10 years of GDPR: Balancing privacy and protection with physical security technology innovation
Date: 2026/05/22
Source: Andreas Beerbaum
It has been 10 years since the European Union adopted the General Data Protection Regulation (GDPR), triggering a fundamental overhaul of data protection and privacy law. Today, GDPR is embedded in the day-to-day operations of organizations working with, or within, EU member states.
GDPR was introduced in recognition that the world had changed profoundly and that existing data protection laws were no longer adequate in an increasingly digital and interconnected environment. The regulation was also designed to be forward-looking, providing a framework capable of governing innovation and emerging technologies. However, the rapid growth of AI-driven applications is prompting national data protection authorities to revise guidance for systems that process personal data.
Some of this innovation was already gaining momentum before GDPR, most notably body-worn video, which was being tested and deployed primarily by police forces. At the same time, more advanced projects, such as live streaming, were receiving funding, while organizations across the public and private sectors moved quickly to achieve compliance ahead of the regulation’s entry into force in 2018.
Today, body-worn video is widely used by police forces in the U.K., France, Germany and Italy, with adoption continuing to grow elsewhere. Uptake in commercial environments is more uneven. Some member states apply stricter rules than others, particularly around whether and how the technology may be used, and whether it infringes the rights of workers or members of the public.
These concerns are amplified in relation to live facial recognition. In the U.K., no longer an EU member state but still aligned with GDPR, the government is encouraging police use of the technology and concluded a consultation on a new legal framework in February 2026. While reported deployments have been positive, the technology remains controversial and continues to attract opposition from civil liberties groups.
The picture is further complicated by the fact that many facial recognition systems rely on AI. As a result, they may breach the EU AI Act, which entered into force in 2024 and largely prohibits real-time biometric identification in public spaces.
Over the past decade, video use across Europe has expanded significantly, encompassing CCTV, body-worn video, smartphone footage and video doorbells. At the same time, major advances in technology now allow security professionals to manage larger and more complex video environments while remaining compliant with GDPR. Modern video management systems (VMS) are a clear example.
Security control room operators, whether on site or working from centralized locations, can now retrieve relevant footage quickly and efficiently. This capability is critical not only for operational needs but also for responding to data subject access requests (DSARs), which require organizations to provide personal data on request, within reasonable limits, or for sharing footage with law enforcement during investigations.
Masking and blurring technologies have also improved significantly, reducing the time and effort required to redact footage before it is shared, either digitally or physically. Because GDPR applies to both public and private sector organizations, redaction requirements also apply when footage is shared with police.
The shift from on-premises systems to cloud-based and hybrid video environments has introduced new challenges, particularly around data residency and the risk of EU citizens’ personal data being stored outside GDPR jurisdiction. However, the economic and operational benefits of these systems have driven greater transparency and the development of stronger controls, enabling organizations to adopt them with greater confidence.
GDPR replaced the EU’s 1995 Data Protection Directive. In the 21 years between that directive and GDPR’s adoption, the world moved decisively from analogue to digital. Ten years on, the regulation has proved resilient in delivering meaningful protections for EU citizens’ personal data. While there have been several high-profile fines related to CCTV use, some exceeding €10 million, the security industry has adapted effectively.
Challenges, debate and controversy will undoubtedly continue as AI creates new opportunities to enhance safety and security operations. Taken together, GDPR and the EU AI Act provide a robust legal framework that allows security professionals to innovate while maintaining strong safeguards for privacy and data protection.
Andreas Beerbaum is vice president of global sales and service, physical security, for Octave.