Collaborative Media – Video Production and GDPR

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. With its implementation, businesses across Europe are now mandated to change the way they collect, store, and process personal and sensitive data of EU residents. The aim of the GDPR is to prevent a personal data breach which could lead to a potential maximum fine by the Information Commissioner’s Office of €20m or 4 per cent of global annual turnover, whichever is higher.

The GDPR prescribes that images and video recordings of individuals constitute personal data, and therefore fall within the GDPR; however, determining whether personal data is in images is not always clear-cut.

GDPR and Collaborative Media

We acknowledge that our company is affected by GDPR, as we reside within the EU and we have clients, staff and crew from EU countries. As a result, we must comply with GDPR laws.

How we produce videos under the GDPR

As we provide videos to EU residents which can sometimes involve acts of processing their personal data (e.g. live-product testing, interviews etc.) and videos that include EU residents, we are subject to GDPR rules.

To stay compliant, we always follow these guidelines during our filming process:

  1.     Filming members of your staff

When shooting videos that include staff members, we make sure that they know we are filming them and understand why we are doing it.

  2.     Filming in a public space

Going outside a private space and filming in public is more complicated, especially if it’s in a busy city like London. First of all, captured video footage involving anyone in public is considered personal data. Therefore, in all cases, we make sure that we:

  • Receive written consent of anyone identifiable in any shot, whether they are the subject of your video or in the background.
  • If we are in a huge public area where consent forms are practically impossible, we place signs around it to inform all passers-by of what we are doing. We do this before we start filming, so anyone who does not want to be captured can avoid the area.
  • We keep our shots focused on the essentials of the story, possibly in close up. This way, we do not have to obtain any consent forms from anyone in the background.
  • During the editing phase, we make sure to blur any identifiable individuals who happen to be in the background.

How we market our video content under the GDPR

GDPR limits how we can directly communicate with our target audience, so we are creative without overstepping boundaries:

  1.     Consent

We obtain consent from our target market before collecting any of their data:

  • Any online video platform that we use which captures or tracks personal information
  • Any online video platform that we integrate with CRMs or marketing automation tools

If we do business with any third-party service providers, we make sure that they are also GDPR-compliant.

  2.     Track our traffic legally

With regard to tracking and monitoring user behaviour to know whether our videos are getting the traction that we want, we do the following to stay within GDPR limits:

  • We anonymize our data before storage and processing. We also add an overlay on our site that asks permission from users regarding cookie usage.

  • We let our site visitors know if we use remarketing ads and obtain their consent. In case we publish sponsored content with companies that use tracking pixels/cookies, we inform our audience of this and ask for consent. The same goes for affiliate links and display ads.
  • For comments, we disclose the information we are tracking (e.g. IP address) and ask whether they consent to it.

We stay compliant

The GDPR places great emphasis on the rights of consumers regarding their privacy and personal/sensitive data.

We comprehensively document everything—our data collection processes, security, and what we intend to do with all the information that we have.

We are committed to being transparent about how we collect and use personal data. We hold personal data under the following permitted reasons provided by the GDPR:

(a) Consent: the individual has given clear consent for us to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering a contract.

(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.