On the 25th May 2018 the General Data Protection Regulation (GDPR) entered into force. The GDPR builds on the previous 1995 Data Protection Directive and adds some innovations, clearer rules and the threat of sanctions for companies that do not comply with it. So how will the GDPR impact drones?
1. Broader meaning of personal data
Data protection law applies whenever you process personal data. The GDPR lays down a slightly broader definition of the term than the Directive did. Personal data is any information which relates to an identified or identifiable person (Article 4). It can be images, videos, sounds, biometric data (facial recognition markers, for example), location markers and traffic data, telecommunications data or any combination thereof – as long as an individual can be identified, it is personal data. In practice, this means that the GDPR rules may apply to you when operating a drone. As a precaution, you should treat any footage capturing people as personal data. Apply anonymisation techniques to your recordings, such as blurring people, their faces and any recognisable clothing they might be wearing, to mitigate risks to individuals and to your operation.
2. Similar rules, new sanctions
Personal data is considered a fundamental right worthy of protection and you should act accordingly. Like the Directive before it, the GDPR prescribes some legal principles to keep in mind, including:
- collecting and storing as little data as possible;
- using data only for the reason for which it was collected;
- deleting unnecessary data; and
- ensuring a high level of security to protect your data assets and infrastructure.
Although the GDPR does not significantly change underlying data protection rules, it does raise the stakes in terms of potential liability for organisations that do not comply. From 25 May 2018, you could be facing monetary sanctions of up to EUR 20 million or 4% of your annual worldwide turnover, if you fail to comply with the requirements of the GDPR.
3. Data protection by design and by default
The GDPR codifies the principle of data protection by default and by design. Manufacturers, operators and pilots should all consider how to incorporate principles of data protection into their business functions and products that process personal data through technical and operational means. For example, drone manufacturers could consider how to build and equip drones in a way that would minimise unnecessary data collection, while operators and pilots should think about data protection and privacy when choosing the most appropriate drone for their task, when planning their flight path and when establishing procedures for handling data they have collected.
4. Rights of individuals
Individuals have a variety of rights which they can exercise with regard to their own personal data. Most of these rights are not new, but all of them are enforceable now. You should be aware of them and establish clear, accessible and efficient procedures to help individuals exercise their rights. You should also inform people that they have these rights. Some of these rights are:
- Right to withdraw consent – people can agree to their data being captured by your drone and subsequently change their minds;
- Right of access – if people ask, you should let them know if you are processing any data related to them, where and for what purpose, and to give them a copy of the data;
- Right to be forgotten – people can request that you delete their personal data, for example if your activities do not comply with GDPR principles, if people never agreed to their data being captured, or if they previously agreed to being recorded but changed their minds and you have no other legal basis to retain that data.
Under the GDPR, you are now accountable for your activities involving personal data and you bear the responsibility to demonstrate that you have met its requirements. The GDPR places some administrative requirements on companies that can assist you with demonstrating that your personal data processing activities are GDPR compliant. For example, depending on your size, you may be required to maintain a record of your data processing activities, data flows and GDPR compliance and, depending on the risks raised by your activities, you may be required to carry out a mandatory data protection impact assessment (DPIA) and appoint a specially designated data protection officer (DPO). All these steps may help you demonstrate your compliance with the law in the event of an audit or an external request from a national data protection authority.
Remember that with the new GDPR regime, you will be held responsible for your actions from the moment you capture, collect and store personal data up until the moment you anonymise or delete such data securely and permanently.