How public CCTV operators can avoid eye-watering fines under the GDPR [including video]

The General Data Protection Regulation (GDPR) comes into force across the EU – including the UK – from 25 May 2018.

With fines for non-compliance potentially being a staggering 79 times greater than under the existing data protection regime, the stakes for organisations in a range of sectors are enormous.

As security practitioners are well aware, a CCTV image featuring people counts as personal data just like a date of birth or someone’s marriage status or political views.

Jean-Philippe Deby, business development director for Europe at Genetec, very kindly shared his thoughts on the implications for CCTV operators and the wider security industry with IFSEC Global.

The conversation touched upon the importance of CCTV gap analyses, managing authorisations and privacy by design, as well as how the GDPR could accelerate adoption rates in the surveillance-as-a-service market.

(How physical access systems will be affected by GDPR was also topic under discussion during IFSEC 2017.)

IFSEC Global: What are the implications of the forthcoming GDPR on how organisations manage their CCTV systems?

Jean-Philippe Deby: I’ve heard that the UK was very vocal and implemented this regulation prior to Brexit. So even post-Brexit, from what I understand, the UK will still apply the regulation.

Effectively, as this is a regulation and not a directive, all EU countries have agreed to apply it. A fundamental notion of the European Privacy Regulation is that you need to get explicit consent when you acquire people’s data.

On top of the way they collect information, there’s now the notion of responsibility or accountability on how organisations hold this data. The regulation is telling them “this is what you know you can or can’t do”.

If they are irresponsible they will be fined. If they are hacked and data is compromised, they have 72 hours to disclose it to the public authorities – otherwise they will also be fined.

“Because of the lack of consent and the mass accumulation of data, public CCTV basically falls under the category of high-risk data”

As we speak, organisations as well as the industry as a whole, are reviewing the regulation to determine the steps that need to be taken in order to meet their obligations.

How CCTV comes into play is especially interesting for public CCTV.

As we know, it’s impossible to get the explicit consent of people being filmed. You can obviously announce that you have CCTV in the train station or store, which is how it’s done today, but the specific person being filmed can’t say “hey, I don’t want you to record my images.”

As part of the regulation there’s actually a notion that certain data constitutes a higher risk to a person’s rights, where organisations need to make a data protection impact assessment test. Because of the lack of consent and the mass accumulation of data, public CCTV basically falls under high-risk data.

GDPR Article 35 is where they mention the activities that make data high risk and the steps which an organisation needs to take.

IG: What are the implications of being classified as high risk for CCTV operators?

JPD: As I mentioned earlier, it’s a learning curve. There are so many different types of data that a lot of people are trying to understand how it’s going to impact their organisations, but basically there are two things that come up.

For high risk-data they will need what is called a DPO, a data protection officer, who will report directly to the CEO. It will be interesting to see how it impacts small and medium-sized businesses.

The other big thing that comes out is that, de facto, they need to build a system which implements what is called ‘privacy by design’. For example, encryption is a recommended method of increasing privacy around the information that has been collected.

Another area of focus should be the access to the information itself. Breaches don’t necessarily come from hackers; they can be internal, either intentional or unintentional.

So managing the process of identifying who is connecting to your system and who has access to the system is also key to privacy.

Who do you authorise, for example, to view live images or live recordings?

IG: The fines sanctioned by the GDPR are pretty steep…

JPD: It’s either a €20m fine or 4% of worldwide annual revenue – whichever is higher.

Many companies with retail branches have billions of dollars’ worth of revenue. I’ve been talking recently to a company that has about $11bn in sales – they could be fined $420m.

“Until now the argument for SaaS was around operational savings. With the GDPR it’s really around helping people meet their compliance obligations”

There is a process in place which means companies will first be warned before being fined, but really, it’s about good governance. Compare the cost of a breach or a company’s reputation versus the cost of implementing a properly designed and executed solution.

But I do believe that the EU will apply fines around data protection as they already apply large fines for other subjects. , Google was recently fined more than €2.7bn.

If an organisation isn’t careful about the way they handle data, I believe the EU will apply the full force of the regulation.

IG: It’s not hard to imagine court cases where organisations dispute accusations that their cyber-defences were not robust enough…

JPD: That’s true, but the onus will then be on the organisation to demonstrate the steps they have taken. Ultimately, it’s all about responsibility.

Under the GDPR, an organisation collecting personal information is the data controller and is responsible for handling the data.

The GDPR also introduces another player called a data processor. These companies can help data controllers in managing the collection of information by providing adequate infrastructure or services.

This is why companies like Microsoft are quite engaged with their cloud offering, because the data processor is almost synonymous with software as a service [SaaS].

Genetec has a solution called Stratocast, which is surveillance as a service. Small businesses can rely on our solution to encrypt their recorded CCTV, for example.

It monitors their systems 24 hours a day to detect hacks or any unusual activity via our utilisation of Microsoft Azure. It is really to help any businesses where video surveillance is not their core business and they either don’t want, or don’t have the resources to dedicate one of their employees to monitor the state of their CCTV systems.

IG: So the GDPR could really be a spur for the software as a service market?

JPD: Absolutely. Until now the argument was around operational savings. Here it’s really around helping people meet their compliance obligations on top of helping them with their operation. It’s an even stronger argument as to why they should be looking into those solutions.

IG: How does Genetec see its role in preparing the industry for the GDPR?

JPD: The GDPR is an incredible framework for something we’ve been pushing now for a few years: the security of security.

You cannot have trust without security. Cameras have become IoT devices that connect to IP networks like PCs or other IP devices. So we’re making sure tools and processes are available for customers to build the security policy they want to put in place, like encrypting information.

“A CCTV gap analysis is especially important for end users filming public areas. They are exposing themselves to high risk”

With certain partners – like Bosch for example – we even have the ability to encrypt from the camera. So it’s all about protecting access to data. It’s also about protecting the integrity of that data.

And with the GDPR we have the European Commission and the British Government putting in a legal framework, with financial penalties, that ties in very well with what we’ve already been pushing.

IG: Any tips for how businesses can strengthen their systems before the GDPR comes into force?

JPD: I think it’s important for companies to do gap analyses of their systems – not just CCTV but also how they are collecting information on their website, their CRMs and so forth. A CCTV gap analysis is especially important for end users who are filming public areas. They are exposing themselves to high risk.

But depending on what they have in place and who they talk to, they don’t necessarily have to do a full upgrade of their systems. There are ways to simply strengthen systems, but this is where one vendor will differentiate from the other.

Another thing is there’s a lot of ‘requests for proposals’ and ‘requests for information’ happening as we speak. If you were about to invest a large sum of money to upgrade your analogue system to IP, for example, all the people who are going to participate in your project – starting with the consultant, but also integrators and manufacturers – should explain their take around cyber security. This is part of our security of security message.

Again, if your system is monitoring public areas, there should be a chapter within your RFP to have a well explained position and solution to meet your compliance.

Even outside GDPR, it is good practice in any case to ensure you utilise the tools available.