Download PDF version Contact company

The introduction of the GDPR has deeply affected businesses using video surveillance. Striking a balance between the safety and security needs and safeguarding third-party privacy when processing personal data can be a challenge. But with planning, the right documentation, the right tools, and the right partner, it can be done.

The European Union General Data Protection Regulation, GDPR, was introduced in May last year to protect the privacy of individual citizens; how personal data is collected, processed, and shared. As the regulation isn’t just about written details, like names and addresses; it also applies to any information that can identify someone, which therefore includes video surveillance data such as pictures and videos.

Guidelines that help compliancy

As a business owner, there are some things that one needs to get straight when handling personal data. Trying to bring some clarity and helping companies do the right thing, the European Data Protection Board (EDPB) has published useful guidelines. These cover all GDPR compliance aspects, from planning and installing to running the video surveillance. For example, it includes what one may record, how long one can save it, and how and when one can export it.

A professional supplier should also be able to help, both with the information that one needs as well as the right hardware and software to protect third-party privacy.

Starting on the right foot

Let’s say that, as a store owner, one is in the process of installing video surveillance. It might be to protect the premises against vandalism or to keep track of what happens in the store to reduce thefts, or to improve staff and customer security. Generally, this will make one the data controller. Documentation and processes are critical to comply with GDPR

Documentation and processes are critical to comply with GDPR. The first step is to explain why one needs to install cameras that could potentially infringe on third-party individuals. This balance of interest is vital in the regulation, the legitimate interests versus those individuals whose personal data is being collected, held, or processed, also known as the data subjects.

Video surveillance – areas to consider

Once established the legitimate need to install video surveillance, it’s time to design the system. From an overall system perspective, there are a few areas that one needs to consider.

System design

When designing the video surveillance system, AXIS Site Designer helps to ensure that GDPR obligations are properly considered. Here one can define the retention time, define the camera's field of view and resolution to ensure the right images are captured.

AXIS Site Designer provides installation notes which can be used to inform the installer of GDPR considerations such as the need for privacy masks and specific installation requirements.

Data storage

Data storage covers two areas: how long one should store the data and how to protect it. In general, one is not allowed to store data for “longer than is necessary for the purposes for which the data are processed,” what the GDPR calls “storage limitation”. Depending on the purpose, three or four days is usually enough. The longer one wants to store the data, the greater legitimate interests must be.

To protect the data, one should secure physical access to the location where the video management system and data is stored. The video management system itself must be secured against unauthorized access to the stored recordings containing personal data.

Using AXIS Camera Station, one can easily set safe passwords, both for the VMS and the camera and they can even be randomized. User permissions can also be applied to limit functionality appropriate for the operator. Any leaks of personal data or security breaches must be reported to the relevant supervisory authority promptly.

Third-party privacy in VMS

Tools for the protection of privacy should be core functions of video management software. Sometimes one may need to mask objects and innocent bystanders or staff in a video to comply with regulations.

Using the inbuilt video redaction in AXIS Camera Station one can easily pixelate parts of the video before exporting. Any individuals’ requests to access any personal data can be met quickly and efficiently due to the simple export of masked video.


The GDPR puts a strong focus on surveillance system documentation, during the planning as well as the operation. One should be able to provide information about how data is processed and who will have access to the collected data, and must keep a written record of the operation. AXIS Site Designer and the installation verifier and logs in AXIS Camera Station provide useful information to document the installation.

Camera placement

Axis PTZ cameras support for 3D masking allow masking to be maintained when the camera’s field of view changes It’s crucial that the cameras only cover relevant areas, what the GDPR calls “data minimization”. It states that personal data must be “adequate, relevant, and limited to what is necessary for the purposes for which they are processed”. For example, if one wants to protect the shopfront, the cameras shouldn't include irrelevant parts of the street.

Static privacy masks should be utilized to prevent viewing of public areas such as windows. Axis offers privacy masking in most cameras. It enables selected areas of a scene to be blocked or masked from viewing and recording. Axis PTZ cameras with support for 3D masking allow masking to be maintained even as the camera’s field of view changes through panning, tilting, and zooming as the masking moves with the camera’s coordinate system.

AXIS Live Privacy Shield offers dynamic privacy masking. It’s a camera analytic, which one can use to monitor live indoor activities without collecting any sensitive personal data. It safeguards privacy by anonymizing people in a video but allows monitoring of activities or movements.

Accurate information

One must put up clear signs to inform third-party individuals that the area is under camera surveillance. They have the right to know the details of why they are being recorded and how the data will be used.

Individuals also have the right to access any personal data that one has collected, both an overview and the actual data.

