Using images responsibly under UK GDPR

Photos and videos are powerful tools for communication, but they also contain personal data. A face, a name badge or even a location can identify someone. Sharing those images online or in print without care can easily breach privacy rules.

If you remember nothing else, remember this: a photo of a person is personal data. Treat it like any other.

1. Why images and videos matter under GDPR

The UK GDPR treats photos and videos as personal data when people can be identified. That includes direct identifiers like a clear image of someone’s face or indirect ones such as a combination of uniform, setting, or context that makes them recognisable.

This applies across situations,  whether taking photos at a work event, in an office, at a school or online. If you could identify someone in the image, it falls under GDPR.

2. Gaining permission

Before capturing or sharing someone’s image, make sure you have a lawful basis. The most common one is consent.

• Ask clearly and record consent in writing or through a digital form.
• Explain where and how the image will be used.
• Give people an easy way to withdraw consent later.

If you’re filming a group or public event, display signs telling attendees that photos or videos may be taken. Always give people a way to opt out.

For employees, consider whether consent is truly optional. In workplaces, consent might not be freely given because of power imbalance, so legitimate interests may be more appropriate if usage is limited and low-risk.

3. Safe storage and sharing

Images are data like any other.

• Store photos and videos in secure folders with restricted access.
• Avoid keeping duplicates on personal devices.
• Delete files once they are no longer needed.
• Do not upload images to public or personal accounts unless authorised.

If you use external photographers or videographers, ensure there is a written agreement covering data protection duties.

4. Social media and websites

Posting images online gives them global reach. Once shared, it can be difficult to control where they go.

• Use official company accounts for business posts.
• Check every image for identifiable people before uploading.
• Avoid tagging individuals without permission.
• Blur faces or remove details where appropriate.
• Think before reposting photos shared by others.

Remember that even casual photos taken at work events can fall under GDPR if shared online.

5. Children and vulnerable people

Extra care is needed when taking photos of children or vulnerable adults.

• Always get consent from a parent, guardian, or responsible adult.
• Never include identifying details such as names or locations in public posts.
• Follow any safeguarding or school-specific photography policies.

The privacy risk is higher in these cases, so apply stricter rules.

6. Monday morning takeaways

If you take or share images:

1. Treat photos and videos as personal data.
2. Get consent or have another lawful basis before using them.
3. Use official storage and sharing channels.
4. Remove images once they are no longer required.
5. Respect withdrawal of consent immediately.

If you manage a team:

1. Provide clear photography and social media guidance.
2. Ensure event organisers use proper consent notices.
3. Check that marketing staff review images before posting.
4. Keep a record of all approved photographers and usage.
    

Quick summary

In plain terms

A picture can say a thousand words, but under GDPR it can also reveal personal data. Ask permission, store images safely, and think carefully before sharing. A respectful approach protects both the people in the photo and your organisation’s reputation.