Case studies, photos and films can be personal data under GDPR too
As fundraisers, communicators and service staff get organised for GDPR, don’t forget that GDPR affects charity storytellers too.
The data held on this crucial group of beneficiaries and supporters who share their personal story to promote your charity, donate their photos, or take part in videos and photo shoots must also be GDPR compliant.
Storytellers are the human face of your charity; they represent the difference you make. Don’t let them, or your charity, down.
Photos, films and stories as personal data
Most charities include real people, names and photos in their communications. Nothing is more authentic and powerful than a beneficiary talking about how their life was turned around by the support from a charity.
Stories, photos, videos, contact details and background notes that identify living individuals are personal data and therefore subject to GDPR. Often, the data kept includes sensitive personal data, e.g. health, religious beliefs, ethnic backgrounds. A diagnosis of a health condition, such as cancer, MS, or Parkinson’s, is sensitive personal data. Extra care is needed to ensure there is explicit consent in place to keep and share this information. This can include, for example, consent for photos and their captions.
Context is crucial. It’s important to be aware of where you use your story or photo. For example, a photo of a person next to an article about surviving child abuse could imply to the reader that the person has been abused. Context can be written into policy and consent processes.
Consent and data protection
Charities with UK-based beneficiaries often have active beneficiary contacts who can tell their story many times across many channels. Typically, this involves two different kinds of consent: firstly, to keep individuals’ details and information; secondly, consent to use their story and image to promote the charity.
Most charities use consent forms which set out the storage and use of material, with a reasonable expiry date. (A consent form usually records personal information in itself – so GDPR applies to consent forms.) Consent should be fully informed, specific to the use, freely given and unambiguous. But a form isn’t enough – storytellers need to completely understand what they’re signing up to. It’s important to talk it through and provide clear information on how data is kept and used, in plain, easy-to-understand language. Illustrations and examples are very helpful too.
It’s not just about getting forms and permissions right. Making sure your processes are joined-up is also essential: collecting, storing, sharing, using and archiving stories, photos and videos should all comply with GDPR, with the rationale and processes documented. Keeping story, photo and video data up to date, secure, organised and easily retrieved, and making sure it is not excessive to needs or kept longer than necessary (along with the other GDPR principles), is key. This makes legal and ethical sense, but it also means being more efficient and effective.
Some charities have records about individuals, stories and photos scattered across teams, but under GDPR, you must be able to easily withdraw all the data that relates to each person. Material can be easily withdrawn with a well-managed centralised database in place. Setting aside staff time to manage data and share best practice is also needed, just as you would expect to do for records that relate to fundraising or frontline services. I’ve seen charities with rigorous safeguards, processes, policy, and management of data in place for supporter care, major donors or service users but not for those who tell their story publicly. This group should be just as highly valued.
Do what you promise
Beneficiaries and supporters trust and expect charities to do the right thing – and so does the law. If you promise an expiry of five years for using a story or photo, then make sure the process is in place to make that happen. Think about what expiry and withdrawal mean in practice. Does it mean taking down photos on your website? How will you make sure this is done when items expire? Have you thought through how long you can reasonably archive expired or withdrawn data? Do you have a process, policy and guidance that all staff who work with stories, photos and videos follow? You need effective internal communications so that all staff know what to do.
Take the time to think it through. You might need to allocate resources, assign an experienced project manager and put new processes and policy in place. Getting a well thought through and documented system in place will pay off in the long run with increased efficiency, better supporter care, robust legal compliance and risk mitigation. It’s the right thing to do.
Cath is setting up a new Facebook group for charity content creators, managers and strategists to share challenges, ideas and inspiration. The group is designed for creatives, photographers, filmmakers, case study officers, story managers, content creators and strategists who work with stories, videos and photos, including beneficiary and supporter images and stories, across any or all channels (e.g. media, mailings, events, marketing, social media, website content).