Video surveillance systems are viewed as highly intrusive, taking away people's right to remain undetected, as stated in the video surveillance guidelines by the European Data Protection Board (EDPB). The EDPB is an autonomous European body that ensures the implementation of GDPR (data protection regulations for the EU region). With most businesses utilizing video surveillance, it is critical to meet all GDPR compliance requirements in order to avoid the extremely high penalty. It might all seem overwhelming, but worry not! This blog piece covers in depth all the "Dos-and-Don'ts" of working with video surveillance under GDPR.
But wait, you might ask: why does GDPR regulate your video surveillance system? The simple answer is that GDPR regulates and protects the processing of any type of personal data. This includes audio-visual data collected through surveillance cameras. It is critical to note that any surveillance done by EU competent authorities to identify and prevent crimes, and videos captured for private household purposes, are exempted from GDPR.
You can avoid the hassle of decoding what the EDPB requires by opting for a GDPR-compliant enterprise-grade video management system (VMS), VIDIZMO EnterpriseTube. VIDIZMO allows you to swiftly meet all the security and processing requirements of GDPR through features including access controls, content segregation, redaction, audit logs, and content encryption.
But we are getting ahead of ourselves. Let us first go over some other critical steps you must take to ensure GDPR-compliant video surveillance.
Consent Alone is Not Enough
You might think that putting up a notice on the premises informing all employees and visitors about the video surveillance is enough to meet the GDPR requirements. Well, think again. Unless you can individually obtain consent from each and every individual being recorded, simply posting a notice on your walls (like the one shown below) is not enough!
Transparently Share the Purpose of Surveillance
GDPR gives transparency the utmost priority, and rightfully so. People being recorded have the right to be aware of it. This is so they can exercise their right of access to their personal information being collected (GDPR Article 15), or they might want to exercise their right to be forgotten (GDPR Article 17). A GDPR-compliant enterprise video platform, like VIDIZMO, offers accelerated redaction of all the faces you need to hide to meet the GDPR requirements.
Hence, a GDPR-compliant notice with appropriate visual cues should be placed in a prominent place where all visitors can easily view it. You should also provide your organization's contact information so that they can contact you to enquire about further details.
Provide a Lawful Reason: Why Exactly Are You Monitoring?
GDPR Article 6 has provided some clear guidelines regarding the circumstances where it will be acceptable to process personal data lawfully (including that collected from video devices). You must meet one of the following reasons to justify the collection and processing of such data:
- Consent: The data subjects have clearly consented for their personal data to be processed.
- Contract: It might be a requirement for a contract with the data subject to be fulfilled or the
- Legal Obligations: Recording might have been a requirement by the law for the data controller.
- Vital Interests: It could be that data is processed to safeguard the vital interests (like physical safety) of someone.
- Public Task: Video surveillance could be simply necessary for public interest or to exercise some other official functions.
- Legitimate Interests: There could be some other valid interest that could require surveillance. These, however, cannot override the fundamental rights of the data subjects.
It is also critical for your legal reason to be authentic and currently applicable. An example could be you trying to protect your property from burglary. The reason needs to be reviewed and validated at regular intervals to check whether surveillance is still necessary. You must also first try alternative means and view video surveillance as a last resort.
Greater Protection Required When Processing Special Category Data
Processing personal data (like genetic data or biometric data) that allows you to uniquely identify a person requires heightened vigilance, as there is a greater risk of a breach of the rights of data subjects.
Biometric data is especially relevant to the processing that can be done on video data, including facial measurements for running processes like facial recognition. As per GDPR Article 9, it is critical to have the explicit consent of data subjects or to meet one of the other special circumstances in such instances. Suppose some people refuse to provide consent and do not fall under one of the exceptional circumstances. In that case, you should either stop the processing entirely or redact them out of the footage to avoid breaching GDPR.
Above all else, it is of utmost importance to protect this data through security measures that restrict unauthorized access or leakage and ensure that it is not exploited for any other purpose.
Adopt a GDPR-Compliant Video Management System (VMS)
You must opt for a video management system that allows you to comply with GDPR, which requires comprehensive security, without compromising on your video processing and management capabilities. A standard VMS will not cut it in this modern era of AI and high availability requirements with critical security risks.
VIDIZMO is the best solution for this purpose, as detailed below:
How does VIDIZMO help?
VIDIZMO is a Gartner-recognized video content management system (VMS) best designed for enterprise-grade use cases. As opposed to legacy systems, VIDIZMO has been designed to handle large-scale video processing in a highly secure environment while allowing you to run AI-driven processes to accelerate capabilities like search and redaction. Here's how VIDIZMO will enable you to meet all your GDPR video processing requirements:
Access Controls & Data Segregation
Restrict access to your surveillance footage either by sharing it with specific users or user groups. Control what actions (like downloading or sharing) users can perform by assigning them roles with pre-defined permissions. You can also create entirely separate video portals with independent billing, custom security policies, and administrative policies.
VIDIZMO removes any need for you to download the footage for playback. There are optimized playback capabilities. Organize videos in relevant folders and search them for quick discovery and viewability. Limited sharing capability allows you to externally share password-protected videos by limiting the number of views allowed and the time frame of availability.
Custom Retention Period
GDPR guides you to delete personal data automatically as soon as the validity of its purpose ends. VIDIZMO flexibly allows you to set a custom retention period for your videos.
There are various scenarios where you might have to redact certain people out of your surveillance footage in order to meet GDPR requirements. Here are two examples of such instances arising:
- Some data subjects could exercise the "right of access" to their personal data being captured. Before showing the footage to these data subjects, you must redact the faces of all the other people in the footage, as otherwise their privacy would be violated as well.
- Data subjects could also exercise their "right to be forgotten", which would require you to redact their faces from the footage.
- While processing sensitive personal data, some data subjects could entirely refuse to give consent. So, in order to continue with the surveillance, you will need to redact these individuals.
In such instances, manually finding and redacting a face is an extreme hassle that you might want to avoid. Instead, benefit from the automatic face detection capability of VIDIZMO, which allows you to perform accelerated redaction of the required faces.
Maintain and monitor the audit logs for all the activities performed by each user on the surveillance footage. Ensure that no unauthorized access or action took place.
VIDIZMO provides robust security features that truly offer a safe environment for all your enterprise videos, including surveillance footage. Here are just a few of these features:
- End-to-end content encryption
- DRM support
- SSO integration with 25+ SSO providers
- Domain and Geo-Restriction
- Role-based access controls
Cloud-Based VMS with Additional Security
Opt for the cloud deployment option with a well-known cloud service provider like Microsoft Azure or AWS to benefit from additional security layers. You will also obtain wide-ranging compliance coverage. Cloud deployment offers you greater scalability to swiftly scale up or down as your video needs shift. You can also create data redundancy with backups in place to avoid any potential loss. Choose to deploy in either commercial cloud or government cloud based on the level of your security requirements.
Finally, it is best to remember that a huge penalty is looming above your head in case of a breach of any GDPR requirement. The maximum penalty forces you to pay either €20 million or 4% of your revenue (higher of the two). Hence, it is best to take these requirements seriously and adopt appropriate measures.
Opt for VIDIZMO to rid yourself of all the hassle and quickly come up to speed with the current needs. Contact our team today to clear up any queries or go for a free trial to test out the solution yourself!
Disclaimer: This article is for information purposes only. We recommend you perform further due diligence by doing your own research and going over the official GDPR articles.