How UK GDPR impacts Digital Asset Management

The European Union’s General Data Protection Regulations (GDPR) had been long awaited when they were finally published in April 2016. Subsequently, businesses throughout the EU, including the UK, had to develop new data protection policies and processes to ensure they’d be compliant with the new legislation.

However, within a matter of months of the publication of GDPR, the UK voted to leave the EU, leading to a three and a half year process of negotiations that finally came to an end on 31st January 2020.

However, that time UK organisations spent preparing for GDPR was certainly not wasted, with the UK adopting almost identical legislation: the UK GDPR.

What is the UK GDPR?

The UK GDPR, or the United Kingdom General Data Protection Regulation, is a set of data protection laws in the UK that govern the handling of personal data. It was adapted from the EU GDPR (European Union General Data Protection Regulation) following the UK's departure from the EU. The UK GDPR, along with the Data Protection Act 2018, forms the core of the UK's data protection regime.

The key principles of UK GDPR

The UK GDPR aims to give individuals greater control over their personal data, emphasising the crucial role of consent. To comply with UK GDPR, organisations must adhere to four essential principles regarding consent:

  • Consent must be explicit: Individuals should clearly and affirmatively agree to the processing of their personal data.
  • Separate consent requests: Consent requests for different data processing activities should be kept distinct to ensure clarity.
  • Ease of withdrawal: It should be straightforward for individuals to withdraw their consent at any time.
  • Evidence of consent: Organisations must keep records to demonstrate that consent was obtained.

These principles ensure that consent under the UK GDPR is meaningful, providing individuals with genuine choice and control over their data.

1. Consent must be explicit

Prior to GDPR legislation, organisations could acquire information through implicit consent. However, GDPR outlines that consent must now be explicit. Providing consent should be an active choice, which means no pre-ticked boxes or opting people in by default and requiring them to opt-out. For consent to be considered explicit, there also needs to be a clear and specific statement of consent.

2. Keep different consent requests separate

Related to the principle of explicit consent, multiple consent requests should be kept separate, not bundled together.

For example, if you need to request consent for processing a customer’s data, sending them marketing communications and sharing their details with trusted partners, each of those requests should be unique. You also can’t bury consent requests within general prompts to accept terms and conditions.

3. It should be easy to withdraw consent

UK GDPR makes it clear that just because someone has given their consent, it doesn’t mean they’ve granted it indefinitely. With that in mind, you must also make it easy for the individual to withdraw their consent at any time, and have clearly defined processes for this.

4. Evidence of consent should be retained

To ensure you can prove the level of consent you’ve acquired, it’s essential to clearly document it, including who, when, how and what you told them.

What does this mean for images and video assets?

First of all, it’s important to note that ‘personal data’ refers to all information related to an ‘identifiable or identifiable living individual’, which includes photos and video content.

This means all of the same principles of UK GDPR apply to images and video: consent for processing and storage must be documented, individuals have the right to request the assets be deleted, and you must have clear and explicit consent from the individual.

The onus here is on the ‘owner’ of the asset, whether that’s the original photographer, a business or institution

How does UK GDPR relate to Digital Asset Management?

A typical Digital Asset Management system stores a huge amount of personally identifiable information, whether that’s in the form of photographs or data about individuals.

For example: 

  • a collection of photos taken at a public event where specific people can be identified.
  • Metadata related to photos or videos detailing personal information about the subject.
  • Documents related to digital assets that contain personally identifiable information.

In this respect, the DAM is the ‘data controller’, defined by UK GDPR as:

“[T]he natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

And as the data controller, a DAM end-user needs to implement effective processes and policies for handling personal data, and ensure that it’s in compliance with their own privacy terms and the statutory requirements of UK GDPR.

However, a DAM manager isn’t just responsible for their organisation’s own data protection practices, but those of any third-party ‘data processors’ acting on their behalf—for example a photographer responsible for taking photos and recording any relevant personal information about the subjects.

READ MORE: Navigating consent and Digital Asset Management

How does ResourceSpace help you manage consent?

If you have a DAM in place you need to implement policies and processes that ensure it remains compliant with UK GDPR law. However, a DAM will also help you to manage consent.

ResourceSpace allows you to manage all of your consent documentation from a single location, making it easy to view and edit consent, as well as linking consent forms directly to assets. The Consent Manager makes this simple, and even lets you add multiple consent records to each resource. You can also make any necessary changes centrally.

Managing the expiry of consent is also a challenge, but ResourceSpace makes this simple too. You can set expiry dates for specific resources within the metadata, with access to assets with expired consent being restricted. You can even set up workflows that trigger alerts when the expiry date is approaching, giving DAM managers the opportunity to renew licenses. It’s possible to restrict access to an asset until a certain date too, for example if there’s an image in the DAM you haven’t secured a license for yet.

UK GDPR can be complex, but it’s essential that your organisation gets it right. To find out more about how ResourceSpace can help you stay compliant, request a 30-minute demo here. Alternatively, click below to instantly launch for free Digital Asset Management portal.