Technology tends to advance much faster than the law. For example, when GDPR was first implemented in May 2018, biometric recognition was still very niche, but three years later it’s going mainstream. This serves to illustrate how important it is that you keep assessing your technology in the light of GDPR. Here are some key points to consider.
What area are you monitoring?
As a rule of thumb, you’re far more likely to have the right to monitor your own private space than you are to monitor a public space. This obviously poses challenges for perimeter control. In most environments, you’d probably be expected to focus any surveillance on access points to your property. This would probably include windows (as they can be broken).
If you want the very highest security, you might need to implement two layers of access. The first layer would funnel people out of the public area and into your private area. The second area would have the surveillance equipment. Even here, however, the surveillance would need to be proportionate.
Always remember that your right to protection has to be balanced with other people’s right to privacy. This includes your employees. Therefore you need to be able to justify every item of monitoring equipment you use. You also need to make people aware that they’re being monitored and give them the option to opt-out.
However, you need to be aware that the law recognizes the imbalance of power between employers and employees. This means that it can be very risky to base your data collection purely on the grounds of consent.
How invasive is the monitoring?
This is probably the area where technology has raced ahead of GDPR. In the old days, CCTV just meant basic cameras with standard recording capabilities. They might have been able to zoom in on individuals, but they would usually only have done so under human instructions. That human could and should have been trained on the legal use of CCTV. These days, facial-recognition technology is going mainstream.
This presents a dilemma. Firstly, there’s the question of whether or not you can use it in a GDPR-compliant manner. Secondly, there’s the question of how your employees/customers will react to it. Similar comments apply to other forms of biometrics such as body-part scanning.
How are you processing the data?
If it’s reasonable to collect data, then it’s also reasonable to store it while it’s still relevant. What this means in practice depends on the nature of the data. As a rule of thumb, if data hasn’t been used/requested in six months, it should be deleted.
While data is being stored, it needs to be stored with due regard to safety and privacy. This is possibly the single biggest reason why biometric data can be a practical minefield. If biometric data is compromised, the data subject can be impacted for the rest of their lives. Any company involved in such a breach could therefore expect the most severe consequences.