The General Data Protection Regulation (GDPR) currently stands as the toughest privacy and security law in the world today. Post Brexit there are two branches of GDPR- the EU and UK- both aiming to protect people’s rights to data privacy. Thus, any form of data collection which can help identify an individual is subject to the GDPR law, including videos and images.
Many video analytics software companies present aggregated data rather than biometric, which means GDPR does not apply to them or the businesses who use their services. The GDPR explains in Article 9, data becomes biometric, according to the Independent Commissioner’s Office (ICO), when specific technical processing of image reveals physical, psychological, or behavioural characteristics of an individual directly or indirectly.
GDPR does however apply when processing biometric data; and explicit consent is required from individuals prior to gathering such personal data: some examples of biometric data are fingerprints, voice, facial patters, iris recognition, and DNA etc. Therefore, video analytics is subject to GDPR laws in the UK and EU if facial recognition is integrated.
The ICO requires a Data Protection Impact Assessment (DPIA) to be completed by all data processors in the UK in order to determine and minimise risks relating to personal data. Some of the important responsibilities data controllers (i.e., retailers) have are: 1) they must provide a legitimate reason for gathering biometric data; 2) they must the take reasonable measures to protect the data at all stages; 3) they must not store data for longer than necessary. This also applies to the retailers who only gather aggregate data and thus are not subject to GDPR compliance.
Data subjects have the right the right to transparency. In accordance to Article 15 of the GDPR, when requested by a data subject, data controllers are obliged to present all the data held on the said individual while protecting others’ personal data.
While the EU GDPR and UK’s Data Protection Act of 2018 (or UK GDPR) sets the standards for data protection in the western world, the USA does not have a single law at the national-level for data protection. Each state has a different law and it can differ from industry to industry.
At the time of writing, a handful of UK’s MPs are urging Prime Minister Boris Johnson to review and update the data protection laws of the UK. They believe the consent mechanism is overwhelming for users and should be simplified; and that UK GDPR restrictions limit the growth of AI.
If you would like more information on GDPR complaint video analytics software, please contact: firstname.lastname@example.org.