CCTV in the GDPR era - the importance of compliance

Since its inception a few years ago, General Data Protection Regulation (GDPR) has completely overhauled how we store, share, and repurpose personally identifiable data. Now, with a growing uptake and adoption of video surveillance systems such as CCTV cameras and smart video doorbells for commercial and security purposes, greater consideration is needed for how this visual data is used in accordance with GDPR. 

We are starting to see an uptick in the amount of CCTV video surveillance systems in public spaces including local parks, commercial real estate, and shopping districts and malls. This means that video surveillance controllers need to be mindful of how they handle sensitive consumer data in line with GDPR and Data Protection Act regulations. Although video footage data is often not viewed in the same light as other personal data when it comes to GDPR, it can still be used to identify individuals in the same exact way as other identifiable datasets such as names, date of birth and contact details.

GDPR is one of the most prominent and important data privacy and protection laws in the world today, and as a result there has been a strong emphasis on protecting personal identifiable data in all forms. Interestingly, this stringent focus on quantitative data including names, contact details, addresses, and any other data forms has caused some organizations to neglect another data type which is equally as important in the eyes of GDPR regulators - visual data. 

This type of data is often collected, stored and repurposed via CCTV video monitoring systems.

In accordance with GDPR, all data forms capable of identifying specific individuals are required to be handled in a secure, transparent, ethical and lawful manner. 

A lack of compliance can leave unsuspecting organizations open to severe punishments from data protection authorities responsible for enforcing regulatory data protection laws. For example, earlier this year, German computer electronics retailer Notebooksbilliger was handed a €10.4m GDPR fine over non-compliant video monitoring of its employees. The reason for the enforcement was because under GDPR guidelines, video monitoring was done without a proper legal basis and went on for significantly longer than necessary.

Historically, CCTV surveillance has largely been used for safety and security purposes, and fundamentally as an active crime prevention tool. However, we are starting to see video surveillance being combined with emerging technology such as AI and computer vision, which enables operators to biometrically analyze visual data for commercial use. 

As a result, organizations within the retail and real estate sectors in particular are starting to realize the massive commercial benefit of smart CCTV video monitoring adoption. In essence, tracking consumer footfall and other biometric details can help enhance the customer experience in a way that enables companies to target new consumers and improve customer retention rates. 

While this is great, it also means that organizations will have greater responsibility and accountability over the sensitive visual data they are handling and need to ensure they are fully GDPR compliant. So how exactly can businesses ensure the safety and privacy of visual consumer data without falling foul of GDPR?

All next-gen video surveillance systems are required to have the necessary safeguards in place to protect consumer privacy and security in accordance with GDPR. Organizations that adopt and implement smart AI-powered CCTV surveillance are responsible for ensuring the explicit and transparent use of such powerful and invasive tools in the interest of GDPR compliance. 

Moreover, highly intelligent video surveillance solutions that process sensitive datasets are deemed high-risk and organizations handling this data are required to carry out data protection audits and impact assessments before setting up such high-powered AI video monitoring systems. Such a requirement is certainly obligatory under GDPR guidelines, which also obliges users to carry out this assessment frequently throughout periods of use.

Fundamentally, AI-based video surveillance solutions need to contain privacy-by-design safeguards that provide that much-needed protection for the data subjects as well as having regular external GDPR compliance audits to prove their solutions withhold the standard of operation set out by the European data protection regulatory body. This is due to the nature in which these video solutions that utilize AI computer vision collect and store sensitive biometric information from subjects that can be used to identify them and infringe on their privacy and security.

To remain GDPR compliant, organizations need to adopt video surveillance solutions that are able to strictly collect and process anonymized visual data along with simple forms of metadata. As a result, this stops any sensitive consumer information that comes from the visual data that is collected from being identified. 

Organizations need to balance the need for consumer data for commercial gains with the careful and legal processing of personal data. This means ensuring that individuals cannot be tracked from camera to camera yet can be viewed and analyzed in a single camera field of view as long as the person cannot be identified. 

Furthermore, companies can also benefit from safely accessing key data that they need to gain invaluable insights about accessibility of spaces, safety issues and consumer behavior with regards to demographics and buyer habits.

Companies place high value on being able to track a customer’s journey and then using this intel to provide new or improved customer experiences. The most effective way to achieve this is by tracking and analyzing personally identifiable consumer data, yet this would already infringe on GDPR. 

What is often overlooked is that GDPR compliance doesn’t have to mean ‘blindness’ on camera-based video analytics - it is already a powerful tool within the boundaries of GDPR and without infringing on people’s privacy or security.  

For organizations looking to leverage the power of next-gen AI video monitoring solutions to gain great customer insights, they will have to do so in a GDPR compliant manner. Ever since its inception a few years ago, GDPR changed the way businesses collect and repurpose personal data as they are now expected to comply with its strict guidelines designed to provide consumers with high levels of privacy and data protection. 

This means operating with full transparency, minimizing data collection, and ensuring the safe and secure storage of anonymized data, while also conducting regular adequate GDPR impact assessments and audits.

Karen K Burns, CEO & Co-Founder,Fyma

Karen Burns is the CEO & Co-Founder of Fyma, a a computer vision company that takes in real time camera feed and turns them into actionable data insights in real-time.