Keeping your media library GDPR-compliant with Third Light
Around Europe, businesses have prepared themselves to comply with the new GDPR (General Data Protection Regulation) law, which came into force on 25 May 2018. The law put stringent new controls in place on how businesses handle personal data. How can Third Light help you comply with the law?
One of the most important principles of GDPR is to obtain consent from any person whose data is stored. For example, if you have a record of a name and email address, or perhaps a photograph whose metadata is tagged with someone's name, then this is personal data and you need the person's consent.
In Third Light, there are several features which are designed to help with permissions, consent and record-keeping in this area. Here are some ways you can use Third Light to support your GDPR compliance.
1. Site Terms and Conditions
When a user logs into your Third Light system, you can require that they accept a set of terms and conditions. In IMS v6, this is enabled from the Configuration > Site Options page, under "Terms and Conditions". In Chorus, it's found in the Site Privacy settings menu. To avoid becoming a nuisance, once a user accepts the terms, this decision is recorded. However, if you change your terms and need users to review them again, then there is a button to clear all existing terms and force users to go through this process again.
V6: Documentation for Site Terms and Conditions
Chorus: Documentation for Site Terms and Conditions
Chorus also offers the ability to set a log retention policy, so that personal data is not stored indefinitely.
2. Approvals and terms and conditions on key actions
Third Light includes two features which help you create manual approval workflows. For example, you can make your site require a user to accept a set of upload terms and conditions before they proceed with an upload, or you can require that another user reviews their files after upload (for example, a team manager or a legal review department can check that all inbound files have been checked for copyright claims, consent, etc.).
Similarly, you can use approvals on downloads. This can be used to ensure that users consider any privacy implications before they re-use or publish a file, perhaps by drawing attention to your GDPR policies and ensuring that no inadvertent errors are made.
V6: Documentation for upload approvals
V6: Require users to accept terms and conditions for uploads
V6: Documentation for download approvals
3. Attaching Consent Forms
When photography containing individuals is stored in your site, you may need to acquire consent from the person depicted. This is generally achieved using a consent form which they sign, giving you the right to store the image. For your convenience, you can attach consent forms to your files using Third Light. This helps keep images and the relevant records for those images associated (assuming the consent form is a file). Don't forget, you can also use metadata to store consent - which may be even more useful as it is searchable.
V6: Documentation for attaching consent forms to files
Chorus: Documentation for attaching consent forms to files
4. Using Metadata to Record Consent
Third Light is built for metadata flexibility. For example, you can add custom metadata fields which can be drop-downs, yes/no options, tree structures or free text. You can use this as part of your GDPR compliance package, for example to record consent, to maintain a log or to refer to other systems. Metadata fields can be protected from editing, or even made hidden if required, again helping to stop information from being changed by accident or revealed in the wrong contexts.
V6: Documentation on customising metadata fields
Chorus: Documentation on customising metadata fields
Tip: You can also use Chorus expiry and embargo features, which help keep all use of a file within a set date range.
Next steps with GDPR
Please remember that GDPR compliance is not a feature, but a process for your organization which may require specialist legal advice. For further guidance, please see the Information Commissioner's Office web site at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.
Third Light's privacy policy, with other legal notes on GDPR, is available here: https://www.thirdlight.com/terms-and-conditions.