Additional considerations

In addition to the areas already covered, general IT system security should be considered as this could lead to a data breach:

  • Make sure that the system is secure by implementing strong passwords and policies for all devices and software
  • Choose equipment from companies that apply cybersecurity best practices
  • Consider and if possible, restrict internet exposure
  • Ensure that all devices are running with the latest firmware since the newest version could close vulnerabilities
  • AXIS Camera Station, will prompt the user for firmware updates and simplify the management of the video surveillance devices
  • Ensure that the system supports encrypted data communication between devices in the system, such as HTTPS
  • AXIS Camera Station supports HTTPS between the server-client and the cameras so that the system handles data safely

Get the right partner

Offering the required third-party privacy protection and complying with the GDPR may seem overwhelming. And while an individual, as the data controller, is generally responsible for GDPR compliance, installers, distributors, and manufacturers are there to help and support.

With the right surveillance supplier or partner, users will get equipment that safeguards personal data, but also support and services that will take the weight off the shoulders. They can help get the best of both worlds – GDPR compliance as well as the safety and security that one needs.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

In case you missed it

Why Visualization Platforms Are Vital For An Effective Security Operation Center (SOC)
Why Visualization Platforms Are Vital For An Effective Security Operation Center (SOC)

Display solutions play a key role in SOCs in providing the screens needed for individuals and teams to visualize and share the multiple data sources needed in an SOC today. Security Operation Center (SOC) Every SOC has multiple sources and inputs, both physical and virtual, all of which provide numerous data points to operators, in order to provide the highest levels of physical and cyber security, including surveillance camera feeds, access control and alarm systems for physical security, as well as dashboards and web apps for cyber security applications. Today’s advancements in technology and computing power not only have increasingly made security systems much more scalable, by adding hundreds, if not thousands, of more data points to an SOC, but the rate at which the data comes in has significantly increased as well. Accurate monitoring and surveillance This has made monitoring and surveillance much more accurate and effective, but also more challenging for operators, as they can’t realistically monitor the hundreds, even thousands of cameras, dashboards, calls, etc. in a reactive manner. Lacking situational awareness is often one of the primary factors in poor decision making In order for operators in SOC’s to be able to mitigate incidents in a less reactive way and take meaningful action, streamlined actionable data is needed. This is what will ensure operators in SOC truly have situational awareness. Situational awareness is a key foundation of effective decision making. In its simplest form, ‘It is knowing what is going on’. Lacking situational awareness is often one of the primary factors in poor decision making and in accidents attributed to human error. Achieving ‘true’ situational awareness Situational awareness isn’t just what has already happened, but what is likely to happen next and to achieve ‘true’ situational awareness, a combination of actionable data and the ability to deliver that information or data to the right people, at the right time. This is where visualization platforms (known as visual networking platforms) that provide both the situational real estate, as well as support for computer vision and AI, can help SOCs achieve true situational awareness Role of computer vision and AI technologies Proactive situational awareness is when the data coming into the SOC is analyzed in real time and then, brought forward to operators who are decision makers and key stakeholders in near real time for actionable visualization. Computer vision is a field of Artificial Intelligence that trains computers to interpret and understand digital images and videos. It is a way to automate tasks that the human visual system can also carry out, the automatic extraction, analysis and understanding of useful information from a single image or a sequence of images. There are numerous potential value adds that computer vision can provide to operation centers of different kinds. Here are some examples: Face Recognition: Face detection algorithms can be applied to filter and identify an individual. Biometric Systems: AI can be applied to biometric descriptions such as fingerprint, iris, and face matching. Surveillance: Computer vision supports IoT cameras used to monitor activities and movements of just about any kind that might be related to security and safety, whether that's on the job safety or physical security. Smart Cities: AI and computer vision can be used to improve mobility through quantitative, objective and automated management of resource use (car parks, roads, public squares, etc.) based on the analysis of CCTV data. Event Recognition: Improve the visualization and the decision-making process of human operators or existing video surveillance solutions, by integrating real-time video data analysis algorithms to understand the content of the filmed scene and to extract the relevant information from it. Monitoring: Responding to specific tasks in terms of continuous monitoring and surveillance in many different application frameworks: improved management of logistics in storage warehouses, counting of people during event gatherings, monitoring of subway stations, coastal areas, etc. Computer Vision applications When considering a Computer Vision application, it’s important to ensure that the rest of the infrastructure in the Operation Center, for example the solution that drives the displays and video walls, will connect and work well with the computer vision application. The best way to do this of course is to use a software-driven approach to displaying information and data, rather than a traditional AV hardware approach, which may present incompatibilities. Software-defined and open technology solutions Software-defined and open technology solutions provide a wider support for any type of application the SOC may need Software-defined and open technology solutions provide a wider support for any type of application the SOC may need, including computer vision. In the modern world, with everything going digital, all security services and applications have become networked, and as such, they belong to IT. AV applications and services have increasingly become an integral part of an organization’s IT infrastructure. Software-defined approach to AV IT teams responsible for data protection are more in favor of a software-defined approach to AV that allow virtualised, open technologies as opposed to traditional hardware-based solutions. Software’s flexibility allows for more efficient refreshment cycles, expansions and upgrades. The rise of AV-over-IP technologies have enabled IT teams in SOC’s to effectively integrate AV solutions into their existing stack, greatly reducing overhead costs, when it comes to technology investments, staff training, maintenance, and even physical infrastructure. AV-over-IP software platforms Moreover, with AV-over-IP, software-defined AV platforms, IT teams can more easily integrate AI and Computer Vision applications within the SOC, and have better control of the data coming in, while achieving true situational awareness. Situational awareness is all about actionable data delivered to the right people, at the right time, in order to address security incidents and challenges. Situational awareness is all about actionable data delivered to the right people Often, the people who need to know about security risks or breaches are not physically present in the operation centers, so having the data and information locked up within the four walls of the SOC does not provide true situational awareness. hyper-scalable visual platforms Instead there is a need to be able to deliver the video stream, the dashboard of the data and information to any screen anywhere, at any time — including desktops, tablets phones — for the right people to see, whether that is an executive in a different office or working from home, or security guards walking the halls or streets. New technologies are continuing to extend the reach and the benefits of security operation centers. However, interoperability plays a key role in bringing together AI, machine learning and computer vision technologies, in order to ensure data is turned into actionable data, which is delivered to the right people to provide ‘true’ situational awareness. Software-defined, AV-over-IP platforms are the perfect medium to facilitate this for any organizations with physical and cyber security needs.

