How Can a DAM Make Your Digital Content Compliant with GDPR?

Richard Bamford
May 12, 2020
1 min read

Think of all the different types of content your company uses every day. On the one hand, it’s perfectly accurate to call all these pieces of content ‘assets.’ They’re the backbone of your company, and your team members rely on them to do their work and attract new clients.

On the other hand, if you’re not careful with how you manage these digital assets, your company could be liable for violating the GDPR or other regulations designed to protect the rights of individuals.

In an earlier article, I discussed what the GDPR means for your digital content and its metadata. Here, we’re going to examine how a Digital Asset Management system (DAM) can ensure your organization’s compliance with GDPR and similar data privacy regulations.

Whether you are evaluating your existing DAM or researching alternatives, here’s a checklist of eight key questions to make sure your digital assets are compliant with GDPR.

1. Where is the Data Stored Today? 

The first question on our list might sound quite simplistic, but I believe it's the hardest question to answer. Is your digital content centralized in a single location, or are there files containing Personally Identifiable Information (PII) distributed across the network and saved in different locations?

In my experience, you probably have digital content spread across many different locations - some of which may be unknown to the organization. Content sprawl is a difficult problem to solve in any business because it requires people to change their habits and modify current working practices. 

With a multitude of cloud services available, content sprawl can be a challenge for traditional IT departments. This is one of the reasons many organizations appoint a Chief Data Officer to reside outside of their IT departments.

I shared several challenges to addressing content sprawl in my earlier article – see “How Can You Get Your Team On Board with a Content Compliance Audit?” And the only way forward is through. You must address your team’s fears and concerns, then share a new plan for effective, secure digital content management.

Organizations can maximize the value of their digital assets by centralizing their content and creating a standard process for how it is approved, uploaded to their DAM, and shared. And centralizing your content is an important step towards better compliance, improved data security, and increased productivity.

2. What Personal Identifying Information (PII) is Collected?

It’s critical that you gain a clear understanding of how PII is captured, tagged, and stored. Metadata — information about a digital asset — can be defined in two ways:

  • Explicit Information - Where information is stated clearly and refers to how files are named and labeled in folders within the operating system. For example, the naming convention could disclose personal information when the network path to the image references an individual's name. PII data might exist in the way an asset has been described within its file name or within common metadata fields like 'description', 'caption,' and 'keywords.'  
  • Implicit Information - Some applications and devices capable of capturing or recording image data may also embed sensitive metadata where it might not be known to exist.

A good example of implicit metadata is geographical information. These geodata can be created and embedded in photos and video by some digital cameras including smartphones. If you question the importance of implicit metadata, consider the New York Times article Twelve Million Phones, One Dataset, Zero Privacy. When companies fail to safeguard their geodata, it can have far-ranging consequences.

If your organization stores user-generated content – especially images captured on smartphones – you must be sensitive to these metadata. For some companies geodata can provide valuable insights. Yet for organizations involved in the military, government, or conservation, inadvertently revealing an individual’s location could be very dangerous. 

3. How Do Employees Access Digital Content?

How you manage access to your digital assets is key to ensuring compliance with GDPR and other data privacy regulations. By centralizing content in a DAM, approved files can easily be shared with your internal teammates or external partners.

Of course, simply saving content in a DAM is not enough. In many cases, organizations would benefit from categorizing their content and metadata within a DAM to comply with GDPR. Once you centralize content within a DAM and manage access within your team, you can track who uses which pieces of content and how often. The best DAMs give organizations the flexibility to centralize content in a way that works for them, while still making that content easy to find and share with appropriate parties.

Sustrans is UK charity dedicated to making it easier for people to walk and cycle. Once Sustrans began using the Portfolio DAM, they discovered two key facts about their content:

  1. Creating one central repository for their digital content improved access for everyone who needed it.
  2. Centralizing all their files in a DAM made it much easier for them to comply with data privacy legislation.

