Video Security Organizations’ Dual Responsibility Under GDPR
GDPR, the EU General Data Protection Regulation, is now in effect (since May 25th, 2018). The regulation is designed to protect the data privacy of European Union (EU) residents, but because its rules apply to any company handling EU residents’ data, the true influence of the GDPR is international in scope. GDPR affects security technologies such as video surveillance systems. Here’s what you need to know to improve your GDPR compliance.
GDPR is a regulation set forth to protect personal data and ensure the privacy of individuals within the European Union (EU), which is deemed to be a fundamental human right. The primary driver behind the regulation is to give individuals greater control over their personal data and how it is used. Despite its roots in the EU, GDPR also addresses the collection or storage of personal data from any EU citizen, as well as the export of that data outside the region. Given this scope, GDPR compliance is a global concern.
Because cybersecurity was a main driver behind GDPR, one of its mandates is that when a data breach occurs, companies that collect personal data must report it to the supervisory authority within 72 hours. Failure to comply with this regulation could result in penalties equaling 4 percent of a company’s global annual revenue or 20 million euros, whichever is greater.
Given the importance of individuals’ privacy and the potential penalties for non-compliance, these are important discussions; however, this focus is not enough for those of us in the security industry, who have a dual responsibility under GDPR. Why is that?
In practical terms of protecting individual privacy, GDPR places much of the responsibility and obligation on businesses and other organizations that deal with personal data. One of the key features of the new regulation is that those who are being monitored must be fully informed about what data is being held on them and how it is being used.
Under GDPR, this “personal data” is defined very broadly as “any information relating to an identified or identifiable natural person,” referred to as the “data subject.” Naturally, the first types of personal data that come to mind are the classic examples such as name, physical address, phone number and email address, all of which meet the criteria. But these are only starting points, as the range of personal data types is expansive, encompassing more than simply text-based data.
As security professionals, we must recognize that video in which a person can be identified is also personal data and is therefore subject to GDPR guidelines and requirements. As organizations, we therefore need to determine how best to become compliant in how we handle customer and employee data, including surveillance video. This dual responsibility comes into play when we consider how we design and operate security systems and collect video data through surveillance, including how we store and manage that video data after collection.
To do so, it is important to explore how many of the steps organizations must take to become GDPR compliant are also necessary to ensure that video surveillance data is compliant. These steps, and how surveillance operators can apply them to collected video, are outlined below.
Administration
In general, the first step in ensuring GDPR compliance is to choose an administrator and record data processing activities. As an organization seeking to become GDPR compliant, it is essential to have a person on staff, known as a data processing officer, who will ultimately be responsible for data integrity. Each company providing video surveillance must choose such an administrator.
In a security environment, choosing this administrator provides an open way to publicly identify the person responsible for data collected by the surveillance systems and to provide that detail to anyone monitored by video upon request. It is therefore key to make the name of this data processing officer available to every person who requests data as prescribed under GDPR.
Every organization should also have a procedure in place for when an individual exercises their right of access to personal data or requests its deletion, so that the organization can respond within the one-month window GDPR allows for such requests. When making such a request, it is reasonable to expect an individual to provide adequate information to locate the data, for example an approximate timeframe and the location where the footage was captured.
Documentation
GDPR also recommends that records of processing activities (ROPA) documentation be maintained and that the following information be made available upon request:
- Categories of individuals to whom the processed personal data relates
- Purpose for which collected data is used
- Whether personal data will be transferred (to whom and for what reason)
- How long personal data will be stored
- Description of technical and organizational measures to ensure privacy
According to GDPR, administrators should take all appropriate measures to provide this information concerning the processing of their data by surveillance systems to monitored individuals in a brief, transparent, comprehensible and easily accessible manner.
ROPA documentation must also include a risk assessment for individuals’ rights and freedoms and the planned measures to address these risks, including safeguards and mechanisms to ensure the protection of personal data and compliance with GDPR. This should take into account the rights and legitimate interests of individuals and other affected persons.
In a surveillance environment, these items are equally important. Focusing for a moment on the purpose and extent of surveillance, it must be clear why and how much video is being collected, and for what reason. One thing to discuss with potential solution providers is the concept of privacy by design and “GDPR-ready” product features. In evaluating solutions, organizations should look for those that will help them more easily become GDPR compliant. An example would be technology that supports a defined view of a specific perimeter. By leveraging solutions to define the perimeter, organizations adhere to GDPR in that they can more easily specify the extent of video surveillance.
Data Processing Inventory Assessment (DPIA)
Once an administrator has been chosen and ROPA documentation is complete, a DPIA is required for cases of “extensive systematic monitoring of publicly accessible premises.” This requires specifying in writing why and for what purposes the camera system is recording. For example, a city needs to manage electrical and water utility stations and must ensure the utilities provide residents with dependable service. Therefore, the perimeter of these utility stations must be protected against crime and theft. Under GDPR, the city can specify that the surveillance is provided for this purpose. Another example would be ensuring the safety of citizens during public events, as surveillance video may be used by the police to provide real-time situational awareness for officers in the field. In this case, it can be specified, in accordance with GDPR guidelines, that video is being collected to support public safety.
This information directly correlates to ROPA documentation, so again we can see the connection between becoming compliant as an organization overall and ensuring GDPR compliance for information and data collected in a surveillance environment.
Data Security
Cybersecurity has been a major topic within the security industry for some years now. The importance of a surveillance system being cyber secure extends to compliance with GDPR, with tight control of video data being another key recommendation. It is vitally important when specifying a system that these critical measures are taken into account. The less data that is readily accessible to those outside the scope of an organization’s video data management procedures, the less risk there is of becoming non-compliant. The same philosophy applies to data breaches: administrators must report any leaks within 72 hours of notification.
