The GDPR and Privacy: What Security Leaders Need to Know
If You Think the GDPR Doesn’t Affect You, Think Again
The European Union’s new General Data Protection Regulation (GDPR) came into effect in May of this year. While many in North America believe that, since they are not located within the European Union, the regulation does not apply to their operations, the territorial scope of the GDPR is well and truly global. Many of these companies are unaware that the GDPR is applicable to any organization conducting business within the EU, including those simply collecting data there. Any business that is collecting or storing Personally Identifiable Information (PII) of EU citizens, including surveillance video and license plate recognition data, can now be held accountable, regardless of where the organization is based. This includes any business with offices, stores, warehouses, websites or employees in the EU.
Should a security breach occur, companies are mandated to report it within 72 hours. Failure to comply with these new regulations could result in fines of up to U.S. $25 million (EUR 20 million) or 4% of the company’s global annual turnover, whichever is higher. In spite of the threat of heavy fines, a surprising number of North American companies are either uncertain about or unprepared for the GDPR. Just a month before the GDPR was due to come into effect, CompTIA, a leading technology association, surveyed 400 U.S. companies and found that 52% were either still exploring how the GDPR applies to their businesses, had decided that it does not relate to their businesses, or were unsure. In fact, only 13% of the companies said they were fully compliant.
Maintaining Privacy in Video Surveillance
In order to comply with the GDPR and safeguard the right to privacy, companies have to implement controls that allow them to protect individual privacy in video streams both as they are being captured and then once they are shared or stored. There are a variety of methods of protecting privacy in video surveillance, including permanent masking, redaction and dynamic anonymization.
The most basic method is permanent masking, which permanently anonymizes individuals in video footage. Because the permanent masking process cannot be reversed, this method is not ideal in situations where a person’s identity might be relevant for future investigations.
Redaction, which is usually done after the fact, involves hiding the identity of selected people in video footage. This is typically done in instances where an organization is sharing video with law enforcement. But it does not protect individual privacy in live streams.
The most effective method of live anonymization, especially for organizations conducting video surveillance of public spaces, is dynamic anonymization. Using this approach, a video management system (VMS) monitors actions and movements and automatically anonymizes individuals in live and recorded streams. Authorized personnel can then unmask the video in the event of an investigation. In this way, dynamic anonymization both protects individual privacy and supports organizations in their efforts to keep people safe.
Privacy by Design
To help organizations build a solid foundation for continued compliance over the long term, the GDPR stipulates that, in order to meet its requirements, organizations cannot simply deploy add-on options. They must use solutions that implement privacy by design. This means that organizations are going to have to work with vendors who, in addition to understanding the importance of keeping systems and networks secure, focus on providing the tools and features that can continue to make this possible.
Specifically, solutions that implement privacy by design allow companies to leverage the latest technologies to encrypt their data – both in motion and at rest – keeping it hidden from prying eyes. They also allow for a high level of identity assurance by authenticating user access in order to make sure that everyone – app, user, server – is who they claim to be.
At the same time, organizations are going to have to ensure that they control access to personal data. With proper authorization protocols, they can ensure that people or other entities who gain access to the system only have access to the information they are supposed to see. Authorization gives organizations control and flexibility over what people can see and do once authenticated to the system. This can be achieved using partitions (what they can see) and privileges (what they can do). This is particularly important as companies grow in size and reach and as they share data with stakeholders outside their organizations. A company must allow enough access to ensure that people can do their jobs effectively without putting anyone’s PII at risk.
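The partition-and-privilege model, combined with the unmasking by authorized personnel described under dynamic anonymization, can be sketched as a deny-by-default check. This is an added example, not code from any VMS product. The class names, the action names, the required unmask reason and the audit log are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class User:
    name: str
    partitions: frozenset   # what the user can see
    privileges: frozenset   # what the user can do

@dataclass
class Vms:
    camera_partition: dict                      # camera id -> partition name
    audit: list = field(default_factory=list)   # append-only decision log

    def authorize(self, user, action, camera, reason=""):
        """Deny by default: partition AND privilege must both match."""
        partition = self.camera_partition.get(camera)   # unknown camera -> None
        allowed = (partition is not None
                   and partition in user.partitions
                   and action in user.privileges)
        # Unmasking reveals identities, so it also requires a stated reason.
        if action == "unmask" and not reason.strip():
            allowed = False
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "user": user.name, "action": action,
                           "camera": camera, "reason": reason,
                           "allowed": allowed})
        return allowed

    def open_stream(self, user, camera, unmask=False, reason=""):
        """Return 'denied', 'masked' or 'unmasked' for the requested stream."""
        if not self.authorize(user, "view", camera):
            return "denied"
        if unmask and self.authorize(user, "unmask", camera, reason):
            return "unmasked"
        return "masked"   # anonymized output is the default for every viewer

# Constructed sample data (hypothetical names, not from any real VMS).
CAMERAS = {"lobby-cam-1": "HQ", "dock-cam-3": "Warehouse"}
OPERATOR = User("operator", frozenset({"HQ"}), frozenset({"view"}))
INVESTIGATOR = User("investigator", frozenset({"HQ"}),
                    frozenset({"view", "unmask"}))

if __name__ == "__main__":
    vms = Vms(dict(CAMERAS))
    print(vms.open_stream(OPERATOR, "lobby-cam-1", unmask=True, reason="curious"))
    print(vms.open_stream(INVESTIGATOR, "lobby-cam-1", unmask=True,
                          reason="incident review"))
    print(vms.open_stream(INVESTIGATOR, "dock-cam-3"))
    for entry in vms.audit:
        print(entry)
```

Every decision, including refusals, lands in the audit list, so a reviewer can see who asked to unmask which camera and why.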
With the potential for heavy penalties looming, North American organizations, from big multi-national retail chains to small and medium-sized businesses, are seeking strategies that will keep them compliant across all their data collection processes. If you are in the process of putting in place a GDPR-compliance strategy, be sure to work with trusted technology partners that can provide valuable insight into the extent of your GDPR obligations and can advise you on how best to design and develop your video systems to meet compliance requirements. Seek out certified and sanctioned organizations, such as the European Privacy Seal group “EuroPriSe,” a professional organization whose purpose is to ensure companies meet the “GDPR-ready” privacy compliance standards – fostering certified trust and reliability.
And while it might be tempting to think that only European and multinational organizations need be concerned about privacy regulations in order to become GDPR-compliant, the reality is that it is our collective responsibility, as manufacturers, end users and systems integrators, to continually think about the best ways to balance privacy and security today and in the future.