The GDPR is making a huge impact on business. It’s fair to say that the regulation was adopted out of extreme concern that businesses were collecting personal data belonging to citizens that was ultimately not secured with long-term principles in mind, leading to data breaches that affected those citizens. Watching the news doesn’t paint a picture of confidence when it comes to the custodial nature of data held by businesses. The GDPR was set forth to address these concerns, but also to give citizens the ability to control what data businesses collect and store concerning them, including the length of time those businesses can store that data. Certainly, there are situations where certain data must be held for longer periods of time (client data associated with a mortgage, for example), but much of the data being targeted in the GDPR is not necessarily data a business has a direct, legal responsibility to hold onto for any length of time.
Data that Businesses Collect that are Subject to GDPR
The definition the GDPR provides covers a wide range of data products. A major example the EU used in their initial publication was of a business in the EU that collects customer data as it relates to providing travel services. That data falls under the GDPR, and the customers, not the business, have a right to insist on data protection and, in most cases, elimination. The GDPR goes on to stipulate that businesses have to prove they eliminated the data in a formal report, given to the customer, and held in records for a specified period of time.
In Article 4, Subsection 1, the GDPR defines data as follows: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This definition literally translates to any information that denotes the identity of a person in any way. Documents, audio, video, images, software-housed profiles, financial transactions: the list truly goes on. The implications for business are sophisticated and growing. As data-capturing technology continues to advance, presenting more opportunities for a business to hold different types of data, the GDPR will become more relevant to that business’s operations.
And that means having to hire staff, or contract for services to deal with the requirements of GDPR. Citizens can request documented data to be purged, video files to be redacted, audio files to be stripped of their voice. But on the front end of these requests, citizens have to supply verifiable data to these businesses to accomplish these requests. This means pictures that can be used to locate digital media, personally-identifiable information that can be matched to the requested documents.
Managing hordes of data, and then inheriting similar data to locate that specific data is a new, challenging paradigm for all involved.
Do Businesses Have Protections in GDPR?
In Article 1, Subsection 4, the GDPR reads as follows: “The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”
And it would seem that the theme of the GDPR places the emphasis on business to process data, and only maintain it under specific circumstances, be it compliance, historical, or another vested interest as it relates to society. But even those circumstances are not spelled out to the level that purging of data must be done. It’s safe to assume that was intentional, as the EU wants to have court rulings that decide whether data held by a business is lawful or not, based on the merits of the GDPR.
This means that businesses will have to make specific, well-researched arguments if they are deciding to maintain data. We’ve talked about some relevant examples. Financial documents are one case where data would be expected to be maintained for a long period of time, especially if that data is tied to an active customer. If that customer no longer wants that business to maintain that data, they would likely need to sever their business relationship. However, we know in the US that financial services providers are required to maintain certain documents for auditing purposes.
It would seem the GDPR doesn’t necessarily outline this scenario, but it does provide several protections on the grounds of social, historical, and welfare concerns. On reading, the historical grounds seem to apply to the described scenario.
These types of scenarios are going to have to be considered on a near daily basis as the GDPR evolves. But likely the biggest question for businesses is multimedia content, particularly video.
How Does This Impact Video Systems?
Businesses, especially those that interact with customers directly in their facilities, tend to have video camera systems installed as a way to prevent crime, catch crime as it happens, and even review employee activities. Many businesses will use these real-world examples to train their new and established staff when it comes to identifying certain negative outcomes, like theft. Up until the GDPR, it was every business’s right to use in-house examples, and it was a very logical approach. You may as well use the most relevant examples to train your staff, especially in retail settings, on what to pay attention to.
However, what the GDPR outlines is that any personally identifiable data belongs to the citizen, not the company. And it outlines a process by which a citizen can request that all data depicting them be purged or de-identified. Businesses that employ video technology can no longer rely on capturing video data, holding onto it for a predetermined amount of time, and then backing it up elsewhere. Sure, businesses can technically still employ this process. However, when a citizen requests that all data depicting them be purged, the onus is on that business to search all possible data, identify any data that is associated with the citizen, and remove it. In the case of video data, this can be tricky because there may be relevant reasons (like those described above) for that data to remain in business ownership.
What this means is that businesses are going to have to employ facial recognition and redaction software to work on all video content that they are capturing. It also likely means that, rather than storing old video content in a “vault” type setting, storing content locally can make honoring requests easier to manage, because the citizen can specify where they believe content derives from, and that content can be found quickly, on-site. However, what will end up being the easiest way to deal with managing content that could be subject to GDPR requests is to store all data on a cloud service, and use the described software tools to seek out content, and then take appropriate actions. We will discuss GDPR request processing in a future edition.
While we are still exploring the GDPR from an introductory standpoint, one can see that the process for handling how this regulation affects business is going to be quite sophisticated, and this is a major reason that the GDPR outlines that specifically trained staff needs to be hired on a full-time basis in some businesses. We will continue to look into the regulation, and point out as many specific requirements as we can, as well as any language that leaves a challenging question to ponder. Continue to read, and we’ll continue to lay out what this regulation will entail.
Be safe out there!