On May 25 the General Data Protection Regulation or GDPR officially took effect, requiring better protection of personal data across the EU region. In this regard, making video surveillance GDPR-compliant has become critical.On May 25 the General Data Protection Regulation or GDPR officially took effect, requiring better protection of personal data across the EU region. In this regard, making video surveillance GDPR-compliant has become critical.
When talking about personal data, people tend to associate it with their names and addresses. However, a person’s face is as relevant as it gets when it comes to personal data. That’s why GDPR has set guidelines dictating how video footage of people should be used and protected. In fact, GDPR has become a major trend in security.
A recent GDPR.Report post authored by Edwin Roobol, Regional Director of Axis Communications, suggests while video surveillance plays an important role in detecting threats and protecting the public, it is not exempt from ethical and legal obligations. “They have the potential to protect, but cameras also have the potential to threaten people’s freedoms,” it said. “That’s why video footage is included in the GDPR as personal data. With this in mind, it is vital for those collecting and processing the data produced by video surveillance are ensuring they do so in line with guidelines.”
That said, making sure the end user’s video surveillance, from cameras to storage, complies with GDPR is critical. According to the post, the following are some of the things to consider:
Use a secure system
According to the post, while video surveillance has become more and more IP-based and connected, it’s subject to more cybersecurity risks as well. “To significantly reduce the chances of a breach, invest in high-end security software and secure hardware for your video surveillance and connectivity, stay abreast of the latest cybersecurity best practices and make sure your system is regularly updated and maintained in line with patches and guidance from the manufacturer,” it said.
Users are also advised to pick major risk/interest points for camera installation and develop a data protection impact assessment (DPIA). “Ask yourself whether they are areas someone would expect to be seen and also ensure you have a ‘legitimate interest’ to put a camera there. By making your surveillance targeted, you are only gathering necessary data, meaning you have reasonable grounds to store it, analyze it and catalogue it,” the post said. “Furthermore, it makes the process easier than if you had to process footage from every single corner of the building. With the public’s right to ask about what data you hold on them, narrowing down the points of video data capture also speeds up the process if anyone ever makes an enquiry.”
Work with trusted partners
According to the post, what type of GDPR obligations that arise – and who owns those obligations – varies cases by case. As an example, the post cites a hosted surveillance service which involves various stakeholders, including the alarm operator’s customers, the alarm operator, the system provider and hosted web services. “As you can see there are multiple stakeholders contributing to the handling of the data, so it is vital to use a reputable company to ensure your footage is managed correctly,” it said.
Do your homework
It is ultimately the user’s responsibility to ensure GDPR compliance. “It is therefore important to make sure you have done your homework on current requirements so you can manage your obligations as well as guarantee you partner with compliant suppliers and vendors,” the post said. “You should also be able to rely on technical aid from your suppliers and vendors to facilitate your GDPR compliance, via updates and maintenance support.”