“Smart video solutions are boosting security by collecting more valuable data than ever before. But balancing privacy requirements with effective video security is never easy, requiring compliant data management practices, solutions that are ‘secure-by-design’, and partnerships with security-conscious installers and manufacturers,” says Fred Streefland, Director of Cybersecurity and Privacy at Hikvision EMEA.
Smart video solutions have advanced by leaps and bounds in a very short space of time – helping organizations of all types and sizes to boost their site security.
Just a few years ago, for example, cameras recorded video footage and stored it locally, with security teams reviewing it manually in the event of an incident. Today, machine learning and artificial intelligence (AI) technologies mean smart cameras can collect and process vast quantities of data about people accessing sites and buildings, helping security teams to work more effectively and respond to incidents faster.
But in spite of the many operational and security benefits of machine learning and AI, every organization has to consider and mitigate the privacy implications of cameras and other devices collecting and processing citizens’ Personally Identifiable Information (PII). In other words, you need to balance privacy requirements carefully with the capabilities of your video solutions.
Follow the rules and you’ll be fine
It’s a common myth that video solutions are not permitted by the GDPR and other privacy regulations, but this is not actually the case. In fact, you are free to record video footage of your business or site under the GDPR – provided you follow the rules, including Article 5 and Article 6 of the GDPR.
These articles state, very clearly, that the processing of all PII must be lawful and that all PII collected about EU citizens must be processed and stored securely, from end to end.
Of course, this includes video footage where the identity of a person or people can be recognized. However, the rules also apply to other data, such as temperature screening data, which is not personal data on its own, but which becomes sensitive data when it’s linked to recognizable individuals. In this case, this data also needs to be protected from end to end.
The ‘power of 3’
Any organization that takes privacy seriously will know that balancing privacy concerns with smart video security solutions isn’t something you can achieve on your own. In fact, 3 key partners are needed to help you achieve this delicate balance and ensure compliance with the GDPR.
1) The end-user (i.e. your company)
Under the terms of privacy rules, including the GDPR, the buck stops with the end-user (that’s you) as far as secure data processing responsibilities are concerned. After all, the devices, systems, and networks used for processing and sharing data are under your control, and you should be able to vouch for them. Fortunately, you are not alone, and your technology partners, installers, and legal teams should all be available to help you ensure your data is processed and stored securely at all times.
2) The installer
The smart video installer has a key role in terms of ensuring that your network and device access are totally secure. This can be achieved with a combination of techniques, from deploying cameras and other devices on a ‘partitioned’ or secure part of the network, to changing factory passwords to minimize the risk of security breaches.
3) The device manufacturer
Manufacturers of smart video technology have a major responsibility in terms of securing their devices and ensuring that no security ‘loopholes’ exist anywhere. This can only be achieved by implementing ‘secure-by-design’ principles across the development, penetration testing, and production processes to ensure that security is ‘baked’ into all products.
Another key responsibility of the manufacturer is to make all products ‘secure-by-default’ at the point of delivery. That is to say, factory settings put the product in the most secure mode possible in terms of how data is collected and processed, even if this limits some of the advanced capabilities of the device. Of course, security settings can be toned down to access advanced features if you so choose – but this should only be done under legal guidance to ensure that all your solutions remain GDPR-compliant.
Ask all the right privacy questions
For all organizations, balancing privacy requirements with effective video security is all about understanding your responsibilities – and ensuring that your technology solutions match up. The only way to do this is to ask the right questions of your device manufacturers and installers.
Ask your device manufacturer, for example, if products are developed and tested in line with ‘secure-by-design’ principles, and if data processing meets the security requirements of the GDPR. You should also consider asking if devices are set for maximum security-by-default, and preferably also privacy-by-default, when they are delivered from the factory.
How Hikvision can help
At Hikvision, we’re always happy to talk to our customers about privacy requirements and how our products are built to meet and exceed them. Based on end-to-end implementation of security-by-design and security-by-default principles and processes, we can help you protect your data, your business, and your customers.
Find out more about our cybersecurity capabilities here, or contact me to discuss your specific privacy requirements.