Video Production and GDPR
The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. With its implementation, businesses across Europe are now mandated to change the way they collect, store, and process personal and sensitive data of EU residents. Failure to comply could result in hefty fines. In this post, I want to take a good look at GDPR and what it means for the video production and marketing industry.
How the GDPR Affects UK Businesses
The GDPR aims to give end users more control over their personal data, specifically with who collects their information and what they allow them to do with it. Although GDPR rules are similar to those in the EU’s Data Protection Directive 1995, the latter does not cover the nuances of the internet and social media—which often includes confusing terms and conditions.
The consequences of such have been demonstrated in the recent Facebook-Cambridge Analytica scandal, which saw millions of users’ data in the hands of a third-party app that allegedly affected the 2016 US elections. Although GDPR is a blanket law over all of Europe, each country can make their own changes. In the UK, the government has also enacted the new Data Protection Act 2018 (replacing the Data Protection Act 1998).Anyone who processes personal/sensitive data of EU residents—be it individuals, organisations, or companies in and out of Europe—would need to comply to the following:
- Individual rights. Under the GDPR, users can file a Subject Access Request (SAR) and ask your company to disclose the data you have about them—at no cost. They can also have their data removed, transferred, or object to how data is processed.
- Compliance. If you have more than 250 employees, you’re required to have documentation of what kind of info you’re getting and how they are collected and processed. If you collect data on a large scale, you need to hire a data protection officer (DPO), who will be in charge of monitoring compliance to the GDPR. You also need to have data protection policies, data protection impact assessments, and documents on how your data is processed.
- Obtaining consent. You need to obtain consent to process user information via a positive opt-in, which clearly explains the kind of information you’re getting and what you intend to do with it. The Information Commissioner’s Office (ICO), which implements GDPR over the UK has a comprehensive guide of what should be included in your consent forms.
- Breach reporting. In cases of security breach, you need to report to the ICO and the people affected within 72 hours of finding out.
- GDPR fines. Smaller offences can be fined €10 million (£8.88 million) or 2% of the company’s global turnover (whichever proves to be greater). Those with serious offences can go up to €20 million (£17.75 million) or 4% of the company’s global turnover (whichever proves to be greater).
How To Produce Videos Under The GDPR
If you provide videos to Europeans which involve any act of processing their personal data (e.g. surveys, interactive in-video forms), or produce videos that include EU residents, you are subject to GDPR rules. To stay compliant, follow these guidelines during your filming process:
1. Filming members of your staff
If you’re shooting videos that include staff members, whether yours or your client’s, make sure that they know you are filming them and understand why you are doing it. To stay on the safe side, have a clearly-worded contract or release form that states their consent.
2. Filming in public
Going outside a studio and filming in public may get more complicated, especially if it’s in a big bustling city like London or Bristol. First of all, understand that captured video footage involving anyone in public is considered personal data. So here’s what you need to do:
- Have a written permission from parents or guardians, if you’re going to film and publish a video of a child.
- Get the written consent of anyone identifiable in any shot, whether they are the subject of your video or in the background.
- If you’re in a huge public area and consent forms are nigh impossible, you can place signs around to inform all passers-by of what you’re doing. Do this before you start filming, so anyone who don’t want to be captured can avoid the area.
- Keep your shots focused on the essentials of the story, possibly in close up. This way, you won’t have to obtain any consent forms from anyone in the background.
- Blur any identifiable individuals in the background during the editing phase.
So as not to stifle freedom of expression, those in broadcasting or those whose films are for art/literature/academic purposes have a bit of flexibility under Section 32 of the Data Protection Act. This provision covers your material, as long as the footage is brief and that any individual is not caught in personal/private activity. Do note that if anyone approaches you and wishes to be de-identified in a video, do so immediately.
How To Market Your Video Content Under The GDPR
A 2018 study by Hubspot shows that 54% of customers prefer to watch videos about a brand, as opposed to other types of content. But with GDPR limiting how you can directly communicate with your target audience and send them any marketing paraphernalia, you need to be more creative without overstepping your boundaries:
1. Reassess current strategies
Post-GDPR, you need to obtain consent from your target market before collecting any of their data. That means reassessing and revamping strategies for the following:
- Any online video platform that you use, which capture or track personal information
- Any online video platform that you integrate with CRMs or marketing automation tool
- Any lead generation strategies that you use, such as video surveys, lead forms, and anonymous view tracking
- Any customer information that you share with sales
If you do business with any third-party service providers, make sure that they are also GDPR-compliant.
2. Track your traffic legally
Tracking and monitoring user behaviour is vital in knowing whether your videos are getting the traction that you want. To stay within GDPR limits, do the following:
- Anonymize your data on Google Analytics before storage and processing. You can also add an overlay on your site that asks permission from users regarding cookie usage.
- Let your site visitors know that you use remarketing ads and obtain their consent. In case you publish sponsored content with companies that use track pixels/cookies, inform your audience of this and ask consent. The same goes for affiliate links and display ads.
- Contact forms and email opt-ins should have disclaimers regarding the kind of content users will receive and what you’ll do with their information. They should also have clear checkboxes.
- For comments, disclose the information you’re tracking (e.g. IP address) and if they consent to it.
- Any product sales to EU residents should involve only the necessary information upon checkout. Be clear with how you’ll use their information and if they agree to it.
Cover Your Bases and Stay Compliant
The GDPR places great emphasis on the rights of consumers regarding their privacy and personal/sensitive data. Make sure that you cover your bases by documenting everything—your data collection processes, security, and what you intend to do with all the information that you have. If you haven’t yet, update your terms and conditions into unambiguous words, so your users can freely give you their informed consent. Given GDPR complexities, consider hiring an expert to come up with a plan and guarantee that you stay compliant.
If you need help creating engaging video content for your business that remains within GDPR boundaries, feel free to contact us here at Aspect and we’ll chat to you about what’s involved and how we can help.