Unlock the Benefits of Computer Vision without Breaching the GDPR - A Guide to Protecting Personal Data

Data protection is essential, especially when it comes to the use of computer vision (CV) technology. 

This blog will discuss how to apply GDPR's six data protection principles to the use of CV, including transparency, specified purposes, data minimization, storage limitation, and accuracy.

How does GDPR impact computer vision in the workplace?

People, including your workforce, expect their personal information to be protected in their domestic lives and at work. 

The General Data Protection Regulation (GDPR) originated in the EU but affects organizations worldwide that trade with or hold data for EU countries. 

Following BREXIT, the UK has incorporated the EU GDPR principles into the UK GDPR, which has been accepted by the EU as “essentially equivalent.” 

The shift in personal data protections with the GDPR

Earlier data protection laws applied largely to computer records of textual information such as bank accounts and staff records. GDPR defines “data” as “any information relating to an identifiable living individual.” 

This broader definition includes still and moving images, such as the use of CCTV cameras, and any imagery captured from the CCTV by an AI camera if individuals can be identified. 

6 Data Protection Principles To Uphold With Computer Vision Systems

You can still benefit from computer vision technology without breaching GDPR. Here is how to apply the six data protection principles from GDPR to the use of computer vision systems.

1. Lawful, fair, and transparent

Clearly indicate where CCTV cameras are located, such as by displaying GDPR-compliant CCTV signs. In the workplace, you should back this up with briefings (for example, during induction) to inform employees about who can see the live stream, any recordings made, and how these will be used. 

When you introduce computer vision for security to an existing CCTV system, you need to tell people when still images or film clips might be captured and clarify who will have access to them. 

The most transparent approach would be to show staff examples of the data collection. Remind people of their rights. Under EU and UK law, they have the right to view any recorded video in which they are identifiable.

2. Purpose limitation 

If you have existing CCTV cameras, ensure you have a description of their legal basis. This should balance the legitimate interests of the organization with the privacy rights of individuals. 

Adding a computer vision in safety management changes the purpose of the cameras and might impact the legal basis. Your aim might be to identify safety concerns with the working environment, such as lighting or layout.

Ensuring transparency and trust

You might also be looking for examples of behavior to identify training or coaching needs. 

If later, you decide to use the technology to compare how long different individuals spend on a task or as evidence in a disciplinary case; you will be breaching this principle - and the trust of your workforce.

Communicate new functions for CCTV to workers. Be transparent that in the event of an accident, you might have to identify people within the video, particularly where a regulator is involved in an investigation.

3. Data minimization

Visual data collected should be limited to what is necessary for the task. If the aim is to see how many people are too close to vehicles at a location within a shift, identifying individuals is not required. 

Use computer vision systems that blur the faces of people within the video clips to comply with this principle. Additionally, avoid recording the audio of personal conversations, as this also breaches this principle. 

Control access to information by restricting who can view or edit it. Look for systems that allow you to manage access levels for different staff.

4. Storage limitation

Faces in the original CCTV stream can lead to identification. Smart Computer Vision identifies which clips need to be kept, and blurs faces in clips that need to be retained, ensuring compliance with the principle of storage limitation. 

There should be a written retention policy for any images stored. Your organization must justify how long the video is kept. For example, a month is probably long enough for a crime to be detected. 

If an accident occurs, relevant CCTV footage may be stored longer for investigation purposes.

5. Accuracy

Social media images prove that “the camera never lies” is a myth. Any CCTV images retained must be accurate. Time stamps and locations must be retained, and it should be obvious if any annotations have been made to the images. 

If people are identifiable in images, they have the right to challenge any labels assigned to those images. For example, don’t label a clip “worker being careless.” 

6. Integrity and confidentiality

Unless the circumstances are exceptional, such as a criminal investigation, CCTV cameras should not be located in areas such as changing rooms or toilets. 

Make sure there is a clear organizational policy about who accesses the original video and who can see anonymized clips. 

The policy should also specify the conditions under which images may be shared with third parties, such as the police or occupational health and safety inspectors. 

While domestic CCTV systems connected to the Internet have gained a negative reputation for data breaches, workplace CCTV and any recordings made must be protected by technical means from unauthorized access. 

Maximize computer vision with Protex AI’s GDPR-compliant solution

Make sure that any technology you use provides the functionality you need to meet GDPR principles, and you can get the best out of your CV while maintaining people’s rights. 

Want to stay ahead of the curve in data privacy protection and revolutionize EHS management with Protex AI's GDPR-compliant CV software? Schedule a call with one of our product experts today!

‍