GDPR Video Surveillance

Issue link: https://resources.genetec.com/i/894178


Whitepaper / What the GDPR means for video surveillance

2.2.4 Right to data portability

Individuals can ask to receive their data and port it to a new data controller. Data controllers must provide the data in a commonly-used, machine-readable format. Individuals can also ask for their data to be transferred directly to a new data controller.

2.2.5 Breach notification

The GDPR imposes a mandatory data breach reporting rule on data controllers. Breaches must be reported to EU DPAs within 72 hours after the data controller first becomes aware of the breach. Data processors will also be required to notify data controllers—who are their customers—about data breaches "without undue delay".

In addition, if a data controller has determined that a data breach is likely to pose a high risk to the rights and freedoms of individuals, the data controller is required to also notify affected individuals "without undue delay". However, the GDPR contains an exception to this requirement to notify affected individuals, and it applies to data controllers that make their data unintelligible to unauthorized persons through the implementation of appropriate technical and organizational protection measures, including encryption and anonymization.

2.3. Accountability and appointment of DPOs

Currently, data controllers must register with their local DPA. While this requirement will disappear, the GDPR imposes new record-keeping requirements on data controllers and processors. Data controllers will also be obliged to conduct a Data Protection Impact Assessment (DPIA) and consult the DPA in cases where processing is high risk.

Organizations will also have to appoint a DPO in cases of high-risk data processing, including video surveillance applications involving the systematic monitoring of a public area on a large scale—for example, in the case of city-wide or campus-wide surveillance systems.

2.4 Privacy by design

Under the GDPR, privacy must be by design instead of 'in addition'. The privacy by design obligation in the GDPR requires an approach to systems engineering in which data protection principles, such as encryption and the anonymization of video footage, for example, are included from the outset in any system design.

In addition, data controllers will also be responsible for ensuring that, by default, the minimum amount of data is collected. Video surveillance systems that record constantly and store images indefinitely will be in breach of this provision; as a result, data controllers
