Implementing GDPR-compliant video security equipment without difficulty – which functions are necessary?
The subject of GDPR is currently under intense scrutiny, and particularly regarding the use of video technology there is still much confusion about which requirements companies must satisfy. Uncertainty also reigns about which system functions are need to be able to configure video security systems simply so that they conform to GDPR requirements.
Many end users are now realising that the new European General Data Protection Regulation (GDPR) does not itself contain any specific provisions for regulating video surveillance, and for this reason each company has its own idea of what constitutes GDPR-compliant implementation. It must also be assumed that, besides the continued absence of legal decisions and therewith a specific interpretation, differences with regard to video security may be expected in practice even within a given company – due to inconsistent decisions by the works councils, for example. Given this situation, greater significance is now also attached to data security in addition to data protection, since the purpose of data security is to protect data that has been collected from being lost or manipulated. Consequently, the following applies: No data protection without data security, and companies must comply with the GDPR in terms of both aspects. Many businesses then face the question as to which components are essential in order to be able to satisfy the requirements in specific terms. Manufacturers are offering various approaches, the data protection and data security module by Dallmeier for example offers 14 different components.
Data protection – protection of the rights of data subjects
For purposes of data protection, the question revolves around how to implement appropriate technical and organisational measures as stipulated in GDPR Art. 25 in order to safeguard the principles of data protection and the rights of the data subjects. The module from Dallmeier contains four main components designed to address this question:
- Pixellation of entire individuals with “People Masking“, which can be undone if necessary.
- Setup of “Private Zones“ in the capture image, to make public areas invisible, for example. This concealment cannot be undone either live or in the recording.
- Specification of the storage period for each individual camera and recording track to guarantee deletion upon fulfilment of purpose.
- Rendering areas that are insignificant for legal data protection purposes visible with detailed, virtual 3D-simulation as early as the project planning stage. In this way, it may be determined where the image quality does not allow individual identification and so no personal data is produced. On the other hand, functions such as People Masking can be planned in targeted manner in advance for areas that do have data protection implications.
Data security – protection of the personal data itself
With regard to data security, Art. 32 of the GDPR stipulates that appropriate technical and organisational measures must be taken to ensure a level of security appropriate to the risk. In order to protect confidential and personal data from manipulation, loss or unauthorised access, the Dallmeier module offers the following functions:
- The optional “dual control principle“ which requires the entry of two passwords for access to the recordings.
- User group management with AD/LDAP to control access rights.
- A secure network authentication procedure according to IEEE 802.1X for protecting the network against unauthorized access.
- End-to-end encryption with TLS 1.2 / 256 bit AES for protecting both the data and the video transmission between current Dallmeier systems.
- Specification of the recording time for each user group. Images that are older than the set period cannot be analyzed.
- Reliable detection and prevention of attempts to connect in the course of hacker attacks. If repeated attempts to connect are detected from an unknown IP address, the address is blocked automatically for an extended period.
- The capability to use recording appliances as the security gateway to the video system. In this way, the video network and the production network are separated from each other. This prevents unauthorized access, e.g., via outdoor cameras and reduces the network load.
- Development of all hardware, software and firmware solutions in-house, thereby preventing any hidden access potential via backdoors, and hardened operating systems.
- Failover and redundancy mechanisms against data loss.
- LGC certification for preservation of evidence which satisfies all criteria governing admissibility as evidence in a court of law.
Caution with GDPR-“conforming“ data protection certificates
In general, the EU encourages the introduction of certifications and data protection seals specifically for the area of data protection, since they increase transparency and are intended to make it easier for companies to prove their compliance with the GDPR. However, there are a number of important points to bear in mind on this subject: Firstly, despite the two-year transition period, it was not possible to prepare any valid certifications confirming conformance with the requirements of the GDPR before 25 May 2018. Secondly, no certifications are possible for products or services themselves, only for data processing processes. Thus for example, it is not possible for a surveillance camera to be “GDPR-compliant”. With regard to certificates and data protection seals, it must be born in mind that both the certifying office itself and the test procedures it offers must be officially accredited according to the GDPR for a data processing procedure. If not, these certificates have absolutely no legal effect regarding the GDPR. A “genuine” accredited certificate may be recognised for example by the corresponding logo of an official national accreditation body – in German for example this is the Deutsche Akkreditierungsstelle, abbreviated to DAkks. Accreditation offices “test“ the testers, that is to say the offices which issue a certification or a data protection seal. Therefore, companies should make very sure that certificates and data protection seals are compliant with the GDPR and not waste money on “show certificates“.
Conclusion: Good preparation is the best strategy
Many inches of print and articles have been written about data protection law since 25 May 2018. But its ultimate interpretation in practical application has by no means been decided definitively, and it will continue to be vigorously debated and defined by the national and European data protection supervisory authorities well after the end of 2018 – including a definitive ruling by the European Court on disputed points.
Accordingly, the best way for companies to proceed with regard to video security: Instead of relying on isolated, possibly “ornamentally certificated“ parts of a video security solution, it is more prudent to acquire the necessary equipment and procedures relating to data protection and data security in the overall field of video data processing so that business can respond as agilely as possible to the expected requirements.