How GDPR Impacts Commercial Video Security Systems

When we talk to anyone with a European presence, GDPR (General Data Protection Regulation) is often one of their first questions.

At Rhombus Systems, we put all of the controls and safeguards in place to ensure that your company can use our security cameras with complete confidence. With our experience in helping customers with GDPR, we want to share with you what we’ve learned as part of this process.

Heads-up, this article is a bit on the long side, but we wanted to give you enough background about GDPR so you feel well-informed when deploying a video security solution. This article will provide a background on GDPR and then discuss how it relates to companies that want to use security cameras at their office locations within the EU. And finally, it will offer some best practices for when you're ready to deploy those cameras.

Given how complex a topic this is, we hope you find it helpful. If you any questions about this topic or video security, please reach out to us, and we’ll be more than happy to help guide you through it.

Background and Definitions

GDPR Overview

GDPR went into effect on May 25, 2018 and is primarily a set of data privacy laws for everyday people or consumers. The laws are meant to guide how organizations and businesses handle the personal data of the end users that interact with them. If companies do not properly safeguard this information and comply with these regulations, then there are potential fines (which can be large) they are subject to.

At the heart of GDPR is personal data. By definition, personal data can be anything used to directly or indirectly identify a person. This might be a name, email address, session cookies, or in the case of video security, biometric data.

There are 3 main parties involved when considering GDPR:

• Data subjects
• Data controllers
• Data processors

Data Subjects

These are the people whose information might be collected. These could be employees or just people in public passing by a security camera.

Data Controllers

According to the UK’s data protection regulator, the Information Commission’s Office (ICO), “Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.” In terms of video surveillance solutions, data controllers are the businesses or organizations that are using the solution. Ultimately, data controllers bare most of the exposure of GDPR compliance.

Data Processors

"Processors act on behalf of, and only on the instructions of, the relevant controller," according to ICO. They are the ones that process personal data on behalf of a data controller. Examples of data processors are web analytics firms, an online medical records company that hosts this information for healthcare providers, or even video security providers. Processors must work closely with data controllers to ensure the data controller is compliant with GDPR. Generally, this working relationship is defined within a Data Processing Agreement (DPA).

Even though a processor might be based in the US, it is still subject to the GDPR regulations if its customers (the data controllers) are based in the EU or handling the data of EU people. The same applies to data controllers.

With respect to video security solutions, Rhombus Systems and other vendors like us would be a data processor as we generally sell our solutions to businesses to use for their own purposes.

Data Processing Agreement

The data processing agreement (DPA) is an agreement between the data controller and data processor outlining the rights and obligations of each party when handling personal data. It’s required for data controllers to have these in place with their data processors to remain in compliance of GDPR.

Biometric Data, Facial Recognition, and License Plate Recognition

Perhaps the most identifiable forms of information that video systems will pick up are faces and license plates. The regulations are still a bit gray of whether you can use facial recognition for internal purposes. However, if you use it in a public setting, it can only be used for “reasons of substantial public interest”. A good example of public interest is law enforcement, but an example where there is little “public interest” is identifying loyal shoppers that are coming into a store.

In the first GDPR fine over facial recognition, a school in Sweden was fined for using facial recognition to check for student attendance. Even though the school asked for student consent, it was determined the consent was not valid since there is an unequal balance of power between the school and students. Secondly, the school did not conduct a Data Protection Impact Assessment (DPIA) which is used to assess the impact of “new technologies” when “processing on a large scale of special categories of data”. A special category of data includes biometrics.

As you can see, even when using facial recognition for a very defined case in your own private setting, it’s possible to run afoul of GDPR.

GDPR Considerations When Deploying a Video Security Solution

Public Signage

Articles 12 and 13 stipulate that the data controller should specify contact information, the purpose of the security cameras, and the duration it is stored.

Bottom line, it’s very important to tell anyone that might be captured by the cameras (whether in public or internal employees) that the cameras are in use and how to contact the appropriate people about them.

Data Retention Requirements

There are no specified data retention requirements within GDPR, but it does state you shouldn’t keep data longer than necessary for its original purpose. If you store data indefinitely, you’ll probably violate GDPR.

Data Breaches and Notifications

GDPR requires that a data controller has 72 hours to inform their country’s data protection authority about any data breaches. If the breach directly impacted any people, then it also needs to inform those people within 72 hours.

If the data processor has a breach, then they must notify the controller “without undue delay.” A maximum timeframe can often be set in the data processing agreement between the data controller and data processor.

Data Encryption

There are no stated standards for data encryption within GDPR, but it does state “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”.

Given the sensitive nature of video footage, it’s incredibly important that processors have incredibly strong controls around the data and protect it with the latest safeguards.

Data Residency

In general, it’s best if data is resident in the country where it originated. With a cloud video security system, it’s possible that some data is transferred to other countries outside of where the video was collected.

When this happens, it’s imperative to have a DPA in place that governs these restricted data transfers.

Data Request From Data Subjects and the Right to Forget

Data subjects have the right to ask for any personal data collected about them and data controllers (and in turn data processors) have one month to deliver this data.

In the case of video security, it’s unclear how far controllers and processors have to go to comply with these requests. If the data controller cannot identify the data subject or the request is excessive (far too much data to sift through), then the data controller does not have to comply. All denials though must be accompanied with an explanation when responding to the data subject. Furthermore, a data controller must also ensure they are not giving away the personal information of others when complying with these requests which might be tricky.

Data subjects also have the right to be forgotten which means a controller must remove all personal data they have about a data subject free of charge. A good processor would make tools available to a data controller to easily comply with these types of requests or to handle these requests on behalf of the data controller.

An example of the right to be forgotten being applied to a video security solution is a data subject asking to remove any facial recognition data. The resolution here is removing any associations of their name to their face within the system as well as possibly removing any stored images of their face.

What do I need to do to be compliant for GDPR with video security?

We recommend a few simple steps.

1. Choose a vendor with experience handling GDPR deployments
2. Put a data processing agreement (DPA) in place between your company and the video security vendor.
   • At Rhombus, we provide these to our customers which is tailored to video solutions
3. Hang signage in public areas and within your offices explaining your usage of security cameras and giving contact information for more details about their purpose
4. Double and triple check with your legal teams if you intend to use facial recognition and/or license plate recognition
5. Choose a vendor that can help you comply with data subject requests
   • The obligations for both parties to comply with these should be defined in your DPA
6. Choose a vendor that takes cyber-security and protecting customer data seriously and regularly publishes the results of 3rd party security audits • Cyber-security lives at the core of Rhombus. Read more about our practices here and here.
7. Choose a vendor you ultimately trust in this relationship

If you made it this far, congrats! We know that was a long article, but for those considering a deployment in the EU, we think that knowing the ins and outs of GDPR is really important. Please feel free to reach out to our team if you have additional questions about GDPR and how it might affect your use of a video security solution.