How UK GDPR impacts Digital Asset Management

The European Union’s General Data Protection Regulation (GDPR) had been long awaited when it was finally published in April 2016. Subsequently, businesses throughout the EU, including the UK, had to develop new data protection policies and processes to ensure they’d be compliant with the new legislation.

However, within a matter of months of the publication of GDPR, the UK voted to leave the EU, leading to a three-and-a-half-year process of negotiations that finally came to an end on 31st January 2020.

The time UK organisations spent preparing for GDPR was certainly not wasted, though, with the UK adopting almost identical legislation: the UK GDPR.

What is the UK GDPR?

One day before the implementation of EU-GDPR across the whole of Europe, the UK Government approved the updated Data Protection Act (DPA) 2018, a complete reworking of the original 1998 DPA. It incorporated all of the clauses from the European version of the legislation, effectively forming the UK GDPR.

The key principles of UK GDPR

UK GDPR is intended to provide citizens with more control over their personal data, and a key element of this control is consent.

There is a high standard to meet when it comes to consent, but there are four key principles of UK GDPR law organisations should aim to meet:

  1. Consent must be explicit
  2. Keep different consent requests separate
  3. It should be easy to withdraw consent
  4. Evidence of consent should be retained

1. Consent must be explicit

Prior to GDPR legislation, organisations could acquire information through implicit consent. However, GDPR outlines that consent must now be explicit. Providing consent should be an active choice, which means no pre-ticked boxes and no opting people in by default and requiring them to opt out. For consent to be considered explicit, there also needs to be a clear and specific statement of consent.

2. Keep different consent requests separate

Related to the principle of explicit consent, multiple consent requests should be kept separate, not bundled together.

For example, if you need to request consent for processing a customer’s data, sending them marketing communications and sharing their details with trusted partners, each of those requests should be unique. You also can’t bury consent requests within general prompts to accept terms and conditions.

3. It should be easy to withdraw consent

UK GDPR makes it clear that just because someone has given their consent, it doesn’t mean they’ve granted it indefinitely. With that in mind, you must also make it easy for the individual to withdraw their consent at any time, and have clearly defined processes for this.

4. Evidence of consent should be retained

To ensure you can prove the level of consent you’ve acquired, it’s essential to clearly document it, including who consented, when, how, and what you told them.

What does this mean for images and video assets?

First of all, it’s important to note that ‘personal data’ refers to all information related to an ‘identified or identifiable living individual’, which includes photos and video content.

This means all of the same principles of UK GDPR apply to images and video: consent for processing and storage must be documented, individuals have the right to request the assets be deleted, and you must have clear and explicit consent from the individual.

The onus here is on the ‘owner’ of the asset, whether that’s the original photographer, a business or institution.

How does UK GDPR relate to Digital Asset Management?

A typical Digital Asset Management system stores a huge amount of personally identifiable information, whether that’s in the form of photographs or data about individuals.

For example:

  • A collection of photos taken at a public event where specific people can be identified.
  • Metadata related to photos or videos detailing personal information about the subject.
  • Documents related to digital assets that contain personally identifiable information.

In this respect, the DAM is the ‘data controller’, defined by UK GDPR as:

“[T]he natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

And as the data controller, a DAM end-user needs to implement effective processes and policies for handling personal data, and ensure that it’s in compliance with their own privacy terms and the statutory requirements of UK GDPR.

However, a DAM manager isn’t just responsible for their organisation’s own data protection practices, but also for those of any third-party ‘data processors’ acting on their behalf—for example, a photographer responsible for taking photos and recording any relevant personal information about the subjects.

How does ResourceSpace help you manage consent?

If you have a DAM in place, you need to implement policies and processes that ensure it remains compliant with UK GDPR law. However, a DAM will also help you to manage consent.

ResourceSpace allows you to manage all of your consent documentation from a single location, making it easy to view and edit consent, as well as linking consent forms directly to assets. The Consent Manager makes this simple, and even lets you add multiple consent records to each resource. You can also make any necessary changes centrally.

Managing the expiry of consent is also a challenge, but ResourceSpace makes this simple too. You can set expiry dates for specific resources within the metadata, and access to assets with expired consent is then restricted. You can even set up workflows that trigger alerts when the expiry date is approaching, giving DAM managers the opportunity to renew licences. It’s also possible to restrict access to an asset until a certain date, for example if there’s an image in the DAM you haven’t secured a licence for yet.

UK GDPR can be complex, but it’s essential that your organisation gets it right.