Security Organizations’ Dual Responsibility Under GDPR

GDPR affects security technologies like video surveillance systems. Here’s what you need to know to improve your GDPR compliance.

Since the General Data Protection Regulation (GDPR) was implemented on May 25, much of the information has been focused on how organizations can – and must – approach their data practices to not only become compliant but also maintain that compliance.

GDPR is a regulation set forth to protect personal data and ensure the privacy of individuals within the European Union (EU), which is deemed to be a fundamental human right. The primary driver behind the regulation is to give individuals greater control over their personal data and how it is used. Despite its roots in the EU, GDPR also addresses the collection or storage of personal data from any EU citizen, as well as the export of data outside the region. Therefore, given the scope of GDPR, compliance is a global concern.

Because cybersecurity was a main driver behind GDPR, one of its mandates is that in the event that a data breach occurs, companies that collect personal data are mandated to report it in to the supervisory authority within 72 hours. Failure to comply with this regulation could result in penalties equaling 4 percent of a company’s global annual revenues or 20 million euros, whichever is greater.

Given the importance of individuals’ privacy and the potential penalties for non-compliance, these are important discussions; however, this focus is not enough for those of us in the security industry, who have a dual responsibility under GDPR. Why is that?

In practical terms of protecting individual privacy, GDPR places much of the responsibility and obligation on businesses and other organizations that deal with personal data. One of the key features of the new regulation is that those who are being monitored need to be fully informed about what data is being held on them and how it is being used.

Under GDPR, this “personal data” is defined very broadly as “any information relating to an identified or identifiable natural person,” referred to as the “data subject.” Naturally, the first types of personal data that come to mind are the classic examples such as name, physical address, phone number and email address, all of which meet the criteria. But these are only starting points, as the range of personal data types is expansive, encompassing more than simply text-based data.

As security professionals, we must recognize the reality that video in which a person can be identified is also considered personal data and is therefore subject to GDPR guidelines and requirements. Therefore, as organizations, we need to determine how best to become compliant with how we handle customer and employee data, including surveillance video. This dual responsibility must come into play when we consider how we design and operate security systems and collect video data through surveillance, including how we store and manage that video data after collection.

To do so, it is important to explore how many of the steps organizations must take to become GDPR compliant are also necessary to ensure that video surveillance data is compliant as well. These steps surveillance operators must take – and how they can be applied to collected video – are outlined below.

Administration

In general, the first step in ensuring GDPR compliance is to choose an administrator and record data processing activities. As an organization seeking to become GDPR compliant, it is essential to have a person on staff – known as a data processing officer – who will ultimately be responsible for data integrity. Each company providing video surveillance must choose an administrator.

In a security environment, choosing this administrator allows for an open way to publicly identify the person who is responsible for data collected from the surveillance systems and provide that detail to anyone who is monitored by video upon their request. In doing so, it is key to also make the name of this data processing officer available to every person who requests data as prescribed under GDPR.

Every organization should also have a procedure in place for when an individual chooses to exercise their right of access to personal data or request its deletion, which allows them to stay within the monthlong window within which GDPR requires them to comply with these requests. When making such a request, it is reasonable to expect an individual to provide adequate information in order to locate this data – for example, an approximate timeframe, and the location where the footage was captured.

Documentation

GDPR also recommends that record of processing activities (ROPA) documentation be maintained and the following information be made available upon request:

• Category of individuals that processed personal data relates to
• Purpose for which collected data is used
• Whether personal data will be transferred (to whom and for what reason)
• How long personal data will be stored
• Description of technical and organizational measures to ensure privacy

According to GDPR, administrators should take all appropriate measures to provide this information concerning the processing of their data by surveillance systems to monitored individuals in a brief, transparent, comprehensible and easily accessible manner.
ROPA documentation must also include a risk assessment for individuals’ rights and freedoms and planned measures to address these risks, which include safeguards and mechanisms to ensure the protection of personal data and compliance with GDPR. This should take into account the rights and legitimate interests of individuals and other affected persons.

