25th May 2018 was a groundbreaking day for data protection, as it ushered in the General Data Protection Regulation (GDPR). Prior to GDPR, the only data protection legislation in place was the old Directive 95/46/EC, which became enshrined within the 1998 Data Protection Act for the UK; both pre-dated the launch of Google, social media and smartphones. Incredibly, GDPR delivered the first major reform of data protection for over 20 years.
Technology has transformed our modern-day lives in unimaginable ways. It has also led to the proliferation of tech giants, which hoover up incredible amounts of personal data in return for ‘free’ services. Prior to GDPR, tech giants operated within a regulatory framework that was unable to hold them to account for related breaches. The penalties were tiny and did not form any sizable deterrent. However, GDPR has changed the ball game. It gives regulators the power to impose significant fines on any business or organisation operating within the EU for personal data breaches.
GDPR classifies personal data as any information related to an identified or identifiable natural person, which includes, amongst other data, appearance. GDPR also gives individuals the right to make a Subject Access Request (SAR). This is a Right of Access that allows an individual to obtain records of all of their personal information held by an organisation. Although framed as a ‘request’, to comply with GDPR organisations are under a legal obligation to supply all personal data held on that individual, including video footage. The legislation also specifies that organisations must get back to the individual with the requested information without undue delay; upon receiving a SAR, GDPR gives organisations up to one calendar month to respond.
Releasing CCTV video footage in response to a SAR has clear implications under GDPR, since appearance is classified as personal data. Although the individual who submitted the SAR needs to remain visible, others who appear in the footage must be obscured so that they cannot be identified. The easiest and most common way to do this is to use some form of face blurring software application designed to handle CCTV video files; a failure to do so can lead to significant fines.
The EU website states that GDPR applies to a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed. It also applies to any company established outside the EU that is offering goods or services, whether paid for or for free, which is monitoring the behaviour of individuals in the EU. The latter is clearly targeted at the tech giants, as they gather incredible amounts of personal data from their respective platforms in return for ‘free services’.
A failure to comply with GDPR can lead to the imposition of significant fines for related infringements. For example, the EU GDPR sets a maximum fine of €20 million or 4% of annual global turnover, whereas in the UK there is a maximum fine of £17.5 million or 4% of annual global turnover, whichever is greater. The size of these penalties highlights the need for all organisations, when responding to a SAR and releasing CCTV footage, to ensure they are using some form of GDPR-compliant face blurring software. Otherwise, they will not have the capability to obscure the identities of others who may appear in the footage – a clear breach of GDPR.
In short, yes. The GDPR was retained in domestic law as the UK GDPR, and those that breach it are potentially exposing themselves to the huge fines that may be imposed under it, which are noted above. UK GDPR runs concurrently with the amended version of the Data Protection Act (DPA) 2018; however, following Brexit the UK now has independence to keep this legislation under review.
For those looking for a low-cost, easy-to-use face blurring software application for video so that they comply with GDPR, Pixelate by Ocucon provides an ideal solution. Hosted within the Ocucon Cloud, Pixelate does all the heavy lifting by utilising state-of-the-art graphics processing units run on secure infrastructure that complies with all current and future data protection regulations. Accessed through pen-tested, private, closed-circuit connectivity to Tier 3 level data centres using end-to-end military-grade (256-bit) encryption, Pixelate gives you hassle-free, secure access to face blurring software for multiple users under the same account. This easy-to-use application allows your organisation to remain GDPR compliant at minimal cost.
Why not explore what Pixelate can do for you? Simply contact us now for a demo.