to the privacy policy at the bottom of the form.