In a surveillance environment, these items are equally important. Focusing for a moment on purpose and extent of surveillance, it must be clear why and how much video is being collected, and for what reason. One thing to discuss with potential solution providers is the concept of privacy by design and “GDPR-ready” product features. In evaluating solutions, organizations should look for those that will help them more easily become GDPR compliant. An example would be technology supporting defined view of a specific perimeter. By leveraging solutions to define the perimeter, organizations adhere to GDPR in that they can more easily specify the extent of video surveillance.

Data Processing Inventory Assessment (DPIA)

Once an administrator has been chosen and ROPA documentation is complete, a DPIA is required for cases of “extensive systematic monitoring of publicly accessible premises.”
This requires specifying in writing why and for what purposes the camera system is recording. For example, a city needs to manage electrical and water utility stations and must ensure the utilities provide residents with dependable service. Therefore, the perimeter of these utility stations must be protected against crime and theft. Under GDPR, the city can specify that the surveillance is provided for this purpose. Another example would be to ensure the safety of citizens during public events, as surveillance video may be used by the police to provide real-time situational awareness for officers in the field. In this case, it can be specified, in accordance with GDPR guidelines, that video is being collected to support public safety.
This information directly correlates to ROPA documentation, so again we can see the connection between becoming compliant as an organization overall, as well as ensuring compliance for GDPR with information and data collected in a surveillance environment.

Data Security

Cybersecurity has been a major topic within the security industry for some years now. The importance of a surveillance system being cyber secure extends to compliance with GDPR, with tight control of video data being another key recommendation. It is vitally important when specifying a system that these critical measures are taken into account. The less data that is readily accessible to those outside the scope of an organization’s video data management procedures, the less risk there is of becoming non-compliant. The same philosophy applies to data breaches; administrators must report any leaks within 72 hours of notification.
To ensure GDPR compliance, companies should employ strong measures to prevent unauthorized access to the personal data they store, including video. The specific tools and tactics used by each company will be unique to the challenges they face. In all situations, however, companies must employ robust security controls, stay up to date with cybersecurity best practices and ensure they are working with trusted partners that provide secure hardware and software, as well as thorough aftercare. Therefore, organizations must work with security professionals and partners to better understand potential cybersecurity risks and talk about ways they can harden their systems to ensure GDPR compliance.

From a compliance perspective, the processes that must be put in place to ensure the “right to be forgotten” in an organization are very similar to those necessary to ensure a surveillance system is also in compliance. This requires taking a systematic approach to how video data is stored, transferred and deleted. These methodologies will ensure that if an individual requests his or her video footage be deleted, business systems and organizational structure will be in place to adhere to this request in an efficient manner. The concept of “right to be forgotten” is a significant part of the GDPR guidelines, and as we are just months into this new guideline, the impact on organizations and system operators after requests are submitted still remains to be seen.

End-to-End Compliance

It is important to consider the full scope of video surveillance. As a surveillance operator collecting video about living individuals, an organization will fall under the category of data controller and be held responsible for data management in accordance with GDPR. Anyone having access to video data, including subcontractors and hosted service providers, must meet requirements as well. These companies or individuals who have access to recorded video on behalf of an organization, such as hosting providers, fall under the category of data processors. In terms of company compliance, when reviewing contracts to ensure all companies comply in the same way as an organization has planned. In terms of surveillance, be sure to check that any persons or organizations who have access to video are also compliant and that contractual relationships reflect these obligations.

Ultimately, it is the surveillance system user (i.e., data controller) who is responsible for GDPR compliance and safeguarding the rights of individuals whose personal data the user collects and processes. While the data controller has ultimate responsibility to follow GDPR, data privacy is a team effort. Remember: We are all in this together.

Therefore, for users of surveillance equipment, solutions and services, it is important to partner with suppliers that are committed to respecting and safeguarding individuals’ privacy and protecting personal data. Users should also be able to rely on suppliers and vendors for the support and technical assistance necessary to facilitate GDPR compliance.

Due to its intent, the onset of GDPR is a positive one. It will allow data processors and controllers to use data in appropriate ways and have clear guidelines/procedures in place for data collection, management and surveillance. Many companies follow guidelines such as the UN Global Compact when it comes to sustainability and environmental responsibility. The UN Global Compact provides 10 clear principles to help guide companies in their sustainability efforts. GDPR provides similar clear direction to companies looking to protect individual privacy, a fundamental human right.