We take the security of your personal data, and your clients’ personal data, seriously. That’s why we’ve been working hard to prepare this document for you to help you prepare for upcoming changes in privacy law, when the GDPR comes into force on 25 May.
If you’re already complying with the current data protection laws in the UK (the Data Protection Act), it’s likely that you’ll only need to make a few changes to ensure you’re complying with the new law.
We’ve had a number of questions from photographers in relation to the GDPR, and so we hope this FAQ is helpful to explain how your use of Light Blue affects your responsibilities under the GDPR.
The law dealing with the way in which people handle personal data for commercial purposes is changing. The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and you need to be ready to comply with the new rules from that date.
What does the GDPR do?
The GDPR is designed to ensure that people are transparent in their processing activities and when they communicate with data subjects (i.e. your clients).
Does the GDPR apply to me?
Yes, it’s likely that it will apply to you (and most other businesses in the UK and EU).
Data protection laws apply to people who, for commercial purposes, handle ‘personal data’ – which means any information that can identify a living person. By managing your clients, enquiries and bookings, you are handling their ‘personal data’.
Is Light Blue Software GDPR-ready?
Yes. We’ve taken various steps to ensure that we’re ready and compliant. For example, we’ve updated the privacy notice on our website and updated the Light Blue licence agreement to cover the new regulations.
If Light Blue Software are ready and GDPR compliant, why do I need to do anything?
The GDPR distinguishes between the roles of a data processor and a data controller. Light Blue Software is a worked solution used by you to provide a service to your clients. Where Light Blue Software receives information about your clients (e.g. name, address, a photo), Light Blue Software is just a data processor acting on your behalf. You are the data controller. That means the primary responsibility of the GDPR rests with you in relation to your client. However, Light Blue Software has taken steps to help you comply with the GDPR: for example, by adding new GDPR clauses to our licence agreement with you which deals with our processing of your clients’ data.
Light Blue Software will be the data controller in respect of the information we hold about you (our customers) for billing, management, and administration. For more information about how we collect and use your personal data, see our privacy notice.
So what do I need to do?
In relation to your use of Light Blue, you need to be clear and transparent about your use of a third party processor.
Do I need to tell my clients about Light Blue?
Yes, transparency is key under the GDPR. You must inform your clients about the collection and use of their personal data.
What’s the best way to inform my clients that I use Light Blue?
You can update your website privacy notice. Under the GDPR, you’re only required to say that you’re using an externally hosted third party to enable you to provide your service, rather than name Light Blue specifically.
As an example, you could add some wording like this to your website privacy notice: “[Your business name] uses an externally hosted third party to manage and administer your account.”
Will I need consent from my clients to enter their details into Light Blue?
Some aspects of the GDPR are unclear at the moment, but we’ve been working with legal experts and they don’t expect you to need consent from your clients to manage their personal details with Light Blue. Another legal basis for processing (that’s likely to apply here) is that it’s in the legitimate interest of your clients for the administration of their account.
How long can I retain my clients’ data in Light Blue?
Under the GDPR, personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. This means that you can retain your clients’ information whilst you provide the services to them, plus a reasonable period after that.
As part of Light Blue 7.1, we’ve introduced a new tool that can help you to identify personal information that you no longer need to keep so that you can securely delete it. You can find out more about this tool (and the other new features that we’ve added to Light Blue to help you comply with GDPR) in the Light Blue 7.1 release notes.
Will my clients’ personal data be kept secure by Light Blue?
Yes. We take extensive precautions to secure every aspect of Light Blue’s online services, including (but not limited to): encrypting all communications between the Light Blue desktop and mobile apps and our servers; encrypting data at rest on our servers; securing our servers according to industry best practices.
Because Light Blue stores a copy of your data on the devices that you use it on so that you can use it when you don’t have an internet connection, you should take precautions to ensure that no-one has unauthorised access to your own copies of Light Blue. We’ve provided some helpful tips for securing your copies of Light Blue on our blog.
Where does Light Blue Software store my clients’ personal data?
If you’re using our online services, we store a copy of the current version of your data on our servers. Our servers are located in the EU, and we ensure that the providers that we use are compliant with the GDPR.
This is not a substitute for legal advice. You are responsible for your own compliance with data protection laws. This is guidance only and is based on normal use of Light Blue Software products. You’ll need to seek your own advice.