Data Protection Impact Assessment – Part 11 of 13

Video surveillance has become a common tool for businesses, organizations, and government bodies to monitor and protect their premises, employees, and citizens. However, with the increasing use of video surveillance, it is important to ensure that personal data is processed and protected in accordance with data protection laws, particularly the General Data Protection Regulation which came into effect in May 2018 (“GDPR”).

One way to ensure this is through conducting a Data Protection Impact Assessment (“DPIA”). DPIAs are a crucial component of the GDPR. The GDPR requires organizations to carry out DPIAs in certain circumstances, to ensure that personal data is processed in a manner that is compliant with the regulation. In this blog post, we will look at what a DPIA is, when they are required, how they help organizations to comply with the GDPR, and will share a brief step-by-step guide to a DPIA for video surveillance activities.

A DPIA is a process of evaluating the potential privacy risks of a project or activity that involves the processing of personal data, and it is regulated under Article 35 of the GDPR. The aim of a DPIA is to identify and mitigate potential privacy risks, and to ensure that personal data is processed in a manner that is consistent with the GDPR’s requirements. DPIAs are a proactive tool that organizations can use to assess the privacy implications of their activities and identify potential privacy risks. It is particularly important for video surveillance activities, as they typically process large amounts of personal data and can have significant privacy implications.

💡 Intenseye integrates with the cameras that already exist in your facility, does not perform 24/7 uninterrupted data processing, and does not record its customers’ camera footage continuously.

Article 35 of the GDPR requires organizations to carry out DPIAs in certain circumstances, such as when processing is likely to result in high privacy risks to individuals, or when processing large amounts of personal data. DPIAs are also required when using new technologies, or when using personal data for new purposes. Given the requirements of Article 35 of the GDPR, it seems reasonable to assume that many video surveillance cases will require a DPIA. Where this is necessary, DPIA may rely on the previously mentioned assessment of legitimate interests.

💡 We believe that the Intenseye solution will provide great added value in terms of occupational health and safety when a data protection impact analysis is made. In a production facility, while the cameras are recording 24/7, it is almost impossible for an occupational health and safety specialist to monitor these recordings continuously, and for the occupational health and safety specialists who follow every move of the employees to be instantly and constantly present in the facilities. With the artificial intelligence-supported solution it offers, Intenseye eliminates these deficiencies in a way that would not be possible otherwise, and contributes to zero workplace accidents in production facilities.

DPIAs help organizations to comply with the GDPR by ensuring that personal data is processed in a manner that is consistent with the regulation. By carrying out a DPIA, organizations can identify and mitigate potential privacy risks, and ensure that their activities are compliant with the GDPR. This not only protects the rights of individuals, but also helps organizations to avoid costly penalties for non-compliance.

The process of carrying out a DPIA typically involves several steps, including identifying the data that will be processed, evaluating the potential privacy risks of the processing, and identifying measures to mitigate these risks. Organizations must also consult with relevant stakeholders, such as data protection authorities, and consider the views of individuals who may be affected by the processing.

Here is a step-by-step guide to a Data Protection Impact Assessment process for video surveillance activities:

1. Identify a need for DPIA: The first step in conducting a DPIA is to determine whether it is necessary. This will typically involve an assessment of the scope and purpose of the video surveillance activities, the type of data being processed, and the potential privacy risks associated with the processing.
2. Describe the personal data processing: The next step is to describe the processing of personal data. This includes the type of data being processed, the source of the data, the purpose of the processing, and the categories of data subjects.
3. Consider consulting: It is important to consider consulting with relevant stakeholders, such as employees, data protection authorities, and privacy advocacy groups, to obtain their views on the privacy risks associated with the video surveillance activities.
4. Assess necessity and proportionality: The DPIA should assess whether the video surveillance activities are necessary and proportional to the purpose for which they are being conducted. This involves weighing the benefits of the activities against the privacy risks they pose.
5. Identify and assess risks: The DPIA should identify and assess the potential privacy risks associated with the video surveillance activities. This may involve an assessment of the security measures in place to protect the data, the likelihood of data breaches, and the potential consequences of such breaches.
6. Integrate outcomes to plan: The outcomes of the DPIA should be integrated into the overall plan for the video surveillance activities. This may involve implementing measures to mitigate the identified risks, such as implementing security measures or limiting the scope of the activities.
7. Sign off and record outcomes: The DPIA should be signed off by the relevant stakeholders and the outcomes should be recorded and made available to relevant parties.
8. Identify measures to mitigate risk: The DPIA should identify measures to mitigate the identified risks, such as implementing security measures or limiting the scope of the activities.
9. Keep under review: The DPIA should be kept under review and updated regularly to ensure that it remains relevant and effective.

In conclusion, conducting a DPIA is essential for ensuring that video surveillance activities are conducted in a privacy-friendly manner. The DPIA process helps to identify and mitigate potential privacy risks, and ensures that personal data is processed in accordance with data protection laws.

Please don’t forget to tune in for our next post right before concluding our GDPR and Video Surveillance blog post series, where we will be exploring -arguably- the most important topic of the GDPR: Data Subject Rights.