HOW TO DESIGN A GDPR COMPLIANT VIDEO SURVEILLANCE SYSTEM?

The European Data Protection Authorities' Guidelines No. 3/2019 on the "Processing of Personal Data through Video Devices" address how the principles of privacy by design and by default apply to a video surveillance system. EU Regulation 679/2016 does not define "video surveillance"; a technical description is found in CEI EN 62676-1-1, to which the recent Guidelines 3/2019 adopted by the European Data Protection Board refer. The IEC EN 62676-1-1 standard identifies three typical functional blocks of a video surveillance system and defines their minimum performance requirements: the video environment, the system management function, and the system security function, which oversees data and system integrity.

According to the European authorities, a video surveillance system must be designed, before being put into operation, in line with Article 25 of the Regulation, so that adequate technical and organizational data protection measures are built in.

The data controller must adequately protect all components of the video surveillance system, and the data, during every processing stage: storage, transmission, and use.

On the subject of organizational measures, in addition to the possible need for a data protection impact assessment, when developing their video surveillance policies and procedures, data controllers will need to define:

– Who is responsible for the management and operation of the video surveillance system;

– The purpose and scope of the video surveillance project;

– The permitted and prohibited uses;

– The brief and complete disclosures to be made to interested parties about to enter a video surveillance area;

– The duration of video recordings;

– The methods of storing video recordings;

– Training for operators assigned to use the video surveillance system;

– How video recordings can be accessed, specifying in which cases it is allowed;

– Procedures in the event of a data breach;

– Procedures to be followed in case of third party access requests to images;

– Procedures for video surveillance system maintenance.

On technical security, the guidelines refer to the physical security of all system components and to the integrity of the system, i.e., its protection and resilience against intentional and unintentional interference with its routine operation and with access control. In addition, confidentiality, integrity, and availability must be ensured.

The measures to be taken are essentially the same as those used for other IT systems and may include:

  • Protection of the entire CCTV system infrastructure against physical tampering and theft;
  • Protection of transmission channels;
  • Data encryption;
  • The implementation of firewalls, antivirus or intrusion detection systems against cyber attacks;
  • Fault detection of software components and interconnections;
  • The use of tools to restore availability and access to personal data in case of physical or technical problems.

Proper implementation of organizational and technical measures requires an internal policy governing the use of the video surveillance system. This document enables the data controller to demonstrate, in line with the accountability principle, that it has implemented appropriate technical and organizational measures.

Source: Federprivacy – Articoli, by Marco Soffientini, Data Protection Officer at Federprivacy.