Managing digital content is just the start. Managing access to that digital content is where you can start to see real benefits.

4. Have You Received Unambiguous Consent to Share Images from People Identifiable in these Files?

For many organizations, the idea of seeking consent from employees whose image might appear within a photo might seem excessive or completely unwarranted. Consent, however, should never be assumed. The use of an anyone’s image should not be a condition of employment, enrolment, attendance, membership, or affiliation of any kind.  

Unambiguous consent is necessary for two reasons:

  1. To confirm all those featured in the shot are satisfied with how the information will be saved
  2. These individuals must also be made aware of how the organization will use the content that features their images.

Keep in mind that consent forms themselves represent another type of digital asset. Many organizations that rely on DAM solutions now ask that the original versions of consent forms be scanned and then stored alongside images from that photoshoot. Some organizations that have experienced disputes over consent have gone even further when commissioning photography. These teams now request that the first picture of any photoshoot feature the model holding up the signed consent form to avoid any later confusion as to the identity of the signatory.  

5. How is Data Going to be Used?  

Whether it’s a customer testimonial shared on social media, a presentation to your board of directors, or anything in between, PII can be present in images and videos intended for a wide range of audiences. You should also consider the following types of content:

  • Customer case studies
  • Event video and photography
  • Webinars
  • Training videos
  • Press releases

This is not an exhaustive list. Your consent forms need to address all possible instances where PII might be stored as metadata. Be sure to make these distinctions in your legal agreements when you work with models, third-party photographers and videographers, and anyone who might be featured in your digital assets.

6. Do Procedures and Processes Exist to Modify, Purge or Delete PII Data?

Of course, adding, appending, or editing metadata one file at a time can be extremely time-consuming. A DAM system can simplify these steps by first highlighting those files that include certain sensitive terms, and then allowing you to edit or purge these files in batches. This works even when you need to update hundreds or thousands of files at a time.

But sometimes even batch-editing capabilities like these aren’t enough. For example, many organizations require certain metadata to be added to files while other terms are deleted, all based on specific criteria. When you need to conduct operations like this on thousands of digital assets at a time, a DAM system like Extensis Portfolio running alongside Corbit can be configured to automate repetitive tasks, removing human error and ensuring compliance.

These types of measures can also be extended to files that originate from third parties. Externally created files submitted via email, FTP, and other processes could be intercepted and held for approval before being accepted into a company’s DAM. Alternatively, if these externally created files do not meet GDPR standards, they could be automatically rejected. Email notifications can also be automated to simplify communications between DAM administrators and content creators.

7. Are Digital Assets Being Held Any Longer Than Necessary?

Managing your digital assets to ensure metadata integrity is a major aspect of GDPR compliance. But content isn’t static. Each of your digital assets has an extending from an initial audit and creation to a time when it’s no longer needed. And your content must adhere to GDPR standards at all times; that’s the foundation of effective digital asset lifecycle management. There are several good reasons to retire digital assets:

  • If content is added to a DAM and never removed, managing the system can become an administrative nightmare.
  • When an asset can’t be found or is unusable — either functionally or legally — the value of retaining it comes into question.
  • Certain information may also be time-limited in scope, both at the time of capture and as laws and regulations evolve.

Follow digital asset lifecycle management best practices so that your DAM will be a valuable resource now and in the future.

8. Do We Audit Our Metadata and Keep it Up To Date?

You can’t assume compliance. At the start, a full audit of your content management system can help you identify necessary updates. But you also need to perform audits on a regular schedule, and you will need to monitor new legislation to ensure you stay compliant. For example, legal obligations to keep certain PII data for a set amount of time might change, but these obligations may also override an individual’s ‘right to be forgotten’ under GDPR.  


On its own, no DAM can ensure perfect compliance with GDPR. You still need the right processes in place, and you will need to train your team members on proper digital content etiquette. The right DAM is what makes your people and processes more effective. And when you have all three working together, you have all the tools you need to comply with GDPR and any new legislation that might arise.