When you consider consent you’ll typically think about contact information, your address and, perhaps medical records that you’d consider to be ‘sensitive’ or confidential.

However, laws to do with consent apply to anything where a person is identifiable, and this includes artwork, photos and videos.

Digital asset managers must make sure they have robust consent policies and procedures in place to avoid falling foul of these regulations, and protect the privacy of their organisation’s customers, employees, contractors and the subjects of digital works.

What is consent?

There are six legal bases that allow personal information to be processed - obtaining consent is one of them as set out in article 6 of the UK General Data Protection Regulation (GDPR). It refers to when an individual has given clear consent for an organisation or institution to process their personal data for a specific purpose.

The other five are:

  1. Contract: processing the individual’s data is necessary for a contract, or because you’ve been asked to carry out specific steps before entering into a contract.

  2. Legal obligations: processing is necessary in order for you to comply with the law.

  3. Vital interests: processing is necessary to protect somebody’s life.

  4. Public task: processing is necessary for a task in the public interest, or for an official function that has a clear basis in law.

  5. Legitimate interests: processing is necessary for your organisation’s legitimate interest, or that of a third party, unless there is good reason to protect that individual’s personal data that takes precedence over your legitimate interest.

Consent is defined in Article 4(11) of the UK GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.  

For that consent to be ‘freely given’, the person must have had a genuine choice and control over how their data is used - but what does ‘genuine choice’ really mean?

What is ‘genuine choice’ when it comes to consent?

For a consent request to be considered a ‘genuine choice’, people must be able to refuse consent ‘without detriment’. The key here is whether the consent is required to carry out the task.


Imagine you’re going through the checkout process for buying a digital collection of photos from a museum’s website. Before completing the purchase, you must consent to having your details shared with the museum’s ‘trusted third parties’.

The retailer has made the consent a condition of the sale, but sharing your details is not necessary for processing the order. This means consent is not ‘freely given’, even though customers could choose to abandon the purchase.


As part of the checkout process, an art gallery requires you to consent to having your details shared with a third-party courier that handles all of the gallery’s orders. You can also choose to opt-in to the gallery’s monthly newsletter, but it’s not required to complete the purchase.

In this case, both consents can be considered freely given. It is necessary for your information to be shared with the courier for completion of the sale, while opting into the gallery’s newsletter is optional.

The implications of GDPR

We should start with a clarification: the General Data Protection Regulation (GDPR) is no longer applicable in UK law.

GDPR is a European Union regulation, so when the UK left the EU on 31st January 2020, it ceased to be in effect. However, the GDPR framework has been retained, with the ‘UK GDPR’ sitting alongside an amended version of the Data Protection Act (2018) which controls how personal information is used by organisations, businesses or the government. There are very few significant differences between the UK version of GDPR and the original EU regulations, with the UK essentially lifting the entire structure of the original framework and placing it into UK law.

The Data Protection Act provides individuals with a number of rights when it comes to how their data is used and stored, including:

When it comes to consent specifically, UK GDPR sets a high standard. It means offering individuals a genuine voice, and control over how their data is processed on an ongoing basis. Here are some key principles:

Explicit consent

Providing consent should be an active choice. This means you shouldn’t use pre-ticked boxes, or require individuals to opt-out. Explicit consent also needs a clear and specific statement of consent.

Keep consent requests separate and granular

Under UK GDPR, consent requests cannot be buried in the Terms & Conditions. They should also be specific and ‘granular’, enabling the individual to consent to each separate use of their data.

Make it easy for people to withdraw consent

Under UK GDPR, freely given consent is not indefinite or even for a set period of time, and individuals should be able to easily withdraw consent at any time—and you should explain how they can do this.

Keep evidence of consent

It’s also important to document the details of the consent individuals have provided—who, when, how and what you told them. This is particularly important for public authorities that need to take extra care to demonstrate consent has been freely given.

What does this mean for images and video assets?

First of all, it’s important to note that ‘personal data’ refers to all information related to an ‘identifiable or identifiable living individual’, which includes photos and video content.

This means all of the same principles of UK GDPR apply to images and video: consent for processing and storage must be documented, individuals have the right to request the assets be deleted, and you must have clear and explicit consent from the individual.

The onus here is on the ‘owner’ of the asset, whether that’s the original photographer, a business or institution.


Let’s take a closer look at how consent relates to photography.

If an individual can be identified by an image, data protection legislation applies. For example:

The two museum employees in this image are clearly identifiable. Therefore, consent would have to be obtained from both of these individuals before the museum could use the image for marketing..

By contrast, the people in this photo aren’t identifiable, so consent wouldn’t have to be obtained by the gallery before using this image.

