Functions and tips for implementing GDPR/EU video surveillance technology
The European General Data Protection Regulation (GDPR) does not contain specific regulations applicable to video security systems. Jorgen Seiler, manager of davidiT, Dallmeier's consulting subsidiary, clarifies doubts in this regard.
The application of the GDPR in terms of the use of video technology still generates a lot of uncertainty about what requirements companies have to comply with. There is also uncertainty about what system functions are required to be able to easily configure video security systems in accordance with this regulation.
Many end users now note that the new European GDPR does not contain specific regulations applicable to video surveillance systems; therefore, implementation in accordance with the GDPR is different for each company. It is also to be expected that, in addition to the case law that develops it, that is, its real interpretation in practice, specific differences in video security will appear in each company, for example due to various decisions of the works councils.
Together with data protection, greater importance is also placed on data security, as the data must be protected from loss or tampering. Consequently, there is no data protection without data security, and companies have to comply with the GDPR in both areas.
For many companies, the question now arises as to what components are needed to meet the requirements. Manufacturers are proposing different approaches; specifically, Dallmeier's data protection and security module offers fourteen different components.
Data protection – protection of the rights of the data subject: as required by Article 25 of the GDPR, appropriate technical and organisational measures must be taken to safeguard the principles of data protection and the rights of data subjects.
The Dallmeier module contains four essential components to achieve this. The graphic shows how the individual functions of the data protection and security module of this manufacturer are implemented during the video data processing process.
- Pixelation of people using People Masking, which can be cancelled if necessary.
- Definition of 'privacy zones' in the captured image to, for example, hide public areas. This concealment cannot be disabled, neither live nor in the recording.
- Setting the recording duration for each camera or recording track, ensuring deletion once the purpose has been achieved.
- Visualization of areas irrelevant to data protection through detailed 3D virtual simulation during project planning. On the one hand, this makes it possible to find out where the image quality does not allow people to be recognized and, therefore, no personal data is generated. On the other hand, functions such as People Masking can be planned in advance and tailored to the areas that are relevant to data protection.
Data security – protection of one's own personal data: the GDPR states in Article 32 that appropriate technical and organisational measures must be in place to ensure a level of security appropriate to the risk. To protect sensitive or personal data from tampering, loss or unauthorized access, the Dallmeier module offers the following functions:
- Optionally, the 'four eyes principle', which requires two passwords when accessing recordings.
- Management of user groups via AD/LDAP for control of access rights.
- A secure authentication procedure, according to IEEE 802.1X, to protect the network from unauthorized access.
- End-to-end encryption with TLS 1.2 / 256-bit AES to protect the transmission of both data and video between current Dallmeier systems.
- Definition of the recording period for each user group; images prior to this period cannot be consulted.
- Reliable detection and prevention of connection attempts due to cyberattacks. If repeated connection attempts from an unknown IP address are detected, the address is automatically blocked for some time.
- Possibility of using recording appliances as a security gateway for the video system. In this way, the video network and the production network are separated, which prevents unauthorized access, for example through cameras located outside, and reduces the load on the network.
- In-house development of all hardware, software and firmware solutions and, with it, the impossibility of concealed access through backdoors, as well as hardened operating systems.
- Failover and redundancy mechanisms against data loss.
- LGC certification for preservation of evidence that meets all the criteria for admissibility in court.
Beware of GDPR-compliant data protection certificates
In principle, the EU encourages the introduction of data protection certifications or data protection seals, as these should increase transparency and make it easier for companies to prove compliance with the GDPR.
However, there are some important points to keep in mind in this area. On the one hand, despite the two-year transition period, no valid certifications ensuring compliance with GDPR requirements are produced before 25 May 2019. On the other hand, certifications are not possible for specific products or services, but only for data processing processes.
In short, there can be no such thing as, for example, a 'GDPR-compliant' surveillance camera. In addition, with regard to data protection certificates and seals, it is important that both the certification body itself and the evaluation procedure it offers for a data processing process be officially accredited under the GDPR. Otherwise, these certificates have no legal effect in relation to the GDPR.
A 'real' accredited certificate can be recognized, for example, by the corresponding logo of an official national accreditation body, such as the Deutsche Akkreditierungsstelle (DAkkS) in Germany. Accreditation bodies 'vet' those bodies that, in turn, grant a certification or a data protection seal. That is why companies should attach importance to official accreditation of GDPR-compliant data protection certificates and seals and not spend money unnecessarily on 'dummy' certificates.
Since 25 May 2018, there have been many paragraphs and articles on paper about data protection law, but their final interpretation in practical implementation is not yet at all clear and will be intensively discussed and defined by national and European data protection supervisory authorities, including a final assessment by the European Court of Justice on the disputed points.
That is why the best path for companies when it comes to video security is not to rely on individual parts of a video security solution, possibly with 'dummy' certificates, but to have available, throughout the entire video data processing process, those technologies and procedures relevant to data protection and data security that are necessary in order to react flexibly to foreseeable requirements.
Jorgen Seiler
Manager of davidiT, consulting subsidiary of Dallmeier