8 Steps to Make Your Photography Website GDPR Ready
GDPR is almost upon us, and many of you are still in the process of preparing your site for the big changes to data collection taking effect on May 25th 2018. In the following article we are going to outline the steps you can take to GDPR proof your site before the deadline day.
Note: this is not legal advice. This guide offers some steps that can assist you in making your site more GDPR compliant, but for legal wording and to truly protect your business it would be best to seek legal counsel.
This post includes a quick overview of GDPR, and a quick checklist of things you should review to make your website compliant.
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU Law for data protection and privacy for all individuals in the European Union (EU). It also covers details on the export of personal data outside the EU. The GDPR aims to give more control to its citizens and residents over their personal data and to simplify regulations for international businesses operating within the EU. GDPR does not just affect businesses within the EU, but any business that has operations or collects information about EU citizens.
If you operate outside of the EU it would still be good practice to comply with these regulations, as global data protection policies are tightening up after recent worldwide scandals such as Facebook's data leak in 2018.
So if you hold information about individuals, suppliers, vendors, employees, past or present, even as a small business, you need to comply with these new terms and conditions. Failure to comply with these terms can lead to legal action or a hefty fine on your business.
It may be the time to invest in some studio management software to start tracking all the information that you’re collecting about clients, as it will make it easier to know what information was collected and when. Check out tools such as 17Hats, Studio Ninja, and Tave.
Clients' Rights
Clients have the following rights under GDPR, which can be seen in chapter 3 of the GDPR regulations:
– The right to transparency
– The right to be informed about collected information
– The right to access their specific collected information
– The right to rectify collected information
– The right to request removal of information
– The right to restrict processing
– The right to object to processing
– The right to data portability
– The right to complain to a supervisory authority
– The right to withdraw consent
Let's not all get in a panic. There are several steps that you can take to make sure your website is complying with GDPR before the deadline day on May 25th 2018.
The GDPR Checklist
To be compliant with GDPR you'll want to make sure that your site requests consent before collecting any information, that you use a double opt-in method for all email marketing, and that your privacy policy and a consent check box are shown before someone submits a contact form on your site.
Here are the things and steps that you should consider in advance for GDPR. Items that are starred are required:
1. Cookie Policy *
2. Terms of Use
3. Privacy Policy *
4. Updating Contact Forms
5. Auditing Data *
6. Data Subject Requests *
7. Reviewing your plugins
8. Moving to HTTPS
1. Cookie Policy *
You should create a cookies policy outlining the following items:
– Give a definition of what cookies are.
– Which cookies are deployed on your site. For all cookies that are not required to run your site, you must ask for consent before deploying those cookies to your clients' browsers.
– Cookies used by third parties, including information from third party sources such as Google Analytics, Facebook Custom Audiences (Facebook Pixel), mailing services, and client management software.
– Information on how to refuse cookies
– How to manage cookie preferences on your site
2. Terms of Use (Not required by law)
A terms of use policy is not required by law; however, it is a good value add for your site as it can limit your liability. Create a terms of use or terms and conditions policy for the use of your website. This can include details on some of the following items:
– License to use the site
– A disclaimer of liability (limiting your liability for errors on the site)
– Any statutory rights
– Acceptable use Policy
– Copyright
Again it would be best to get a template from SEQ Legal or Terms Feed to make sure you cover all the legal jargon required.
3. Privacy Policy *
Put in place a privacy policy that includes information on the rights above. It should be created in a manner that is understandable and easily accessible on the site. We recommend creating a privacy policy and placing it in the footer of your website, in the footer of any email communication and adding it as a disclaimer to your contact form before users submit any information on your site.
For Flothemes clients, check out the following tutorial on how to add a privacy policy to your contact forms:
Once you have a privacy policy created, it would be in your best interest to contact all your previous and existing clients, vendors, employees to make them aware of your new policy.
You can purchase privacy policy templates from various sources on the web. Try SEQ Legal or Terms Feed for templates which can be modified for your business needs; we've heard good reviews from other photographers in the industry.
4. Update Contact Forms
You will need to update contact forms if you plan to use them for marketing purposes, such as newsletters or email marketing. If someone contacts you via a contact form for the purpose of enquiring about your services you do not need to add a check box. You will however need to remove the user's information after 90 days (subject to change) if it is no longer held for "legitimate business interest".
If you’re collecting information for your marketing efforts make sure to update any contact forms on your site to explicitly request consent from your user, including adding a check box and showing your privacy policy before they hit the submit button.
When storing the information, make sure that it records the submission date of each client's form, as the retention period is counted from that date.
Using our Flo forms plugin you can do this very easily on your site. Check out the following tutorial on how to do so:
5. Auditing Data *
You'll want to review the existing data that you have collected via your website. So review the different types of data that you've collected, whether that's via a contact form, adding users to your newsletter list or other tools where you have information about potential and existing clients.
For contact forms, you should make sure that you have suitable access to the information you have collected and a way to remove it after a certain period of time. This is particularly true for those clients who have not booked, and you do not legally require their information.
For newsletters, did you previously have a double opt-in explicitly asking for consent? If not, it’s time to cleanse your data, and send out a double opt-in to make sure that users are happy being on your newsletter list. Most mailing list services will offer this as standard, reach out to them if you’re unsure on how to do so.
It’s a good time now to review your site and decide on the information you’re collecting, do you really need it all? If you don’t need some of the information you’re collecting, now is a good time to remove any tools that aren’t being used.
Also make sure that all of the data you're storing is safe and not liable to be leaked or stolen, as this is a direct breach of the GDPR regulations. Add encryption to your computer and anywhere else you may have data stored (on Mac you can use FileVault, which is built in; when enabled, all files stored in the "home" folder are encrypted).
6. Data Subject Requests *
This can be created as a separate page or added directly to your privacy policy. You should give your clients a way to contact you directly to request any data collected about them. You have 30 days from the request to prepare the data and send it to the client, so making sure your data is organized is most important.
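Steps 4 to 6 above describe one procedure: record explicit consent and the submission date, purge enquiries once the 90-day period has passed, and be able to answer an access or erasure request quickly. The following store is an added example written for this post, not Flothemes or Flo forms code; the field names, the email normalisation and the in-memory storage are this example's own assumptions.

```javascript
// Added example (not Flothemes code): minimal submission store that records
// explicit consent and the submission date, purges stale enquiries after the
// retention period (the post's 90 days), and answers access/erasure requests.
const RETENTION_DAYS = 90;
const DAY_MS = 24 * 60 * 60 * 1000;
const norm = (email) => String(email).trim().toLowerCase();

class SubmissionStore {
  constructor() { this.records = []; this.nextId = 1; }
  // marketingConsent must be an explicit checkbox tick (strict true).
  add({ email, message, marketingConsent = false, submittedAt = new Date() }) {
    const rec = { id: this.nextId++, email: norm(email), message, booked: false,
      marketingConsent: marketingConsent === true, submittedAt: new Date(submittedAt) };
    this.records.push(rec);
    return rec.id;
  }
  // A booked client is one you still have a business reason to retain.
  markBooked(id) {
    const r = this.records.find((x) => x.id === id);
    return r ? (r.booked = true) : false;
  }
  // Right to withdraw consent: clear the flag but keep the dated record.
  withdrawConsent(email) {
    const hits = this.records.filter((r) => r.email === norm(email));
    hits.forEach((r) => { r.marketingConsent = false; });
    return hits.length;
  }
  // Retention purge: drop enquiries older than RETENTION_DAYS that neither
  // booked nor consented to marketing. Returns the ids removed.
  purgeExpired(now = new Date()) {
    const cutoff = now.getTime() - RETENTION_DAYS * DAY_MS;
    const removed = [];
    this.records = this.records.filter((r) => {
      const stale = r.submittedAt.getTime() < cutoff && !r.booked && !r.marketingConsent;
      if (stale) removed.push(r.id);
      return !stale;
    });
    return removed;
  }
  // Access request: everything held about one address, dates as ISO strings.
  exportFor(email) {
    return this.records.filter((r) => r.email === norm(email)).map((r) => ({ ...r, submittedAt: r.submittedAt.toISOString() }));
  }
  // Erasure request: remove every record for that address; returns the count.
  eraseFor(email) {
    const before = this.records.length;
    this.records = this.records.filter((r) => r.email !== norm(email));
    return before - this.records.length;
  }
}
```

Run purgeExpired on a schedule (daily is enough) so that the 90-day removal happens without anyone remembering to do it by hand.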
7. Review Site Plugins
If any of your plugins collect information about your users, make sure that they give you the ability to export, delete and review the information collected. If a plugin is not 100% necessary for your business, remove it. Also note that excessive numbers of plugins can slow down your website, so now is a good time to review what isn't needed to operate your business.
8. Move to HTTPS
We also suggest thinking about moving to HTTPS so that all data submitted through your site is encrypted in transit between the visitor's browser and your server. This is also a ranking signal for SEO with Google, so it can actually improve your site's performance. Just make sure that you enable HTTPS correctly and redirect all the links properly to avoid any errors on your site. If you need assistance with enabling HTTPS on your site, check out our SSL Implementation services.
Useful Resources
For more useful resources and guides on preparing yourself for GDPR check out:
– The GDPR Regulation Documentation
– Go through this GDPR checklist
– Check out SEQ Legal or Terms Feed for policy generator templates
Conclusion
To have the most basic cover and the bare minimum in terms of compliance for GDPR, start with your contact form, your privacy policy and a cookies policy. With these items added to your site you should be in a good place to get started. Creating these policies can be done easily with the policy generator tools (free and paid ones) noted above; just make sure you update the terms to be most relevant for your business.
Next you’ll want to review, audit and clean any existing data that you have. If you haven’t been given explicit consent for any of the information, or you’re unsure, request consent or remove the information safely.
For full compliance you may want to seek legal advice for your site and business from a legal representative, to make sure you’re completely covered and to avoid any fines due to non-compliance. Whilst it might be a pain now to get your site up and running, in the long run it’s a great benefit that there is now increased security for your own personal data, as well as your customers’.
If there is anything else we’ve missed, just let us know in the comments below!
Flothemes Team,
Supporting You.