Keeping watch: How does GDPR affect smart video?

16 Oct 2018

Andreas Pettersson. Image: Arcules

GDPR compliance extends far beyond just consumer web browsing, says Arcules CEO Andreas Pettersson.

After two years and plenty of preparation, discussion and hand-wringing, implementation day of the General Data Protection Regulation (GDPR) has come and gone.

An EU-introduced regulation, the GDPR governs the use of personally identifiable information (PII) by organisations – that includes data such as home address, date of birth, IP address and more.

It also allows consumers to exercise their right to be forgotten (meaning to not have their personal data stored and used forever) and to access their data record from the entity that collects it. The regulation may have jurisdiction over any EU citizen’s data, no matter their location. As a result, the GDPR’s impact is global.

Intelligent video not exempt from GDPR

While much of the focus of the GDPR involves consumer web browsing data, other emerging fields, such as intelligent video surveillance, aren’t exempt from the rules. As new intelligent video use cases arise, organisations are required to consider data privacy in every step of development in their surveillance strategies.

Vigilance in safe data handling holds particular importance within the smart video realm – a surprising amount of PII can be stripped from a simple surveillance shot of an individual. Plus, the EU considers a simple image of a person to be PII, without even extrapolating other data from that image.

For example, intelligent cloud video can support path analysis and people detection to identify employees entering a US-based workplace and understand who they are going to see based on their route within the building. If an employee from the London office is visiting, data is still collected on her, including the people she’s with and how long she stayed at the office. In such cases, the same video data surveillance and storage system might need to comply with GDPR stipulations regarding the handling of that employee’s personal data.

Because it would be challenging for an enterprise to know when to enable these measures solely when a European citizen is around, it’s best to follow the rules at all times and provide American consumers with the same data protection privileges afforded to Europeans. Ultimately, the responsible data use rules should apply to everyone globally from a moral standpoint.

As businesses move to embrace smart video solutions, they must comply with the new stipulations put forth by the GDPR. So, how will the revolutionary regulation – intended to protect consumer data from misuse – change the way the emerging field of connected intelligent video operates? Organisations looking to foray into the strategy must be mindful of the following aspects.

How you disclose recording

GDPR mandates that consumers receive notice when their data is collected. When it comes to video, surveyors must let private citizens know when they’re on camera. Additionally, the company needs to have procedures and timelines for how to process customer requests for access to their data.

How you store the data

IoT systems are covering new ground all the time. Our knowledge of how to secure these growing systems is also evolving and improving, but organisations are right to put concern on this issue. An intelligent surveillance vendor certainly has a role in ensuring protection. This is especially true when it comes to enabling end-to-end security, making sure that the cameras are always up to date, and upholding security standards for the devices the cameras seek to connect to.

When seeking to protect consumer video footage, the company should take crucial steps such as separating devices on to secure networks, enabling intrusion detection/prevention systems on firewalls, and encrypting all video data at rest and in transit.

How long you get to use the data

The GDPR also attempts to create a standard for how long an organisation can store and use consumer data. The rule of thumb is “as long as required and as short as possible (and only to serve intended purpose)”.

An organisation should keep all data for a uniform period of time, though certain high-risk areas may be required to be kept for longer. For example, high-risk data such as financial information stored within a bank may be kept for a longer period of time than a supermarket chain maintains consumer data.

How you release the data

Through the GDPR, consumers are entitled to request their profile of information from the organisation collecting it at any time.

To meet this request, physical security teams must be ready to pull a consumer’s data in a digestible format and package it into a report, which may include a verification process on the part of the requester. All packaged data should be anonymised so that other individuals captured within the same frame as the requester do not have their data shared as well.

Intelligent video can bring many positive changes to people’s lives. Organisations seeking to incorporate smart video into their strategies have the responsibility to all consumers – not just Europeans – to follow the GDPR best practices for safe and innovative video data use.

By Andreas Pettersson

Andreas Pettersson is CEO of Arcules, a company that transforms video into powerful business intelligence by aggregating video and IoT data using AI and cloud technologies.