Compliance · 21 March 2026 · 6 min read

Metadata Compliance for HR: Preventing Data Leaks in Company Photos

Employee headshots, office event photos, and company images contain hidden metadata that creates GDPR liability. Here is what HR and IT teams need to know and do.

Company photos — employee headshots, office events, team pages, and press materials — routinely contain hidden EXIF metadata that constitutes personal data under GDPR. GPS coordinates from photos taken at offices or homes, device serial numbers identifying individual employees' phones or cameras, and timestamps recording when photos were taken are all embedded in image files by default. Businesses that store, publish, or distribute these photos without stripping metadata are processing personal data they may not have a lawful basis to retain. A metadata scrubbing step at the point of image ingestion eliminates this liability.

What personal data is hidden in company photos?

A photo taken by an employee on their smartphone and submitted for use in company materials typically contains the GPS coordinates of where it was taken (potentially their home address if taken remotely), their device make, model, and unique serial number, the exact date and time of capture, and any name or copyright information auto-populated by their device settings. Photos processed through professional software may additionally carry XMP metadata, including editing history and creator details. Our guide to EXIF vs XMP vs IPTC explains the full range of embedded data types.

Why does this create GDPR liability?

Under GDPR Article 5, personal data must be processed with data minimisation — only what is necessary for the stated purpose should be retained. A headshot published on a company website serves the purpose of identifying the employee visually. The GPS coordinates of where the photo was taken, the employee's camera serial number, and the timestamp serve no legitimate business purpose. Retaining this data without a lawful basis or legitimate interest justification exposes the organisation to compliance risk.

Article 25 requires data protection by design and by default. Building metadata removal into your image processing workflow is a straightforward implementation of this principle.
It demonstrates that your organisation actively minimises personal data rather than retaining it passively. Our GDPR photo metadata guide covers the compliance obligations in detail.

What are the highest-risk scenarios for HR teams?

Remote and hybrid work has significantly increased the risk. Employees submitting headshots taken at home embed their home GPS coordinates into images that may then be published publicly on company websites, LinkedIn, or press materials. A malicious actor who discovers that an employee's headshot contains their home address has more information than they should. This is not a theoretical risk — it is a straightforward extraction from a publicly available file.

Office event photos shared internally via email, Slack, or SharePoint often contain metadata from the photographer's personal device. These files may be forwarded externally, saved on personal devices, or retained indefinitely in email archives — all with the original metadata intact.

Medical offices, legal firms, and other regulated environments face additional obligations. HIPAA in the United States and equivalent frameworks in the UK and EU impose stricter requirements on any data associated with individuals in those contexts.

How should HR and IT implement metadata scrubbing?

The most effective approach is to build metadata removal into the standard image intake process. When an employee submits a headshot, when an event photographer delivers files, or when any image enters your systems for publication or distribution, strip all metadata before storing or distributing.

For individual files, ExifVoid provides a fast browser-based solution that processes files without uploading them to any external server — relevant for organisations with data handling restrictions. For larger volumes, command-line tools like ExifTool can be integrated into existing workflows.

Document your metadata scrubbing process as part of your data protection policy.
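
The intake check described above, as an added example that is not ExifVoid's or ExifTool's code: a dependency-free Python scanner and stripper for JPEG files. It walks the marker segments, reports which metadata blocks (EXIF, XMP, IPTC/Photoshop, other APPn) a file carries, reads the Make, Model, DateTime and GPS-pointer fields from EXIF IFD0 (the fields the section on hidden personal data lists), and writes a copy with those segments removed while keeping the JFIF, ICC-profile and Adobe segments a decoder needs to render the pixels. The sample JPEG, its tag values and segment layout are constructed for this example; the tag ids, marker numbers and payload signatures are the ones from the JPEG, EXIF, XMP and Photoshop specifications.

```python
import struct
# IFD0 tags the scan reports (EXIF spec ids); serial numbers and DateTimeOriginal sit
# in the Exif sub-IFD, which this example locates (ExifIFD pointer) but does not walk.
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x8769: "ExifIFD", 0x8825: "GPSInfoIFD"}
EXIF_SIG, XMP_SIG = b"Exif\0\0", b"http://ns.adobe.com/xap/1.0/\0"   # APP1 payload signatures

def iter_segments(data):
    """Yield (marker, start, end) per segment from SOI to SOS; SOS gets end=len(data) so scan data passes through."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker, length = data[pos + 1], struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                   # SOS: entropy-coded data follows up to EOI
            yield marker, pos, len(data)
            return
        yield marker, pos, pos + 2 + length  # length counts its own 2 bytes
        pos += 2 + length

def metadata_kind(marker, payload):
    """Name the metadata an APPn segment carries, or None if the segment must be kept."""
    if marker == 0xE1 and payload.startswith((EXIF_SIG, XMP_SIG)):
        return "EXIF" if payload.startswith(EXIF_SIG) else "XMP"
    if marker == 0xED and payload.startswith(b"Photoshop 3.0\0"):
        return "IPTC/Photoshop"
    if 0xE0 <= marker <= 0xEF:
        # JFIF (APP0), ICC profiles (APP2) and the Adobe APP14 flag affect rendering: keep.
        if marker == 0xE0 or payload.startswith((b"ICC_PROFILE\0", b"Adobe")):
            return None
        return f"APP{marker - 0xE0}"         # any other vendor blob has no decoding role
    return None

def exif_ifd0(payload):
    """Return the IFD0_TAGS entries present in an EXIF APP1 payload."""
    tiff = payload[len(EXIF_SIG):]              # TIFF header; IFD offsets are relative to it
    bo = "<" if tiff[:2] == b"II" else ">"      # byte order: II little, MM big endian
    ifd, found = struct.unpack(bo + "I", tiff[4:8])[0], {}
    for i in range(struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]):
        e = ifd + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(bo + "HHI4s", tiff[e:e + 12])
        if tag not in IFD0_TAGS:
            continue
        if typ == 2:                            # ASCII: stored inline if it fits in 4 bytes
            off = struct.unpack(bo + "I", raw)[0]
            text = raw[:n] if n <= 4 else tiff[off:off + n]
            found[IFD0_TAGS[tag]] = text.rstrip(b"\0").decode("ascii", "replace")
        else:                                   # LONG: offset of a sub-IFD
            found[IFD0_TAGS[tag]] = struct.unpack(bo + "I", raw)[0]
    return found

def scan(data):
    """Report which metadata segments a JPEG carries plus the key IFD0 EXIF fields."""
    report = {"segments": [], "exif": {}}
    for marker, start, end in iter_segments(data):
        kind = metadata_kind(marker, data[start + 4:end])
        if kind:
            report["segments"].append(kind)
            if kind == "EXIF":
                report["exif"] = exif_ifd0(data[start + 4:end])
    return report

def strip_metadata(data):
    """Return (clean_jpeg, removed_kinds): a copy with every metadata segment dropped."""
    out, removed = bytearray(b"\xff\xd8"), []
    for marker, start, end in iter_segments(data):
        kind = metadata_kind(marker, data[start + 4:end])
        if kind:
            removed.append(kind)
        else:
            out += data[start:end]
    return bytes(out), removed

def _ifd(entries, offset):
    """Test helper: serialise a little-endian IFD at `offset` from [(tag, type, count, bytes)]."""
    data_at = offset + 2 + 12 * len(entries) + 4   # data area for values over 4 bytes
    body, extra = b"", b""
    for tag, typ, count, value in entries:
        if len(value) > 4:                         # too big for the value field: store an offset
            value, extra = struct.pack("<I", data_at + len(extra)), extra + value
        body += struct.pack("<HHI", tag, typ, count) + value.ljust(4, b"\0")
    return struct.pack("<H", len(entries)) + body + struct.pack("<I", 0) + extra

def build_sample_jpeg():
    """Constructed input (not a decodable image) with JFIF, EXIF, XMP, DQT, SOS and EOI."""
    entries = [(0x010F, 2, 12, b"ACME Camera\0"), (0x0110, 2, 8, b"Model X\0"),
               (0x0132, 2, 20, b"2026:03:21 09:15:00\0"), (0x8825, 4, 1, b"\0\0\0\0")]
    gps_off = 8 + len(_ifd(entries, 8))            # the GPS IFD directly follows IFD0
    entries[-1] = (0x8825, 4, 1, struct.pack("<I", gps_off))   # patch the GPS IFD pointer in
    tiff = (b"II*\0" + struct.pack("<I", 8) + _ifd(entries, 8)
            + _ifd([(0x0000, 1, 4, b"\x02\x03\x00\x00")], gps_off))   # GPSVersionID only
    seg = lambda m, p: bytes([0xFF, m]) + struct.pack(">H", len(p) + 2) + p   # marker segment
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, EXIF_SIG + tiff)
            + seg(0xE1, XMP_SIG + b"<x:xmpmeta xmlns:x='adobe:ns:meta/'/>")
            + seg(0xDB, b"\x00" + bytes(range(64)))                      # quantisation table stand-in
            + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"    # scan header + data
            + b"\xff\xd9")
```

Run `scan()` over every image at intake: a report whose `exif` dict contains `GPSInfoIFD` or whose `segments` list is non-empty is a file that must not be stored or forwarded as-is, and the bytes returned by `strip_metadata()` are what gets stored. Malformed input raises rather than being copied through, which is the behaviour you want at a trust boundary. The IFD0 walk is deliberately shallow: camera serial numbers and DateTimeOriginal sit in the Exif sub-IFD, MakerNotes and the embedded thumbnail in IFD1 can carry their own copies, and an APP2 MPF segment can embed a second image with its own EXIF; that is why the stripper drops whole segments by marker rather than editing individual tags. PNG (tEXt and eXIf chunks), HEIC and TIFF need their own handlers, and for production volume the article's pointer to ExifTool stands.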
In the event of a regulatory inquiry, demonstrating that you have a defined process for minimising personal data in images is a material compliance advantage.

Frequently asked questions

Are employee headshots personal data under GDPR?

Yes — both the image itself and any metadata embedded in it. The image is biometric data if used for identification purposes. The embedded metadata is personal data relating to the employee. Both require a lawful basis for processing and appropriate data minimisation measures.

What about photos shared in internal Slack channels or Teams?

Photos shared internally via Slack, Microsoft Teams, or other collaboration platforms are stored on those platforms' servers with all metadata intact unless stripped before upload. Internal data is still subject to GDPR obligations, and internal shares can become external if files are forwarded or downloaded. Clean photos before sharing regardless of whether the platform is internal or external.

Do we need employee consent to remove metadata from their photos?

No. Removing metadata is a privacy-protective action that reduces the personal data you hold. It does not require consent. However, if you are processing the images themselves in ways beyond their original stated purpose, you may need to review your lawful basis.
