Video Security Organizations’ Dual
Responsibility Under GDPR
GDPR - the EU General Data
Protection Regulation - is now in effect (on May 25th, 2018). The
regulations are designed to protect the data privacy of European Union (EU)
residents, but because the rules affect any company handling EU
data, the true influence of the GDPR is international in scope.
GDPR affects security
technologies like video surveillance systems. Here’s what you need to know to
improve your GDPR compliance.
GDPR is a regulation set forth to
protect personal data and ensure the privacy of individuals within the European
Union (EU), which is deemed to be a fundamental human right. The primary driver
behind the regulation is to give individuals greater control over their
personal data and how it is used. Despite its roots in the EU, GDPR also
addresses the collection or storage of personal data from any EU citizen, as
well as the export of data outside the region. Therefore, given the scope of
GDPR, compliance is a global concern.
Because cybersecurity was a main
driver behind GDPR, one of its mandates is that in the event that a data breach
occurs, companies that collect personal data are mandated to report it in to
the supervisory authority within 72 hours. Failure to comply with this
regulation could result in penalties equaling 4 percent of a company’s global
annual revenues or 20 million euros, whichever is greater.
Given the importance of
individuals’ privacy and the potential penalties for non-compliance, these are
important discussions; however, this focus is not enough for those of us in the
security industry, who have a dual responsibility under GDPR. Why is that?
In practical terms of protecting
individual privacy, GDPR places much of the responsibility and obligation on
businesses and other organizations that deal with personal data. One of the key
features of the new regulation is that those who are being monitored need to be
fully informed about what data is being held on them and how it is being used.
Under GDPR, this “personal data”
is defined very broadly as “any information relating to an identified or
identifiable natural person,” referred to as the “data subject.” Naturally, the
first types of personal data that come to mind are the classic examples such as
name, physical address, phone number and email address, all of which meet the
criteria. But these are only starting points, as the range of personal data
types is expansive, encompassing more than simply text-based data.
As security professionals, we
must recognize the reality that video in which a person can be identified is
also considered personal data and is therefore subject to GDPR guidelines and
requirements. Therefore, as organizations, we need to determine how best to
become compliant with how we handle customer and employee data, including
surveillance video. This dual responsibility must come into play when we
consider how we design and operate security systems and collect video data
through surveillance, including how we store and manage that video data after
collection.
To do so, it is important to
explore how many of the steps organizations must take to become GDPR compliant
are also necessary to ensure that video surveillance data is compliant as well.
These steps surveillance operators must take – and how they can be applied to
collected video – are outlined below.
Administration
In general, the first step in
ensuring GDPR compliance is to choose an administrator and record data
processing activities. As an organization seeking to become GDPR compliant, it
is essential to have a person on staff – known as a data processing officer –
who will ultimately be responsible for data integrity. Each company providing
video surveillance must choose an administrator.
In a security environment,
choosing this administrator allows for an open way to publicly identify the
person who is responsible for data collected from the surveillance systems and
provide that detail to anyone who is monitored by video upon their request. In
doing so, it is key to also make the name of this data processing officer
available to every person who requests data as prescribed under GDPR.
Every organization should also
have a procedure in place for when an individual chooses to exercise their
right of access to personal data or request its deletion, which allows them to
stay within the monthlong window within which GDPR requires them to comply with
these requests. When making such a request, it is reasonable to expect an
individual to provide adequate information in order to locate this data – for
example, an approximate timeframe, and the location where the footage was
captured.
Documentation
GDPR also recommends that record
of processing activities (ROPA) documentation be maintained and the following
information be made available upon request:
- Category of individuals that processed personal data relates to
- Purpose for which collected data is used
- Whether personal data will be transferred (to whom and for what reason)
- How long personal data will be stored
- Description of technical and organizational measures to ensure privacy
According to GDPR, administrators
should take all appropriate measures to provide this information concerning the
processing of their data by surveillance systems to monitored individuals in a
brief, transparent, comprehensible and easily accessible manner.
ROPA documentation must also include a risk assessment for individuals’ rights
and freedoms and planned measures to address these risks, which include
safeguards and mechanisms to ensure the protection of personal data and
compliance with GDPR. This should take into account the rights and legitimate
interests of individuals and other affected persons.
In a surveillance environment,
these items are equally important. Focusing for a moment on purpose and extent
of surveillance, it must be clear why and how much video is being collected,
and for what reason. One thing to discuss with potential solution providers is
the concept of privacy by design and “GDPR-ready” product features. In
evaluating solutions, organizations should look for those that will help them
more easily become GDPR compliant. An example would be technology supporting
defined view of a specific perimeter. By leveraging solutions to define the
perimeter, organizations adhere to GDPR in that they can more easily specify
the extent of video surveillance.
Data Processing Inventory Assessment
(DPIA)
Once an administrator has been
chosen and ROPA documentation is complete, a DPIA is required for cases of
“extensive systematic monitoring of publicly accessible premises.”
This requires specifying in writing why and for what purposes the camera system
is recording. For example, a city needs to manage electrical and water utility
stations and must ensure the utilities provide residents with dependable
service. Therefore, the perimeter of these utility stations must be protected
against crime and theft. Under GDPR, the city can specify that the surveillance
is provided for this purpose. Another example would be to ensure the safety of
citizens during public events, as surveillance video may be used by the police
to provide real-time situational awareness for officers in the field. In this
case, it can be specified, in accordance with GDPR guidelines, that video is
being collected to support public safety.
This information directly correlates to ROPA documentation, so again we can see
the connection between becoming compliant as an organization overall, as well
as ensuring compliance for GDPR with information and data collected in a
surveillance environment.
