GDPR one year on - How media libraries are helping with data regulation compliance

The Data Protection Act (DPA), General Data Protection Regulation (GDPR), Privacy and Electronic Communications (PECR) and imminent ePrivacy Regulation (ePR) - in our current climate, marketers need to be regulation experts in order to avoid serious consequences. Getting data right is a legal imperative, but it’s not easy keeping abreast of the regulations, ongoing changes and how these apply to your business.

Speaking on the issue earlier this year, Guy Parker, chief executive of the ASA, told CIM:

“Effective regulation is good for companies because it helps provide a level playing field for everyone. Those who don’t stick to the rules face consequences. By ensuring higher standards, effective regulation gives people more confidence in the claims companies are making.”

Elizabeth Denham CBE, UK Information Commissioner, has set out a commitment to increase the trust consumers have in what happens to their personal data. This forms the basis of her strategic plan and has been demonstrated in her commitment to ensuring companies are transparent with the public about how personal information is used, notably with high-profile investigations into Yahoo, Camelot, WhatsApp and Facebook.

General Data Protection Regulation (GDPR)


The past decade has seen an enormous growth in the volume of personal data being held by businesses, as e-commerce sites, social media channels, news distributors and cloud-based software services have continued to appear and expand. Many scandals, data breaches and cases of ID fraud have been reported in the news, so it’s no surprise that consumers are becoming anxious about how their data is being used.

With that in mind, the General Data Protection Regulation (GDPR), which came into force in May 2018, aimed to bring definition, clarity and accountability to data practice, and applies wherever you are processing ‘personal data’. This means if you can identify an individual either directly or indirectly, then the GDPR will apply - even if that individual is in a professional or business capacity. GDPR affects any company, anywhere in the world that is doing business within the EU and even applies to a company’s supply chain.

GDPR images and personal data

A year on, all private and public organisations that process the personal data of EU citizens should have audited and updated their approach to the data they process accordingly, but so far that doesn’t seem to be the case.

One of the most important principles of GDPR is to obtain consent from any person whose data is stored, an element that changed the definition of consent within The Privacy and Electronic Communications Regulation (PECR). However, a CIM survey, conducted 6 months after GDPR was introduced, indicated that little had changed, and consumers were receiving similar amounts of unsolicited emails - 22% in November 2018 compared to 29% in May 2018. But the report did show a significant increase in the awareness of GDPR amongst consumers, from 41% in May 2018 to 72% in November 2018, making it all the more important for companies to take care of their customers’ data. Marketers must recognise that GDPR isn’t a set of guidelines for best practice; it’s a new set of laws. And given consumer concerns about data, the introduction of GDPR is an opportunity for marketers to engage customers and build trust and loyalty.

At Third Light, we’ve seen some very positive signs from our customers. In the last 12 months there has been a notable increase in enquiries from companies, particularly from the education sector, wanting to know how our media library Chorus can help with their GDPR compliance. These organisations typically have extensive image archives that contain images of people as well as their growing library of current visual content, and increasingly have the need to provide further functionality so they can distribute, re-purpose and re-use those files in line with current legislation.

Nathan Stewart, Production Manager, Image Services from Victoria University in New Zealand explains:

"As we are often taking shots of students on campus, having correct usage rights and consents is essential if we are providing the images as stock assets available to staff.”

A media library enables instant access to pre-approved assets to use in promotional materials, and also enables data controllers to monitor how those assets are being used – an important part of GDPR compliance.

Managing consent with digital media libraries

Anna Sigurdsson from Stirling University’s marketing department explains:

"It allows people to instantly access and download images for use on posters, pamphlets, web pages and other promotional materials, and it also gives us the ability to monitor which images are being downloaded, where they are being used and what they are being used for.”

Charities also felt the blow from GDPR as their donor lists were stripped overnight and many had been ill-prepared for the changes. Discussion of GDPR in the charity sector has often focused on fundraising, but this has missed the scale of the change, according to Daniel Fluskey, Head of Policy at the Institute of Fundraising:

"GDPR covers everything that organisations can or need to do in relation to the personal data of individuals – whether that’s campaigning, volunteering, or service user/ beneficiary information. Charities need to take a whole-organisation approach to getting to grips with the changes and making sure they don’t just focus on the fundraising side of things.”

Children’s charities hold a lot of sensitive information that requires very sensitive handling, so access restrictions and accurate audit trails are a must. Animal charities such as the RSPCA prosecute under the Animal Welfare Act, so they hold a lot of legal evidence, some of which is of a photographic or documentary nature, containing sensitive and confidential information. Charities like RNIB run care homes, so private medical records need to be housed in accordance with the new legislation.

Whilst the education and charity sectors may feel the burden of GDPR more than others due to the nature of their operations, no company is immune to the regulations. All businesses now need to make sure they’re on top of their data privacy requirements, before the fresh challenge of the new ePrivacy regulation comes into force in 2020.

Want to know more about how media libraries can help with your data compliance? To get a copy of our latest guide: Privacy Laws and Media Libraries, keeping compliant, email [email protected]