GDPR – We’ve got your, and our, backs!
We take our obligations to data protection very seriously. The nature of our work does present some non-standard challenges around GDPR and data protection for both us and our clients. So, we have systems in place which enable us to ensure the work that we do for our clients maintains their compliance as well as our own. We are registered with the ICO as a data controller. Company Director, Lucy Critchlow is our nominated Data Protection Officer (DPO) and we have a GDPR compliant Data Protection policy in place.
With most of our projects we would expect to become Joint Data Controllers with the client for whom we are producing a film or films. That means we jointly control and process personal information about the data subjects within the films. This is because we hold audio and visual recordings of individuals, along with their consent forms and our clients hold finished films and consent forms as well as being responsible for hosting the finished content.
Consent is the legal basis for us processing personal data. We seek formal consent from everyone we film. Filming personal stories and information also means we sometimes process “special category” data, such as health information, which is considered to be more sensitive than more basic demographic data such and names and addresses. So, we make sure the consent process is robust and understood by the people being filmed.
The consent form asks contributors to acknowledge that they are being filmed of their own free will, without coercion and states that no fee will be paid for the contribution. It also allows for consent to be withdrawn, providing the contact details for both us and our client as we both hold personal information.
Consent forms are signed before filming with our producers ensuring the data subjects understand what they are signing. They are given a copy to keep, which contains the relevant contact details. They are then scanned into our system and stored securely alongside the filmed footage within our project files.
Protecting your data
Our Data security policy covers how we manage the security of our data and provides policies to all staff identifying risks and providing practical ways to mitigate them. It’s outlined in the Dependable Productions Data Protection Policy .
We handle comparatively large amounts of data both in our studio and on location. All our cameras record digitally. At the end of each filming day, the data is copied onto two encrypted portable hard drives. Once the drives go into our studio a working copy is transferred onto secure Network Attached Storage to make it accessible to our network edit suites. A second copy is made to LTO Tape and stored securely off-site. We then log the data into a library database to enable us to find data quickly and easily in future.
Personal Information is also stored in call sheets and consent forms. These are stored on our server which is backed up to two external hard drives which are swapped once a week. The spare drive is also stored off-site. Call sheets are occasionally printed to be used by our producers. These are shredded at our studio when filming is complete.
All our PCs are password protected with users being required to have strong passwords changed routinely. All PCs also run anti-virus software which is automatically updated. All incoming and outgoing emails are scanned for viruses as part of our SLA with our hosted email provider.
Subject Access Requests
All subject access requests should be made by email to firstname.lastname@example.org We will respond within 14 days.