By Karen K Burns, CEO & Co-Founder, Fyma
The General Data Protection Regulation (GDPR) has completely overhauled how companies collect, store, and share personal data that can directly or indirectly identify individuals. For a long time now there has been much caution and interest invested in how tech companies can best ensure the safe and secure use of consumer data in line with GDPR regulations. However, not much consideration has been placed on the use of CCTV visual data in the same way.
We are now experiencing a growing uptake and adoption in smart video monitoring in public spaces such as shopping malls, commercial real estate, local parks, and public spaces. This means that both service providers and their customers need to think carefully about how they handle such sensitive consumer data in line with GDPR and Data Protection Agency regulations. Although video footage data is often not viewed in the same light as other personal data when it comes GDPR, it can still be processed for analysis in a way that can identify individuals and therefore should not be taking a backseat to other forms of identifiable datasets such as names, D.O.B, and contact details when it comes to GDPR compliance.
All forms of personal data are subject to GDPR
Ever since its inception back in 2018, GDPR has become one of the most important data protection laws in this digital age. As a result, there has been a strong focus on protecting personal data in the form of names, contact details, D.O.B, addresses, and any other data criteria that can be used to identify someone. At the same time, this strict focus on one type of data – quantitative, has caused some organisations to neglect another data type which is equally as important in the eyes of GDPR regulators – visual data. This type of data is often collected, stored and repurposed via CCTV video monitoring systems.
GDPR requires all data forms capable of identifying an individual to be handled in a lawful, transparent, and ethical way in accordance with its stipulations. Failure to do so will leave organisations open to hefty penalty fines. Early this year, German computer electronics retailer Notebooksbilliger was handed a €10.4 million GDPR fine over non-compliant video monitoring of its employees. Reason for this penalisation was that under GDPR guidelines, video monitoring was done without a proper legal basis and went on for significantly longer than necessary.
The use of CCTV monitoring has generally been for security and safety purposes, but it is now used in combination with emerging tech such as AI and machine learning which enable biometric analysis of the visual data captured for commercial use. This is why we are starting to see the growing adoption of smart CCTV video monitoring amongst organisations in retail and real estate for commercial purposes. Tracking consumer footfall and other biometric details to improve customer experience are just some of the many ways in which companies are targeting new consumers. This means that these organisations will now need to be even more mindful of handling sensitive visual data in a manner that is GDPR compliant. So how exactly can businesses ensure the safety and privacy of visual consumer data without falling foul of GDPR?
Remaining GDPR compliant with smart video monitoring
Smart CCTV monitoring systems must have the necessary safeguards in place to ensure GDPR compliance. Respecting consumer personal privacy should be at the forefront of their core tenets.
Firstly, businesses that adopt and implement smart AI-based CCTV monitoring need to ensure the explicit and transparent use of such tools in the interest of GDPR compliance. Further to this, given the video monitoring systems they are using are deemed high risk data processing tools, organisations will be required to carry out data protection audits and impact assessments before setting up such high-powered AI video monitoring systems. Such a requirement is certainly obligatory under GDPR guidelines which also obliges users to carry out this assessment frequently throughout periods of use.
Crucially, companies need to adopt intelligent AI-based camera systems that contain privacy-by-design safeguards as well as having regular external GDPR compliance audits to prove their solutions withhold the standard of operation set out by the European data protection regulatory body. Reason for this is that computer vision powered-AI solutions are capable of collecting and storing sensitive biometric information from subjects that can be used to identify them and infringe on their privacy and security.
By adopting a solution that only collects and processes simple metadata along with anonymising other visual data, businesses will be able to protect any sensitive consumer information that comes from the visual data that is collected, and stops them being identified. This will therefore help organisations remain GDPR compliant. Take for instance the U.K who basically shifted the GDPR into its legislation without much amendment hence why compliance is a must still, even after Brexit. The line between what is the legal basis for processing personal data and an operational necessity is thin: compliance means individuals cannot be tracked from camera to camera, yet can be viewed and analysed in a single camera field of view as long as their person cannot be identified. Furthermore, companies can also benefit from safely accessing the key data that they need to gain invaluable insights about accessibility of spaces, safety issues and consumer behaviour with regards to demographics and buyer habits.
Many organisations yearn for personally identifiable data to track a person during their entire customer journeys, yet that would already infringe on GDPR. What is often overlooked is that GDPR compliance doesn’t have to mean ‘blindness’ on camera-based video analytics – it is already a powerful tool within the boundaries of GDPR and without infringing on people’s privacy or security.
For any company looking to leverage the personal data of consumers they will have to do so in a GDPR compliant manner, this includes organisations adopting and utilising next generation AI video monitoring solutions. Ever since its inception a few years ago, GDPR changed the way businesses collect and repurpose personal data as they are now expected to comply with its strict set guidelines designed to provide consumers with high levels of privacy and data protection. This means operating with full transparency, minimising data collection, and ensuring the safe and secure storage of anonymised data whilst also conducting regular adequate GDPR impact assessments and audits.