In our last article we discussed the general impact the GDPR places on businesses. In this article we’ll focus on the impact on digital content and assets held by businesses that will ultimately be subject to the new regulation.
The ‘Natural Person’ and Purge Requests
The GDPR defines natural persons as those citizens who have data and privacy concerns, that trump those data and privacy concerns of businesses, government, and other organizations. In short, if the citizen doesn’t want an entity to have data that’s personally associated to them, they can request that entity to remove it. While the internal policies to honor those requests are still in the control of businesses (somewhat), there is a methodology of compliance they must follow to prove they’ve honored the request.
Under the Data Privacy Act, which the GDPR replaces, people submitted a Subject Access Request (SAR) which requested the various data a given business has pertaining to that person, what they were doing with it, when and how it was accessed and so on. The same application is part of the GDPR but it also requires businesses to divulge if they’ve sent any data to a third party and has waived fees that were traditionally charged to citizens, with exceptions concerning, “broad, vague, and lengthy requests.”
This means that the cost of producing results to citizens are now the business’ responsibility, and it also means they have to potentially expose any relationships they have with other organizations, business or otherwise, that request data from them that could be identifiable to a specific person. An obvious example would be collection agencies, but a less obvious could be that a business has a small contract in place with a government agency that collects data about financial customers in general, like the typical credit applicants, and that part of that survey process does involve some personally identifiable data being transmitted to the government agency, which in turn sanitizes it prior to statistical collection.
The GDPR does grant an exception to this type of data sharing in Article 1, Paragraph 62, where it is laid out that historical and statistical purposes (among others) is a valid reason to process data and seems to encompass the lawful sharing of that data.
As discussed previously, the real headaches won’t necessarily be with PII, or other documentary data. It will instead shift focus to digital content, in the form of audio, image, and video files that businesses hold, stemming from security systems, to room recording technologies, to access systems. This is where the GDPR will really make a mark.
How Businesses Process Digital Content
Most businesses have a video security system at their premises, and the goal is to identify those people that try to steal, or otherwise harm the business. Everything from graffiti, to corporate espionage gets captured on video, and is used later to hold people responsible for their crimes.
Most video content is not held for very long. In fact, most systems are designed to purge unrequested content after several days, so as to maintain storage space for the current content in the system. This in itself can alleviate dealing with copious amounts of content to satisfy a SAR. However, some businesses have to hold onto such content for longer periods of time. It can be for many reasons, like the content involves a serious incident unrelated from those depicted in frame. And the GDPR ensures that each person in the frame has a right to be unidentifiable in the content, even if the business has legitimate reason for holding onto the content.
Video systems don’t come with post-production tools, outside of a basic download/record function, which is usually directed towards a physical disc of some kind. If we’re going to work with digital content and regulations in the 21st century, we need to have tools that reflect that reality.
Tools for Digital Content
Recognition Software – considering that a SAR can be designed to encompass whole date ranges, you need the ability to scan audio, image, and video content in an automated manner, likely involving an algorithm that works off matching principles. In a SAR, the citizen will have to provide appropriate means to identify themselves in the content they are worried about. Audio samples, still images, and even video shot over a few different angles, can be used in recognition software to examine all content you have in your storage infrastructure, and as matches populate, you can manually identify the citizen, verify their existence in the content, and begin staging all applicable content to your next tool, redaction software.
Redaction Software- this is the software that will make or break your efficiency more so than anything else. There is a lot of redaction software available for purchase. Much of it uses frame-by-frame technology, which means that for this type of work you’ll be spending a lot of money on labor or professional services to get the content to comply with the citizen’s SAR. Instead, using redaction software that has automated algorithms is very important in these situations. You could very well handle a single SAR that involves over 40 files, 15 of which are video files with over 10,000 frames, and all of them need some form of redaction. We can tell by the numbers this isn’t going to be a one-day job. But algorithm-based redaction means that the video redaction work might be done that day, likely leaving plenty of time to get audio files completed.
The more the software can do the work for you, the easier it is to handle the requests. This takes strain of your personnel, off of your compliance concerns, and reduces the response time needed to achieve the result of honoring the citizen’s request. However, the work doesn’t end just by complying with removing the citizen in question. As always, you have to document what’s transpired. And if your software doesn’t create reports that stipulate search findings and verifications (from the recognition software), and the enhancement work completed (from the redaction software), then you will be missing the second half of the GDPR, which requires recording that this work was done, in compliance with the regulation, and that your methodology for honoring the request is solid.
Reports have to automatically capture what your software is doing, place those activities in a logical order (timeline), and then give you the ability to archive those reports to separate location in your storage infrastructure. Because the GDPR creates audit protocols that businesses must adhere to, and those reports are what will save you from a major fine (up to four percent of your business’ bottom line!) and demonstrate that you’ve put together the best practice when it comes to servicing GDPR SAR’s.
These reports have to reflect the date and time the content was located, where it was located, the date and time it was created, who located it, where they were when they located it (IP address), and how they handled it for SAR processing. It then needs to report the manual matching portion, indicating why content was selected for the SAR, versus why other content may not have been selected (didn’t meet criteria, etc.), and on the redaction side it needs to record all the same information, but in the context of where it was redacted, time frames of redaction, total frames, by who, and what was ultimately done with the completed content at that point.
Once this content is finished, the GDPR will require that the original file be deleted. If you as a business have a prurient need to retain the original, or the redacted copy, make sure you are documenting those reasons in a separate report, and what part of the GDPR your exception can be found in.
This article may make the idea of process digital content for GDPR compliance easy, but it’s anything but. GDPR compliance is going to ultimately become an evolving process. But you can rest assured that if you have heavy amounts of digital content, you will need recognition and redaction software, there can be no mistake on this point. Hopefully you get ahead of the regulation and get software that will make this process as painless as it can be.
Be safe out there!