Data Security
Cybersecurity has been a major
topic within the security industry for some years now. The importance of a
surveillance system being cyber secure extends to compliance with GDPR, with
tight control of video data being another key recommendation. It is vitally
important when specifying a system that these critical measures are taken into
account. The less data that is readily accessible to those outside the scope of
an organization’s video data management procedures, the less risk there is of
becoming non-compliant. The same philosophy applies to data breaches; administrators
must report any leaks within 72 hours of notification.
To ensure GDPR compliance, companies should employ strong measures to prevent
unauthorized access to the personal data they store, including video. The
specific tools and tactics used by each company will be unique to the
challenges they face. In all situations, however, companies must employ robust
security controls, stay up to date with cybersecurity best practices and ensure
they are working with trusted partners that provide secure hardware and
software, as well as thorough aftercare. Therefore, organizations must work
with security professionals and partners to better understand potential
cybersecurity risks and talk about ways they can harden their systems to ensure
GDPR compliance.
From a compliance perspective,
the processes that must be put in place to ensure the “right to be forgotten”
in an organization are very similar to those necessary to ensure a surveillance
system is also in compliance. This requires taking a systematic approach to how
video data is stored, transferred and deleted. These methodologies will ensure
that if an individual requests his or her video footage be deleted, business
systems and organizational structure will be in place to adhere to this request
in an efficient manner. The concept of “right to be forgotten” is a significant
part of the GDPR guidelines, and as we are just months into this new guideline,
the impact on organizations and system operators after requests are submitted
still remains to be seen.
Data audit
The first step
toward cybersecurity risk management knows what data your company is collecting
and how it is stored. A comprehensive data audit is fundamental because you’ll
need to discover what information your company handles that could create liability
under the GDPR. The GDPR is very inclusive in its scope, so a data audit should
look at all platforms, device types and departments.
Risk assessment
Once you've done a data audit to
establish a clear picture of how your company’s data management works, you’ll
be in a position to make a risk assessment:
- What cyber-threats could your company face?
- Where are the security weak-points in your technology infrastructure?
- Do you have effective cybersecurity measures in place?
End-to-End Compliance
It is important to consider the
full scope of video surveillance. As a surveillance operator collecting video
about living individuals, an organization will fall under the category of data
controller and be held responsible for data management in accordance with GDPR.
Anyone having access to video data, including subcontractors and hosted service
providers, must meet requirements as well. These companies or individuals who
have access to recorded video on behalf of an organization, such as hosting
providers, fall under the category of data processors. In terms of company
compliance, when reviewing contracts to ensure all companies comply in the same
way as an organization has planned. In terms of surveillance, be sure to check
that any persons or organizations who have access to video are also compliant
and that contractual relationships reflect these obligations.
Ultimately, it is the
surveillance system user (i.e., data controller) who is responsible for GDPR
compliance and safeguarding the rights of individuals whose personal data the
user collects and processes. While the data controller has ultimate
responsibility to follow GDPR, data privacy is a team effort. Remember: We are
all in this together.
Therefore, for users of
surveillance equipment, solutions and services, it is important to partner with
suppliers that are committed to respecting and safeguarding individuals’
privacy and protecting personal data. Users should also be able to rely on
suppliers and vendors for the support and technical assistance necessary to
facilitate GDPR compliance.
Due to its intent, the onset of
GDPR is a positive one. It will allow data processors and controllers to use
data in appropriate ways and have clear guidelines/procedures in place for data
collection, management and surveillance. Many companies follow guidelines such
as the UN Global Compact when it comes to sustainability and environmental
responsibility. The UN Global Compact provides 10 clear principles to help
guide companies in their sustainability efforts. GDPR provides similar clear
direction to companies looking to protect individual privacy, a fundamental
human right.
Information on individuals is a
valuable asset and needs to be properly protected. Apart from making good
business sense, the reputation and success of your organization can be under
threat if personal information isn’t managed appropriately. Organizations can
demonstrate effective management of personal information with BS 10012 from BSI.
It helps you:
- Identify risks to personal information and put controls in place to manage or reduce them
- Demonstrate compliance with data protection legislation and gain preferred supplier status
- Gain stakeholder and customer trust that their personal data is protected
- Gain a tender advantage and win new business
- Safeguard your organizations reputation and avoid adverse publicity
- Protect you and your organization against civil and criminal liability
- Benchmark your own personal information management practices with recognized best practice.
Basic Principles of the GDPR
Clearly Justified Purpose
All organizations must have a valid lawful basis for collecting and processing
personal data
·
Privacy by Design
The GDPR mandates that privacy must be a priority throughout system design and
commissioning. The approach taken with respect to data privacy must be
proactive, not reactive. Risks should be anticipated and the objective must be
preventing events before they occur.
Right to Access
Under Article 15, the GDPR gives individuals control over their personal data
including the right to see that data.
Right to be Forgotten
Under Article 17, the GDPR gives individuals control over their personal data
including the right to have their personal data erased if it is no longer
necessary for the intended purpose of the system.
Security
The GDPR requires organizations have comprehensive policies and procedures
ensuring personal data remains within control of the organization at all times.
Additionally, personal data breaches must be reported within 72 hours to the
competent supervisory authority appointed by their country’s government.
Reference:
- https://www.mailguard.com.au/blog/gdpr-security-responsibility
- https://www.bsigroup.com/en-IN/
- https://edps.europa.eu/sites/edp/files/publication/10-03-17_video-surveillance_guidelines_en.pdf
- https://gdpr-info.eu/art-13-gdpr/