How to record, store and share videos in compliance with GDPR

Updated: 10 September, 2024

Navigating the complexities of GDPR compliance when recording videos is crucial yet manageable with the right approach. GDPR, or the General Data Protection Regulation, is designed to safeguard personal data and uphold privacy standards. This post will guide you through understanding GDPR, ensuring your video recordings meet these stringent requirements by following the regulation’s rules. From obtaining consent to secure data storage, every step will be covered. Additionally, discover how Videolab can assist in maintaining compliance, providing a seamless and secure platform for secure video recording, storage and sharing.

 

Key takeaways:

  • Video recording patients requires strict adherence to GDPR to protect patient privacy and data security.
  • Key GDPR principles include obtaining explicit consent, data minimization, and ensuring data integrity and confidentiality.
  • Videolab offers a GDPR-compliant platform for patient video recording, ensuring technical and organizational measures are in place.
  • Organizations using Videolab must follow a checklist to ensure GDPR compliance, including appointing a Data Protection Officer and conducting a Data Protection Impact Assessment.
  • Codific’s privacy by design architecture underpins Videolab, emphasizing the importance of secure software and privacy-focused solutions in healthcare settings.

 

What is the GDPR?

GDPR stands for the General Data Protection Regulation. It is a European Union (EU) law that regulates the handling of personal data of EU citizens. It gives individuals greater control over their personal data and sets strict rules for businesses on how to handle and protect personal data. GDPR aims to protect individuals’ privacy and data protection rights. To understand this further it is important to understand the key definitions and the data protection principles of the GDPR, also covered in this blog about GDPR compliance in software development.

 

What are key definitions to understand the GDPR?

The main legal terms specified in the GDPR are:

  • Personal data: Any information that relates to an individual who can be directly or indirectly identified. This can be for example names and email addresses or also ethnicity, gender, biometric data, etc. Pseudonymous data can also fall under this definition if it’s relatively easy to ID someone based on it.
  • Data processing: Any action performed on data, whether automated or manual.
  • Data subject: The person whose data is processed.
  • Data controller: The person who decides why and how personal data will be processed.
  • Data processor: A third party that processes personal data on behalf of a data controller.

 

What are the Data Protection Principles of the GDPR?

GDPR compliance means that one needs to follow the following data protection principles when processing data:

  1. Lawfulness, fairness and transparency: Processing must be lawful, fair and transparent to the data subject.
  2. Purpose limitation: Data processing must be done for the purpose specified explicitly to the data subject when the data was collected.
  3. Data minimization: You should only collect the strictly necessary data for the purpose specified.
  4. Accuracy: Personal data must be kept accurate and updated.
  5. Storage limitation: Personally identifying data should only be stored as long as necessary for the specified purpose.
  6. Integrity and confidentiality: Processing must be done in a way that ensures security, integrity and confidentiality.
  7. Accountability: The data controller is responsible for demonstrating GDPR compliance with all these principles.

 

What are the rules you need to follow to comply with GDPR?

GDPR compliance means that organizations handling the personal data of individuals in the EU and EEA must protect that data and respect the individual rights granted by the GDPR. This means that organizations need to comply with the principles stated above. For this, they must follow the following rules:

  1. Obtain explicit, freely given, and informed consent from individuals before collecting, using, or processing their personal data.
  2. Only collect personal data that is necessary for the specific purpose for which it is being processed.
  3. Protect personal data with appropriate technical and organizational measures.
  4. Allow individuals to access, rectify, erase, restrict, or object to the processing of their personal data.
  5. Allow individuals to withdraw their consent or exercise their right to data portability at any time.
  6. Report any data breaches to the relevant authorities within 72 hours.
  7. Appoint a data protection officer (DPO) if the organization is a public authority, engages in large-scale processing of special categories of data, or carries out large-scale monitoring of individuals.
  8. Keep detailed records of data processing activities.

Respecting the rules above is imperative when recording, storing and sharing videos. In the following section we will go over this in-depth, explaining how each rule applies to this context.

 

How does the GDPR apply to video content?

As mentioned, the rules imposed by the General Data Protection Regulation need to be followed carefully when recording, storing and sharing videos. Below an explanation of each.

 

Obtain explicit, freely given, and informed consent from data subjects before collecting, using, or processing their personal data

Consent to record, store or share a data subject’s video needs to be explicit, freely given and informed. What do the regulators behind the GDPR mean by this? This means that consent must be explicitly stated by the individual, given voluntarily without any coercion, and provided with full awareness of how their personal data will be used. Bear in mind that this consent doesn’t necessarily have to be in written form but can be given in video form, for example, at the beginning of the your video recording .

 

Collect only the personal data that is necessary for the specific purpose for which it is being processed

It is important to note that this rule only relates to personal data, which as previously explained is data that allows you to identify an individual. In the context of videos this can be for example recordings of someone’s face. These types of footage need to be handled with care, under GDPR you should not be keeping any footage with personal data that you do not need.

 

Protect personal data with appropriate technical and organizational measure

“Appropriate technical measures” refers to using a system that follows the principles stated in Article 32 of the GDPR. To fulfil this rule, record using a secure software like the Videolab Recorder. Moreover, use a system like Videolab to store the videos, ensuring you are using the proper technical measures.

Organizational measures means to inform the individuals within your organization about the GDPR. This could be in the form of training of its principles and how to apply them.  With this, you are facilitating compliance and training your staff to follow the best practices when it comes to data privacy and security.

 

Allow individuals to access, rectify, erase, restrict, or object to the processing of their personal data

This means, data subjects can access, restrict use of the video, trim the video and modify the connected information.

