As of May 25, 2018, the General Data Protection Regulation replaces the existing European Data Protection Directive (1995). GDPR affects every organisation that processes EU residents’ personally identifiable information: including us.
This is the new European Union privacy law, mutually agreed in 2016 by the Council of the European Union and the European Commission. GDPR brings all EU member states under a single data protection law and establishes guidelines on how personal data is processed, used, stored or exchanged by businesses. Personal data is any information relating to an identified or identifiable natural person. And includes:
- Basic identity information: name, email, address, ID numbers
- Web data: location, IP address, cookies data and RFID tags
- Health, genetic and biometric data
- Racial or ethnic data
- Political Opinions
- Sexual orientation
The main objective of GDPR is to allow data subjects to have more control over their data as well as achieving a better understanding of how personal data is used.
So, what has changed?
- Companies covered are more accountable for handling of personal data
- Breaches of data reported to the people it impacts within 72 hours
- More power to access information stored about individuals
- Individuals have the right to data erasure
How does GDPR affect Kartoffel Films?
At Kartoffel we accumulate data relating to staff, actors, freelancers and anyone else involved in production under the new guidelines we will be reviewing how this information is dealt with. Under GDPR individuals now have the right to data-erasure, which means that individuals can now withdraw their consent to appear in a film, even if they originally gave it – particularly problematic!
The definition of personal data is sufficiently broad so as to include ‘any information’ which can be used to identify an individual, including: video footage. However this is nothing new, such video footage would also fall within the definition of ‘personal data’ under the Data Protection Directive (1995). ‘Consent’ is not the only lawful ground for processing data. When a business can demonstrate a ‘legitimate interest’ in processing personal data, most processing will remain lawful even without having gained explicit consent.
Under most circumstances, Kartoffel will be able to continue to use and process personal data even if an individual has withdrawn their consent to do so, on the basis of having ‘legitimate interest’. The term ‘legitimate interest’ is not well defined under GDPR and its scope is open to some interpretation. GDPR also requires unambiguous consent that the individual not only consents to filming, but also that they consent to the specific processing and distribution of footage containing them. It is no longer enough to state that because they agreed to be filmed that they also agree for that footage to be used as part of a marketing campaign. This is particularly relevant to working with people who may have difficulty giving informed consent. In such instances a more patient and proactive approach should be taken to ensure that to the best of our knowledge the participant is aware of the involvement in a film and its uses.
To abide by the new regulations, we have
Reviewed consent forms for filming
Considered the impact of persons appearing in our films
At Kartoffel Films we have considered the impact that our control and processing of personal data will have on individuals and we are seeking preventative measures to limit the impact that our involvement with personal data has on those it belongs to.