Why we need an automated, privacy-first approach to subject access requests

Privacy concerns and inefficiencies can arise from manual data redaction and reliance on physical storage mediums. But DPOs can take a digital approach to evidence management, giving better visibility and control, says JP Deby

The EU GDPR threw a few curveballs for businesses when it was introduced – and bar a few high-profile hiccups – there has been a positive step-change in how companies handle and process data. However, in my view, with video footage there is one consistent thorn in their side – Article 15.

This is because fulfilling subject access requests involving recordings from security cameras throws up a particular set of challenges. For example, Article 15 states “the right to obtain a copy… shall not adversely affect the rights and freedoms of others”. That’s easier said than done when every relevant frame of video could contain many other third parties, unaware of how their data is then being passed on, potentially in ways they could not provide consent to. The only solution is to automate.

Logistical problems cause delays

Organisations face multiple issues when it comes to data subject video access requests. First, data from security cameras is distributed and, as a result, it often requires the collaboration of multiple persons to collect and process the request. This is because the required information sits on recorders which are near the cameras – but for most businesses with a regional or global footprint, this is a headache. For example, ensuring a timely flow of data from a data subject in Hamburg to a data team in London can be tricky.

There’s also the issue of uniformity. Lots of organisations use disparate CCTV equipment, each with their own recording equipment and standards. Normalising these different standards can be time-consuming. There is also the balance of adhering to Article 15 and not impacting other people’s privacy. Manually redacting the identity of every individual not pertinent to an investigation is an expensive exercise, especially without a video editing expert. According to Guardum, each subject access request costs an average of £4,884.53 and, worryingly, 75% of DPOs believe lockdown has affected their ability to meet data compliance obligations. When you consider the respondents were processing an average of 28 requests per month, you can see how quickly time and costs add up.

As outlined below, adopting a digital evidence management system drives efficiencies at every stage, enabling a rapid return on the investment.

The benefits of digital evidence management

What always surprises me is that in today’s technologically driven world, a lot of what we do is still manual – especially regarding certain security practices. Data collection is no different. Often when a subject access request comes in the required footage is copied onto a DVD and must then be delivered to the data subject. This is not only exceptionally process-driven but also creates a chain of custody issue as the organisation loses all control over how that copy continues to be stored and shared.

This necessitates a solution which affords data protection officers better efficiencies and less reliance on physical storage – not only to provide better visibility, but also to lower the cost of processing each subject access request. This solution is known as a Digital Evidence Management System, which contributes four key benefits.

  1. Evidence Acquisition

Taking a digital approach means data privacy personnel can collect evidence and organise it by adding it to cases – i.e. including only what is necessary. By adding evidence to cases, you can automate the security, access and retention policies of your information. Evidence can be uploaded from many different sources, such as body wearable cameras, mobiles and more, while evidence can also be collected from the public by publishing a link to an upload page, where people can easily upload their videos to aid in investigations.

A proper platform should also be able to support various video codecs’ formats, and this functionality allows you to eliminate time spent on manual conversion of different video formats and aggregate video coming from disparate systems.

It’s a much faster, smoother and auditable process than the accepted manual way of operating, which typically involves copying footage onto DVDs. Furthermore, it eliminates the time and cost penalties of dealing with compatibility issues and courier fees.

  1. Associating your video evidence request with your other DSAR systems

Organisations will, for the most part, already have DSAR (data subject access request) systems, so taking a digital approach to evidence management allows for direct integration and the removal of silos.

It also allows for smarter ways of working. For example, digital tagging via keyword or map-based search to find digital evidence further enhances the ability to use the platform for collaboration.  This is especially interesting for business segments like retail, education or hospitality, which can have recurrent incidents.

  1. Distribution of Evidence

As already stated, a digital evidence management system facilitates the exchange of information with other stakeholders inside and outside your organisation by linking them through email, eliminating the clunky DVD approach and the cost of registered mail. Granted, we have seen digitised alternatives used over the years, such as File Transfer Protocol (FTP) and other cloud-based file hosting solutions. However, while they are user-friendly and require minimal integration, they still lack certain functionalities. Even though files stored on these sites and platforms are secure, the data is vulnerable if an unauthorised third party gains access to the login credentials. In other words, anyone who has a client’s username and password, which are often in plain text form and sent via email, could possibly violate any information on an FTP site.

Furthermore, FTP sites and cloud-based file hosting do not have audit trails that detail when a user views, uploads, or downloads a file. If ever a breach occurs, there is little information to detect who caused the violation and who has been impacted. Links to FTP sites do not expire either, further exposing companies that do not manage or update their settings regularly.

With a dedicated digital evidence management system, however, these issues can be negated. Access to information is controlled by user permissions and all actions are tracked within the system’s audit trail report, which include detailed information about the user, activity type, and timestamps, meaning there is always a clear chain of evidence.

  1. Redaction and Editing

The GDPR and CCPA (California Consumer Privacy Act) require that when sharing information with data subjects, it does not put other persons’ privacy at risk. You should make sure that your Digital Evidence Management System provides a smart solution for video redaction or “blurring”.  These built-in features allow users to protect the privacy of bystanders or witnesses if video must be shared with third parties, or when fulfilling public records requests. Smart, built-in video redaction modules enable users without advanced video editing knowledge to spend less time redacting, while also ensuring accurate results are maintained.

Subject access requests have the potential to overwhelm a company, if maliciously used due to the sheer time and resource it requires to process each file. Transforming your evidence management to a digital process has the potential to not only save time but also drive better compliance opportunities. Keeping costs relatively low whilst also enhancing shareability with third parties like law enforcement. Of course, rules need to be in place, such as user privileges, as assigned by the administrator, but leveraging digital management systems equips DPOs with the tools to manage costs, improve operations and simplify Article 15 compliance.

 

By JP Deby, Building and Industrial Commercial Lead for Europe, Genetec


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.