 

Allow individuals to withdraw their consent or exercise their right to data portability at any time

In our example, you should delete the recordings or stop using them for their purpose if the data subjects ask you to. The recordings need to then be deleted for everyone that had received access. Moreover, in this case, data portability means that data subjects have the right to obtain and reuse the recording for their own purposes.

 

Report any data breaches to the relevant authorities within 72 hours

This means that you have 72 hours to inform individuals and the authorities about a data breach. This is especially the case if you know that the data breach involved the data subject’s recording.

 

Appoint a data protection officer (DPO) if the organization is a public authority, engages in large-scale processing of special categories of data, or carries out large-scale monitoring of individuals

If your organization falls under the qualifications above then you need to appoint someone as the person responsible for GDPR compliance.

 

Keep detailed records of data processing activities

In this case this means to have detailed information of the uses of the video recording.

 

Hopefully this illustrates well how the GDPR principles apply to video recording, storage and sharing. Nevertheless, consulting on how the legislation applies to your particular setting might be a good idea.

Moreover, when you record videos with personal data compliance requires you store these videos in a secure and privacy aware system. It might also be of great use for you if this system provides a secure way to share the video with other members of your organization. Let me introduce you to Videolab.

 

Videolab –  a GDPR compliant platform for your video recordings

Videolab is a GDPR compliant video sharing platform, following technical standards. We will explain further why this is the case in the subsequent section. The system was built to facilitate GDPR compliance, specifically for the use case of patient video recording. The Videolab Recorder app enable safe recording and the Videolab system allows a safe storage and sharing of said recordings.

Nevertheless, the use of the platform may not automatically be GDPR compliant. To comply with GDPR, your organization needs to fulfill all the principles prompted above, using Videolab accordingly. Thus, using Videolab does not guarantee GDPR compliance but rather facilitates it.

Let us go over the GDPR compliance checklist for Videolab. In this section we will explain how Videolab follows the technical standards required for GDPR compliance and how your organization should use it to ensure compliance.

video recording patients with Videolab

 

 

Videolab GDPR compliance checklist

 

Controller and processor

The institution that deploys Videolab has the role of data controller and Codific has the role of data processor.

 

Lawfulness, fairness and transparency

To ensure lawfulness, fairness and transparency in the use of recordings, we have implemented the appropriate security measures you can see here.

Nevertheless, the data subject must give consent (can be in video form) to the data controller before they process the recording. The patient needs to give consent before and after the recording has started.

Finally, Videolab only processes video/audio recordings that contain identifiable information on the patient, so it does not process personal identifiers in metadata.

 

Purpose limitation

The controller defines the purposes for which they want to video record patients. To ensure GDPR compliance, the data controller must only process recordings for the specific purpose they stated. These are stated in the Data Processing Impact Assessment (DPIA) and in Data Processing Agreement (between the data controller and the data processor) .

 

Data minimisation

Audio/video recordings solely contain personal data. Thus, data minimization occurs by definition. To ensure compliance, controllers must only record data subjects when needed, and not write personal identifiers in the meta data.

 

Storage limitation and data hosting

The Data Processing Officer defines a fixed period of time after which the data is automatically destroyed. Moreover, there is a single encrypted backup of the video recordings which is also destroyed.

All the data is stored and encrypted within the EU. As the processor, Codific uses state-of-the art encryption and an advanced encryption key management system. A master-key access to the system follows a “two-man rule”, so rare glass-break procedures are possible.

 

Integrity and confidentiality (Security)

Guaranteeing data integrity and confidentiality on a technical level is Codific’s job, as privacy by design experts it is our bread and butter. The only thing you need to worry about is having good password hygiene, enforce multi-factor authentication in your organization and never share accounts.

 

Data subject rights

Legally the data subject always remains the owner of his data, but in Videolab we treat the user who made the recording as the owner. This means he has a responsibility in managing the rights of the data subject. For example, he must ensure that there is adequate informed consent and must delete the video upon request.

 

Contracts

There always is a data processing agreement that specifies all the relevant details. We have this template ready to go.

 

Privacy by design and by default

Privacy by design architecture is the core expertise of Codific, you can read more about how we do this here, here and here. Following this design architecture is imperative to follow Article 25 of the GDPR.

 

Data protection impact assessment

The organization, typically the Data Protection Officer and his team, must conduct a Data Protection Impact Assessment analysis. Codific will provide all the technical information that goes into this analysis.

 

Data protection officer

Codific collaborates closely with the data protection officer (DPO) appointed by the controller.

 

Certification

Codific is ISO27001 certified. But we put the bar much higher for ourselves using OWASP SAMM.

Codific ISO certificate

 

With the checklist above you can see how Videolab operates as a GDPR compliant video sharing platform. Nevertheless, it is important that your organization follows the correct measures when using this application to ensure GDPR compliance.

Appart from GDPR European companies now also have to comply with CRA, find out more about CRA compliance on our Codific blog. 

What else do we build with GDPR in mind?

Codific is a team of security software engineers that leverage privacy by design principles to build secure cloud solutions. We build applications in different verticals such as HR-tech, Ed-Tech and Med-Tech. Secure collaboration and secure sharing are at the core of our solutions.

Attendance Radar is a mobile application and web portal that provides the easiest, fastest and most reliable way to track student attendance. Used by universities across the world, Attendance Radar provides a powerful tool to track and manage all your student attendance.

SARA is used by top HR-Consultants to deliver team assessments, psychometric tests, 360 degree feedback, cultural analysis and other analytical HR tools.

SAMMY Is a Software Assurance Maturity Model management tool. It enables companies to formulate and implement a security assurance program tuned to the risks they are facing. That way other companies can help us build a simple and safe digital future. Obviously our AppSec program and SAMMY itself is built on top of it.

We believe in collaboration and open innovation, we would love to hear about your projects and see how we can contribute in developing secure software and privacy by design architecture. Contact us.

Author