What New Technologies And Trends Will Shape Video Analytics?
What New Technologies And Trends Will Shape Video Analytics?

The topic of video analytics has been talked and written about for decades, and yet is still one of the cutting-edge themes in the physical security industry. Some say yesterday’s analytics systems tended to overpromise and underdeliver, and there are still some skeptics. However, newer technologies such as artificial intelligence (AI) are reinvigorating the sector and enabling it to finally live up to its promise. We asked this week’s Expert Panel Roundtable: What new technologies and trends will shape video analytics in 2021?

Tackling The Challenge Of The Growing Cybersecurity Gap
Tackling The Challenge Of The Growing Cybersecurity Gap

The SolarWinds cyberattack of 2020 was cited by security experts as “one of the potentially largest penetrations of Western governments” since the Cold War. This attack put cybersecurity front and center on people’s minds again. Hacking communication protocol The attack targeted the US government and reportedly compromised the treasury and commerce departments and Homeland Security. What’s interesting about the SolarWinds attack is that it was caused by the exploitation of a hacker who injected a backdoor communications protocol.  This means that months ahead of the attack, hackers broke into SolarWinds systems and added malicious code into the company’s software development system. Later on, updates being pushed out included the malicious code, creating a backdoor communication for the hackers to use. Once a body is hacked, access can be gained to many. An explosion of network devices What has made the threat of cyberattacks much more prominent these days has been IT's growth in the last 20 years, notably cheaper and cheaper IoT devices. This has led to an explosion of network devices. IT spending has never really matched the pace of hardware and software growth Compounding this issue is that IT spending has never really matched the pace of hardware and software growth. Inevitably, leading to vulnerabilities, limited IT resources, and an increase in IoT devices get more attention from would-be hackers. Bridging the cybersecurity gap In the author’s view, this is the main reason why the cybersecurity gap is growing. This is because it inevitably boils down to counter-strike versus counter-strike. IT teams plug holes, and hackers find new ones, that is never going to stop. The companies must continue fighting cyber threats by developing new ways of protecting through in-house testing, security best practice sources, and both market and customer leads. End-user awareness One of the key battlegrounds here is the education of end-users. This is an area where the battle is being won at present, in the author’s opinion. End-users awareness of cybersecurity is increasing. It is crucial to educate end-users on what IoT devices are available, how they are configured, how to enable it effectively, and critically, how to use it correctly and safely. Physical security network A valuable product that tackles cybersecurity is, of course, Razberi Monitor™, which is new to ComNet’s portfolio. Monitor™ is a software platform that provides a top-down view of the physical security network and ecosystem. Monitor™ is a software platform that provides a top-down view of the physical security network and ecosystem It monitors and manages all the system components for cybersecurity and system health, providing secure visibility into the availability, performance, and cyber posture of servers, storage, cameras, and networked security devices. Proactive maintenance By intelligently utilizing system properties and sensor data, Razberi’s award-winning cybersecurity software prevents problems while providing a centralized location for asset and alert management. Monitor™ enables proactive maintenance by offering problem resolutions before they become more significant problems. Identifying issues before they fail and become an outage is key to system availability and, moreover, is a considerable cost saving.