Keeping your media library GDPR-compliant with Third Light

Around Europe, businesses have prepared themselves to comply with the new GDPR (General Data Protection Regulation) law, which came into force on 25 May 2018. The law put stringent new controls in place on how businesses handle personal data. How can Third Light help you comply with the law?

One of the most important principles of GDPR is to obtain consent from any person whose data is stored. For example, if you have a record of an name and email address, or perhaps a photograph which has metadata that is tagged with someone's name, then this is personal data and you need the person's consent.

In Third Light, there are several features which are designed to help with permissions, consent and record-keeping in this area. Here are some ways you can use Third Light to support your GDPR compliance.

1. Site Terms and Conditions

When a user logs into your Third Light system, you can require that they accept a set of terms and conditions In IMS v6, this is enabled from the Configuration > Site Options page, under "Terms and Conditions". In Chorus, it's found in the Site Privacy settings menu. To avoid becoming a nuisance, once a user accepts the terms, this decision is recorded. However, if you change your terms and need users to review them again, then there is a button to clear all existing terms and force users to go through this process again.

V6: Documentation for Site Terms and Conditions

Chorus: Documentation for Site Terms and Conditions

Chorus also offers the ability to set a log retention policy, so that personal data is not stored indefinitely.

GPDR terms and conditions

2. Approvals and terms and conditions on key actions

Third Light includes two features which help you create manual approval workflows. For example, you can make your site require a user to accept a set of upload terms and conditions before they proceed with an upload, or you can require that another user reviews their files after upload (for example, a team manager or a legal review department can check that all inbound files have been checked for copyright claims, consent etc.)

Similarly, you can use approvals on downloads. This can be used to ensure that users consider any privacy implications before they re-use or publish a file, perhaps by drawing attention to your GDPR policies and ensuring that no inadvertent errors are made.

V6: Documentation for upload approvals

V6: Require users to accept terms and conditions for uploads

V6: Documentation for download approvals

3. Attaching Consent Forms

When photography containing individuals is stored in your site, you may need to acquire consent from the person depicted. This is generally achieved using a consent form which they sign, giving you the right to store the image. For your convenience, you can attach consent forms to your files using Third Light. This helps keep images and the relevant records for those images associated (assuming the consent form is a file). Don't forget, you can also use metadata to store consent - which may be even more useful as it is searchable.

V6: Documentation for attaching consent forms to files

Chorus: Documentation for attaching consent forms to files

Example GDPR consent form

4. Using Metadata to Record Consent

Third Light is built for metadata flexibility. For example, you can add custom metadata fields which can be drop-downs, yes/no options, tree structures or free text. You can use this as part of your GDPR compliance package, for example to record consent, to maintain a log or to refer to other systems. Metadata fields can be protected from editing, or even made hidden if required, again helping to stop information from being changed by accident or revealed in the wrong contexts.

V6: Documentation on customising metadata fields

Chorus: Documentation on customising metadata fields

Tip: You can also use Chorus expiry and embargo features, which help keep all use of a file within a set date range.

Example GDPR expiry and embargo

Next steps with GDPR

Please remember that GDPR compliance is not a feature, but a process for your organization which may require specialist legal advice. For further guidance, please see the Information Commissioner's Office web site at:

Third Light's privacy policy, with other legal notes on GDPR is available here:

Articles Hints and Tips