On May 25 2018, the deadline for the implementation of the European Union’s General Data Protection Regulations (GDPR) loomed large on the calendars of organizations collecting and processing the personal data of people living in the EU. While the significant penalties for breach of the regulations were well-publicized, to many the implications of GDPR on their organization were less clear, particularly when it comes down to what constituted personally identifiable data.

Most organizations were aware that GDPR applied to text-based data – name, email, and physical addresses, etc. However, as was highlighted in a previous guest blog post, static and video images also represent personal information and must comply with GDPR.

Falling foul of the GDPR

Unfortunately the very first fine for non-compliance was issued by the Austrian regulator for breach of GDPR – only four months after the regulation came into effect – and it was related to the use of video surveillance. Capturing the detailed images of passers-by and not having adequate signage resulted in a 4,800 euro fine.

In the years since the GDPR came into effect, more organizations have been penalized for data protection violations linked to video surveillance. In 2021, regulators in Germany imposed one of the largest fines to date (€10.4 million) on an eCommerce company that was found to have conducted intrusive video surveillance against its employees.

In total, more than 500 GDPR fines were imposed between 25 May 2018 and 1 March 2021. Research has shown that Data Protection Authorities (DPAs) are cracking down on illegal video surveillance, with 70% of fines issued to the hospitality industry relating to this type of violation, as well as direct marketing activity, such as spam emails.

A force for good

However, even if the headlines may sound scary, GDPR’s impact has been positive. It has made both companies and end users aware of the value of their data, and of the necessity to protect it. As a result, companies are more clearly informing their customers of how they collect personal data, what they use it for and how they use it.

Critically, the regulation has also made it much easier for people to choose whether they are happy for their information to be gathered. This is because they now receive clearer communications about the benefits of allowing an organization to process their personal information.

When used ethically and responsibly, video surveillance is a positive force in creating a smarter, safer, and more secure world. It is essential that these benefits become part of the communication around the use of video surveillance. When informing people in any specific situation that they are being filmed, the benefits to their safety, security, and experience should also be clearly communicated. It’s also essential to inform people that though they might be under video surveillance, their privacy is a paramount consideration.

Over the coming months and years, we will see more stories of fines being imposed – both large and more modest – for breaches of GDPR, and further examples of data loss and theft. While the latter highlights the never-ending importance of a rigorous approach to cybersecurity, the former shows that GDPR is being actively enforced; and enforcement of regulation shows its effectiveness. This in turn, means improved protection for personal data, which is good news for us all.

Read more about GDPR in our whitepaper.

Download the white paper