GDPR and video surveillance: guidelines on how to process surveillance data


March 5, 2018

GDPR and video surveillanceTo say a lot has been written and said about GDPR is an understatement. The new data security regulations, of which the enforcement date is May 25th of this year, keep minds busy in companies inside and outside of Europe. The complexity of the regulations leaves a lot of companies guessing on how they have to prepare for the enforcement of the new data laws. Especially when it comes to the use of video surveillance and the processing of its data, it is unclear to many what is and what is not allowed. To guide you towards a smooth transition to the new rules, we’ve set-up some guidelines to help you prepare for its enforcement.

What is GDPR?

The general data protection regulation (GDPR) of the European Union is the latest addition to data privacy regulations and replaces the Data Protection Directive 95/46/EC. The GDPR is an extension of the existing data laws and reinforces the current rules on data privacy.

An essential difference between the old and new rules is that from May 25th the data protection regulations do on not only apply to European organisations which process personal data, but also to foreign organisations doing business in the EU. Furthermore, in the new regulations, the concept of personal data has been modified. Personal data can now be understood to mean: all information about an identified or identifiable person. This means that if the data can be used to a identify or single-out a person of a group, it is considered personal data and should be processed according to data protection regulations.

Another significant change is that from May on you have to ask for permission to collect personal data in a clear and unambiguous way. The person has to give permission purposefully and can retract this permission anytime they want. Also, you are only allowed to gather data which you specifically need for a particular purpose or goal. When personal data is no longer explicitly required to attain this goal, the data has to be deleted. Finally, you always have to be able to prove that you comply with all GDPR regulations.

Can video surveillance data be considered personal data?

When a specific type of data can be used to identify people, you have to collect and process this data in compliance with GDPR. Personal data can be divided into two subsections: personal data and sensitive personal data.

Personal data is data which relates to a living person who can be identified. Examples of personal data are email addresses, social security numbers, phone numbers, civil statuses etcetera. Sensitive personal data is data which consists of information on racial or ethnic origin, political opinions, religious beliefs, physical or mental health status, sexual preferences and the commision of any offence. Photos, videos and fingerprints are also considered to be sensitive personal data.

Since mobile surveillance videos often contain footage of people, this type of data can be considered sensitive personal data. In case you are using mobile video surveillance, this means that before May 25th you might have to make some changes if you want to keep using your surveillance equipment lawfully.

gdpr and video surveillance

GDPR best practices for processing video surveillance data

To assist you in getting ready for the enforcement of GDPR, we’ve summarised five best practices which we believe help you take the first steps in processing video surveillance data in compliance with GDPR.

  • Be explicit on justification and purpose of data collection

Crucial for the collection of sensitive personal data through video surveillance is the identification of a specific security problem. To be allowed to gather personal data, the exact purpose of the data collection has to be clear and specified. As a user of video surveillance, you always need to have a justification for the video footage you are collecting and storing.

  • Limit data collection and processing to what’s necessary

The GDPR allows only targeted data collection of specifically identified security problems. This minimises the collection of irrelevant footage and reduces intrusions into privacy. When making use of video surveillance, this means you have to explicitly identify your security problem and describe what information you need to solve this problem. What areas do you specifically have to monitor? Parts of the data you’re collecting which are not necessary to solve your security problem should be blanked out. For example in Milestone’s Xprotect, you have the ability to mask area’s preventing identification of people in areas of surveillance that are not relevant.

  • Define who is processing the data and for how long it is kept

The way you store the data collected through video surveillance has to be compliant with the new GDPR. This means that personal data has to be stored securely and that it has to be deleted when it no longer serves its purpose.

As a user of video surveillance you have to ensure that your footage is securely stored and that cybercriminals cannot get a hold of this data. Furthermore, the timely and automatic deletion of the footage is essential. The GDPR requires all organisations using video surveillance to have a policy regarding the use of video surveillance and the storage of its footage.
 

  • Right of information

According to the GDPR, people should always be aware that their data is collected. Either by intentionally giving their permission or by clearly being informed that their data is collected when, for example, visiting a specific location. When using video surveillance in a building, clear signs which make people aware of the fact that they are being filmed are mandatory. These signs should inform visitors about the monitoring, its purpose and the length of time for which the footage is kept and by whom.  

Mobile video surveillance, however, is used in dynamic situations which do not facilitate the use of signs to make people aware of the filming. When using mobile live streaming for surveillance purposes, make sure that people who are being filmed are aware of this. Exceptions are made for specific law enforcement projects. Find a specification of these exceptions here. 

  • Establish processes for handling data

Cybercriminals are getting more active, and as an organisation which handles personal data, you do not want this kind of sensitive data to become public. To be able to guarantee a secure data stream encryption should be used when sending data from one place to another. Special surveillance equipment or software solutions can help you set up a secure data stream and reduce the risk of data breaches. Soliton’s mobile surveillance solutions can be enabled to ensure all live streams are encrypted securely using AES256 encryption.

 

Are you prepared for the GDPR enforcement?

Privacy and data security are important issues that should not be taken lightly. The new GDPR regulations help to secure personal data and protect people’s privacy.

This, however, does not mean that video surveillance cannot be used as a security tool anymore. With the right adjustments, of which we gave you some examples in this blog, video surveillance can be used under the new GDPR enforcement and help public safety departments increase safety levels.

Knowing exactly how to process video surveillance footage in compliance with GDPR is essential since mobile video surveillance can help public safety departments to fix blind spots, accelerate decision making and enhance public safety. Do you want to know more about mobile surveillance, the latest innovation in public safety surveillance?

Then our white paper could offer you valuable insights. In our white paper Mobile Surveillance in the Public Safety Domain we explain how mobile live streaming could help solve pressing challenges of public safety departments and can improve public safety. 

White paper Mobile Surveillance

Get our newsletter direct to your inbox

Articles you might enjoy