The new General Data Protection Regulation (GDPR) comes into force on May 25. This new law applies to all businesses that process the personal data of European Economic Area residents: this naturally includes PhotoDeck, as well as our professional members.
This is great news. As citizens, we highly value respect for our personal data and therefore welcome the new protections the law affords. As a business, PhotoDeck is based on strong ethical values, and the new law has no impact on our business model (it has always been out of the question, for example, to share data with third parties for purposes other than providing our service). Still, it requires some work to ensure our own compliance, and to help our members ensure theirs.
This first post is an introduction to the topic and to the actions we have undertaken. We will soon publish another article describing in more detail, and in full transparency, the data processing we carry out.
What are we doing?
The first step towards compliance has been to list and review every piece of data we store, its purpose, how long we keep it, the subcontractors that may have access to it, and the associated security measures. This has also enabled us to confirm that we store only the minimum data required for the proper operation of the PhotoDeck service and company, and that each data processing activity is justified.
PhotoDeck is responsible ("data controller") for the processing of data related to our members (for example account credentials, e-mail addresses, postal addresses, connection security data, ...). We have made a few small adjustments, for example regarding the removal of former members' data.
In addition, we are asking members who wish to keep receiving our informative newsletter to re-subscribe, so that we can record their consent as required by the new regulation.
Before May 25, our Terms and Conditions will also be updated to include the clauses required by the GDPR.
GDPR from our members' viewpoint
The service we offer allows our members to process data about their own customers.
In the GDPR sense, PhotoDeck is a subcontractor ("data processor") for the member with regard to the personal data of the member's visitors and customers, and processes this data only as instructed and initiated by the member. In other words, a member exclusively "owns" the data of their site and their customers, controls it fully, and is therefore responsible for it.
The GDPR places obligations on both the subcontractor and the data controller. We are committed to meeting our obligations as a subcontractor, and we are also working to help our members comply, for example by providing:
assurance, in our terms and conditions (update forthcoming), that we assume our responsibilities as a data processor, and therefore that we do not compromise our members' compliance
new subscription options to our members' own newsletters that allow them to record consent as required by the GDPR (done)
full access to their customers' data, allowing them to edit and delete it more easily, for example upon request from the person in question (done, transition underway for old customers)
a feature for customers to export their personal data from their account on the member's website (done, under "My Profile")
PhotoDeck has always fully respected personal data. Adherence to a general principle nonetheless does not necessarily mean automatic compliance with the text of a law: this applies to PhotoDeck as well as to our members, whom we therefore encourage to learn more about the GDPR if needed!