I have had a request to supply a client with all of their files (including InDesign docs) due to the General Data Protection Regulation (GDPR). My client also wants me to delete the files from my machine. I’m really not comfortable doing this as the time involved would also be lost as they won’t want to pay.
How should I respond to such a request?
TL;DR: The client is fundamentally mistaken about the type of data covered under GDPR, although there are possibly things in the files that are covered under it. You should not send them the files, though you do need to respond with any personal information in them.
I’m doing some of the data protection work for my company, so I’ve been reading a lot around this. I’m definitely not a lawyer, so a bunch of this should be taken with a pinch of salt. That said, this example has a fairly clear correct course of action:
GDPR covers only personal information related to individuals: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en
This means that the only thing affected in your design by GDPR is personal information.
Your response should, therefore, only cover the personal information contained in your design. Did you put a personal email address of theirs in? Is there a client name or address in the text? Any photos of clients or people in general? If so, send them an email stating the personal information you found in the design, and asking if they’d like you to delete those specific bits.
If they say yes, delete the email addresses, any names, client photos and any other personal information you can find.
Remember to also delete it from any backups you have, and from the history of the file. If you’re feeling friendly, you might want to point out this will make the files harder to use for them.
They absolutely cannot force you to hand over ownership of the files under GDPR. Unless stated in the contract, they remain your intellectual property.
Edit: forgot an important bit. This only applies to the personal data of the person making the request. Anything else, even data from one of their employees, is not covered, and you probably can’t and shouldn’t hand any of the data over. Their employees will have to make their own requests for their personal data. To protect yourself, however, it’s probably worth reviewing and deleting any unnecessary personal information you hold.
Hope it’s helpful!