
Why do organizations need face blurring software for CCTV

July 20, 2022

Did you know that the average American is caught on CCTV security cameras around 70 times a day? There's no denying it—cameras are everywhere! They monitor crowds, observe traffic, protect retail stores, and serve as security guards on street corners across the globe.

Consequently, a vast amount of video footage containing personally identifiable information (PII) is continuously generated, processed, and archived. Generally, recorded individuals are not asked for permission, which would be impossible in most webcam surveillance situations.

Contravening Regulatory Compliance

The scope of the GDPR, which protects an individual's personal information, includes video and images. If CCTV footage contains sufficient data to identify an individual, GDPR rules for personal data processing must be applied.

The penalties for non-compliance can be hefty. The EU issued approximately 114 million euros in fines between May 2018 and January 2020, and analysts anticipate that enforcement and fines will continue to rise. With regulators able to fine firms 4% of yearly turnover or 20 million euros, whichever is greater, businesses that use surveillance cameras must protect themselves from severe penalties.

In addition to prohibiting improper data gathering, the European Data Protection Board (EDPB) mandates that CCTV operators be able to blur faces. According to Clause 95: "If a data subject requests a copy of their data processed through video surveillance at the entrance of a shopping mall with 30,000 visitors per day, the data subject should specify when they passed the monitored area within approximately a two-hour-timeframe." 

Technology has altered our daily lives in unfathomable ways. In exchange for 'free' services, it has also resulted in the emergence of corporations that collect enormous quantities of personal information. Before GDPR, tech titans functioned under a regulatory framework that did not permit them to be held accountable for data breaches. 

The respective punishments were negligible and had no significant deterrent effect. However, GDPR has altered the playing field. It gives authorities the power to impose hefty fines on any corporation or organization operating within the EU that violates personal data rules.

GDPR defines personal data as any information relating to an identified or identifiable natural person, including appearance data. A Subject Access Request (SAR) is a right of access that permits an individual to access all of their personal information kept by an organization. 

To comply with GDPR, organizations are legally required to provide any personal data kept on an individual, including video footage. The legislation also stipulates that organizations must provide the requested information without delay, and GDPR allows organizations one calendar month to respond after receiving a SAR.

GDPR has clear ramifications for releasing CCTV footage in response to a SAR, as appearance is considered personal data under GDPR. Therefore, while the person who submitted the SAR can stay visible, others who appear within the image must be blurred to prevent identification. The easiest way to do this is to use face-blurring software made for CCTV video files. If you don't do this, you could be fined.

Where does GDPR apply & What are the Penalties?

According to the EU website, GDPR applies to any organization that processes personal data as part of the operations of an EU-based branch (regardless of where the data is handled). It also applies to any corporation based outside the EU that offers products or services, whether for a fee or for free, and monitors the behavior of individuals in the EU.

What Privacy Laws Exist for US Companies?

While GDPR has set a global precedent that expands beyond EU borders, there is an increasing amount of legislation that is putting US companies on notice to communicate, protect, and dispose of data that includes personal information.

The Freedom of Information Act (FOIA) does not currently require that public entities disclose materials upon citizen request due to one of the FOIA’s exemptions. But conversations regarding the exemptions and the definition of personal information continue.  

Several states, such as California, Colorado, Connecticut, Utah and Virginia, have outlined provisions that cover right to access and deletion policies regarding consumer data. Over 35 states have introduced or considered additional consumer privacy legislation this year. Section (a) of Rule 1.201 of the California Rules of Court states that all personal information in court filings must be redacted. This includes personally identifiable information that goes on public records, which is required in Rule 8.83.

It is more important than ever that businesses in the US review their data privacy policies and leverage technology like redaction solutions when storing or publishing video or image content that contains personally identifiable data. 

Data may be king, but data must be handled with care.

Integrating Technology to Meet Regulatory Needs

Companies should investigate how they can introduce tech solutions that support regulatory and compliance requirements in a way that’s conducive to business objectives, without compromising important governance mandates.

New and existing technologies should be assessed to see if they comply with the laws governing how personal data must be protected and managed. Transparency and coherence in the interactions between people, processes, and technology are crucial. 

Regulators like the ICO, for example, are tough on organizations that don't meet legal standards because of shortcomings in their existing technological solutions.

More and more IT businesses are developing unique solutions for automation, analytics, AI, and other emerging technologies. Companies desiring a competitive advantage should invest in technology that keeps legal and compliance procedures from stifling team productivity and responsiveness.

Face Blurring Applications for CCTV Video

Sighthound is one of the few firms that offers a video redaction system that lets you automatically redact faces, people, vehicles, and license plates from images and video. Offering flexible deployment options, the Sighthound Redactor software is accessible directly via Desktop, Cloud, Client Server, or through custom integrations.

As a GDPR-compliant video face-blurring software tool, Sighthound Redactor is a great choice since it automatically blurs faces, vehicles, and license plates in video footage while still allowing manual editing of any other personal information. 

Sighthound's mission is to help clients get the most out of video content by extracting meaningful insights. When it comes to safety, security, consumer behavior, workflow optimization, and other considerations, storing a video stream for only 30 days isn't optimal.

The video has genuine commercial value beyond 30 days; therefore, redaction enables a longer storage duration for extracting insights while still fulfilling compliance requirements.

Blurring out faces of a family that is shopping using Redactor

The Bottom Line

No matter where your organization is situated, compliance is obligatory for all businesses using CCTV systems. This includes operating with complete transparency, assuring data security, responding to requests for access, and conducting impact studies before installing or upgrading any CCTV system.

GDPR's heavy fines make it prohibitively expensive to disregard data security best practices. Any company that fails to take the essential steps to ensure complete GDPR compliance risks facing severe penalties and repercussions.