Photographs of individuals and posed groups

There are three legal bases for photographs of individuals and posed groups: ‘legitimate interest’, ‘consent’ and ‘contractual obligation’.

Legitimate interest

Legitimate interest is recommended by the ICO as it is the easiest legal basis to prove, but it still has to be used correctly. 

Although this basis does not require explicit consent, you need to be able to show that taking the photograph(s) was necessary for your organisation’s (or a third-party’s) legitimate interest, unless there was good reason to protect that individual’s personal data—in this case, their likeness—that takes precedence.


In cases where ‘consent’ is being used as the legal basis, this consent needs to be secured and correctly stored. Ideally, the image and the consent form should be kept together within your Digital Asset Management system.

This consent form needs to be retained for as long as you wish to keep and use the image.

It’s important to note that individuals can withdraw consent for their image to be used at any time, but that the consent is still considered valid up to the point of withdrawal. This means that if the person’s likeness has been used on printed materials that have been sent out and that you no longer have control of, you do not need to take any action. However, it does mean that copies of printed materials still in your possession cannot be used, while anything on display would need to be removed as soon as practically possible.

Contractual obligation

An example of the ‘contractual obligation’ legal basis would be taking a photograph of a keynote speaker at an industry conference or of a model you’ve employed for the purposes of taking the photo(s).

Note that taking the photo must be necessary for this basis to apply. If you can reasonably perform the contract by processing less data (not taking the photo) you should do so.

Remember that, regardless of the legal basis, the data subjects must be told what you intend to do with the photographs.

Photographs of crowds

For crowd shots that contain no identifiable individuals, no legal basis is required for taking, displaying or publishing the image. If a crowd photo does include identifiable individuals, then the legal basis is ‘legitimate interest’.

If you’re taking photos at an event your organisation is running, or on your premises, you should do the following:

READ MORE: How to manage consent for group events

Photographs of children

According to UK Data Protection law, you must take extra care when using children’s personal data. However, despite the need to take extra care, the law itself isn’t that different apart from requiring consent from the child’s parent or guardian.

READ MORE: Why ResourceSpace is perfect for... academic institutions

Case study: charity/marketing

A marketing team at a national children’s hospice produces illustrated ‘stories’. These raise awareness of how they’re helping families with terminally ill children. 

Each story has a set of photographs of a child, on their own and alongside hospice staff, and includes a written description. The story is used in promoted social media posts, and the images are treated as a set with different photos from the same collection being used across different platforms. There’s also a video of the child with a voiceover telling the story, which is used as part of a longer video. 

Before sharing anything, the hospice must agree with the family how and where the story will be used, how long to make it available for, and confirm how much they feel comfortable disclosing about their child’s prognosis. The legal guardian(s) have to sign a consent form that includes all of this information. A copy of the form is given to the family and the original is saved by the hospice. The form is set to expire after the agreed period. Before that date is reached, the hospice will need to decide if they intend to re-contact the family about renewing the consent if they want to continue sharing the story.

How Digital Asset Management supports compliance

A dedicated DAM system includes a number of features that help to manage consent and ensure you stay within the law.

Store and manage consent records in one place

A DAM allows you to manage subject consent in a single location, making it easy to view and edit consent documents and link them directly to the assets they relate to.

ResourceSpace’s Consent Manager does exactly this, allowing you to add multiple consent records per resource and make changes centrally.

READ MORE: Five ways ResourceSpace can help streamline your consent process

Setting license expiry dates with metadata

Permission to use an image does not necessarily last forever. Licenses and consent will be time limited, and a DAM will make it easier to keep track of this using metadata.

In ResourceSpace, you can set license and consent expiry dates as a metadata field, and create workflows that automatically send alerts when that expiry date is approaching. This gives DAM managers the opportunity to renew the license or consent. If it isn’t renewed the system will automatically archive the material and take it out of general circulation.

Manage image releases

As well as setting expiry dates with metadata, you can also restrict assets from being accessed until a certain date. For example, you might have an image in your DAM system but you don’t yet have the usage license agreed. This can be automated too, with a workflow that triggers the release into general circulation.

Set access permissions

When a digital asset is used in a way that doesn’t comply with the license or consent, it’s often by accident, and typically it’s because the person or team using the asset isn’t aware of the restrictions.

Restricting access permissions to certain assets goes a long way to avoiding this, with DAM managers able to control who can view, download or edit an asset, while they can also review access requests to help identify whether a use case might be in breach of the license.

Discover how ResourceSpace manages consent and licenses

Want to find out more about how ResourceSpace makes managing consent and usage licenses easy?

Request your free 30-minute demo and we’ll show you how these features take the hassle out of consent management—and help you to comply with data protection law.