The European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, but there is much confusion and no clear guidelines on exactly how these new regulations will impact the video surveillance industry.
We have compiled the following guide, based on our own research into the primary sources for the regulation as well as numerous discussions, covering the following:
- GDPR basics
- Surveillance industry concerns
- New regulations / no legal precedent
- GDPR terms defined
- Public signage requirements
- Design concerns
- Impact on recording video
- Usage of biometrics / facial recognition / gender / age recognition
- Dealing with data requests from people
- Dealing with cybersecurity / vulnerabilities
- Who has 'exceptions' to the GDPR
- Do I need to get certified?
- Do I need to hire a Data Protection Officer?
- Do DPOs need a certification or some sort of qualification?
After finishing this guide, you should be able to answer our 10-question quiz on GDPR.
GDPR Basics And Industry Concerns
The GDPR regulates all companies processing the personal data of people in the EU, regardless of where the company might be based. Because video footage of someone is considered their data, the video surveillance industry is directly impacted by the GDPR.
The GDPR gives data subjects in the EU significant new rights to access and remove their data while imposing restrictions on how this data can be collected. But the GDPR itself makes no mention of how it applies to video surveillance, and it threatens tough penalties for misconduct.
Surveillance Industry Concerns
That has led to a significant amount of uncertainty and fear for video surveillance, an industry where unprepared companies could find themselves subject to big fines. GDPR provisions like the right of people to request their data be removed or the need to obtain consent from data subjects also raise significant logistical hurdles in video surveillance, especially in areas like Artificial Intelligence / AI / Deep Learning where attempts are made at categorizing people by face, age, gender and ethnicity.
Warning - Regulations New / Imprecise / No Legal Precedent
Before reading this guide, you should be aware of the following factors:
1. GDPR regulations are imprecise and can be interpreted in a number of ways. Most importantly, the GDPR makes no explicit mention of video surveillance, so we have yet to see exactly how GDPR regulations will be applied to the security industry.
2. The GDPR only goes into effect on May 25th, so there are no legal precedents we can refer to in order to interpret its regulations.
3. Despite 1 and 2, manufacturers, consultants, and many others often claim to provide fully accurate insights into GDPR compliance, something which can require paying them substantial fees. Taking their advice at face value may present risks, so we have compiled our guide using primary EU documents to the fullest extent possible rather than the opinions of third parties.