To ensure GDPR compliance, companies should employ strong measures to prevent unauthorized access to the personal data they store, including video. The specific tools and tactics used by each company will be unique to the challenges they face. In all situations, however, companies must employ robust security controls, stay up to date with cybersecurity best practices and ensure they are working with trusted partners that provide secure hardware and software, as well as thorough aftercare. Therefore, organizations must work with security professionals and partners to better understand potential cybersecurity risks and discuss ways they can harden their systems to ensure GDPR compliance.
From a compliance perspective, the processes that must be put in place to ensure the “right to be forgotten” in an organization are very similar to those necessary to ensure a surveillance system is also in compliance. This requires taking a systematic approach to how video data is stored, transferred and deleted. These methodologies will ensure that if an individual requests that his or her video footage be deleted, business systems and organizational structure will be in place to honor this request efficiently. The concept of the “right to be forgotten” is a significant part of the GDPR guidelines, and as we are just months into this new guideline, the impact on organizations and system operators after requests are submitted still remains to be seen.
Data audit
The first step toward cybersecurity risk management is knowing what data your company is collecting and how it is stored. A comprehensive data audit is fundamental because you’ll need to discover what information your company handles that could create liability under the GDPR. The GDPR is very inclusive in its scope, so a data audit should cover all platforms, device types and departments.
Risk assessment
Once you’ve done a data audit to establish a clear picture of how your company’s data management works, you’ll be in a position to make a risk assessment:
- What cyber-threats could your company face?
- Where are the security weak-points in your technology infrastructure?
- Do you have effective cybersecurity measures in place?
End-to-End Compliance
It is important to consider the full scope of video surveillance. As a surveillance operator collecting video of living individuals, an organization falls under the category of data controller and is held responsible for data management in accordance with GDPR. Anyone having access to video data, including subcontractors and hosted service providers, must meet the requirements as well. Companies or individuals who have access to recorded video on behalf of an organization, such as hosting providers, fall under the category of data processors. In terms of company compliance, contracts should be reviewed to ensure that all such companies comply in the same way the organization has planned. In terms of surveillance, be sure to check that any persons or organizations who have access to video are also compliant and that contractual relationships reflect these obligations.
Ultimately, it is the surveillance system user (i.e., the data controller) who is responsible for GDPR compliance and for safeguarding the rights of individuals whose personal data the user collects and processes. While the data controller has ultimate responsibility to follow GDPR, data privacy is a team effort. Remember: we are all in this together.
Therefore, for users of surveillance equipment, solutions and services, it is important to partner with suppliers that are committed to respecting and safeguarding individuals’ privacy and protecting personal data. Users should also be able to rely on suppliers and vendors for the support and technical assistance necessary to facilitate GDPR compliance.
Due to its intent, the onset of GDPR is a positive one. It will allow data processors and controllers to use data in appropriate ways and have clear guidelines and procedures in place for data collection, management and surveillance. Many companies follow guidelines such as the UN Global Compact when it comes to sustainability and environmental responsibility. The UN Global Compact provides 10 clear principles to help guide companies in their sustainability efforts. GDPR provides similarly clear direction to companies looking to protect individual privacy, a fundamental human right.
Information on individuals is a valuable asset and needs to be properly protected. Apart from making good business sense, the reputation and success of your organization can be under threat if personal information isn’t managed appropriately. Organizations can demonstrate effective management of personal information with BS 10012 from BSI. It helps you:
- Identify risks to personal information and put controls in place to manage or reduce them
- Demonstrate compliance with data protection legislation and gain preferred supplier status
- Gain stakeholder and customer trust that their personal data is protected
- Gain a tender advantage and win new business
- Safeguard your organization’s reputation and avoid adverse publicity
- Protect you and your organization against civil and criminal liability
- Benchmark your own personal information management practices with recognized best practice.
Basic Principles of the GDPR
Clearly Justified Purpose
All organizations must have a valid lawful basis for collecting and processing personal data.
Privacy by Design
The GDPR mandates that privacy must be a priority throughout system design and commissioning. The approach taken with respect to data privacy must be proactive, not reactive. Risks should be anticipated, and the objective must be to prevent events before they occur.
Right to Access
Under Article 15, the GDPR gives individuals control over their personal data, including the right to see that data.
Right to be Forgotten
Under Article 17, the GDPR gives individuals control over their personal data, including the right to have their personal data erased if it is no longer necessary for the intended purpose of the system.
Security
The GDPR requires that organizations have comprehensive policies and procedures ensuring personal data remains within the control of the organization at all times. Additionally, personal data breaches must be reported within 72 hours to the competent supervisory authority appointed by their country’s government.
hey Indian, Awareness of police misconduct and calls for reform in the United States have increased over the last decade. In some cases, officers were investigated and prosecuted at the state level for their actions. Other incidents investigated by the U.S. Department of Justice resulted in criminal prosecution of a police officer for violating a person’s constitutionally protected rights.
For example, from 2009 to 2012 the U.S. Department of Justice charged 254 police officers throughout the United States with violating the individual rights of Americans.
The private security industry remains historically insulated from claims of civil rights-related violations and the resulting criminal sanctions that can be imposed against security personnel. The private security industry in the United States is much larger than the public sector police force; the industry outnumbers public police by a ratio of at least three to one. This growing number of security personnel could lead to increased civil rights violations.
The security industry is also less regulated, meaning that security personnel have varying amounts of training while public sector police counterparts have mandated training programs. This discrepancy in training can also become a problem because many private security personnel have direct contact with the public, often performing quasi-judicial police-related activities.