Ten Years of the GDPR: Privacy, Protection and Security Technology

Enforceable as of May 2018, the GDPR was introduced in recognition of the fact that the world had changed profoundly and that existing data protection laws were no longer adequate in an increasingly digital and interconnected environment. It was designed to be forward-looking, providing a framework capable of governing innovation and emerging technologies.

However, the rapid growth of Artificial Intelligence (AI)-driven applications is prompting national data protection authorities to revise guidance for systems that process personal data.

Body-worn video 

Some of this innovation was already gaining momentum before the GDPR, most notably so body-worn video, which was being tested and deployed primarily by police forces. At the same time, more advanced projects – such as live streaming – were receiving funding, while organisations across the public and private sectors moved quickly to achieve compliance ahead of the regulation’s enforcement from 2018.

Today, body-worn video is widely used by police forces in the UK, France, Germany and Italy, with adoption continuing to grow elsewhere. Uptake in commercial environments is more uneven. Some Member States apply stricter rules than others, particularly so around whether and how the technology may be used and whether it infringes the rights of workers or members of the public.

These concerns are amplified in relation to live facial recognition. In the UK (no longer an EU Member State, of course, but still aligned with the GDPR), the Government is encouraging police use of the technology and concluded a consultation on a new legal framework in February this year. While reported deployments have been positive, the technology remains somewhat controversial and continues to attract opposition from civil liberties groups.

The picture is further complicated by the fact that many facial recognition systems rely on AI. As a result, they may breach the EU AI Act, which entered into force in 2024 and largely prohibits real-time biometric identification in public spaces.

Significant expansion 

Over the past decade, the use of video across Europe has expanded significantly, encompassing surveillance systems, body-worn video, smart phone footage and video doorbells. At the same time, major advances in technology now allow security professionals to manage larger and more complex video environments, while remaining compliant with the GDPR. Modern video management systems are a clear example.

Whether on-site or working from centralised locations, Security Control Room operators can now retrieve relevant footage quickly and efficiently. This capability is critical not only for operational needs, but also for responding to data subject access requests, which require organisations to provide personal data on request within reasonable time limits, or sharing footage with law enforcement during investigations.

Masking and blurring technologies have also improved significantly, reducing the time and effort required to redact footage before it’s shared, either digitally or physically. Due to the fact that the GDPR applies to both public and private sector organisations, redaction requirements also apply when footage is shared with the police.

Shifting to the cloud

The shift from on‑premises systems to cloud-based and hybrid video environments has introduced new challenges, particularly around data residency and the risk of EU citizens’ personal data being stored outside of the GDPR’s jurisdiction. However, the economic and operational benefits of these systems have driven greater transparency and the development of stronger controls, in turn enabling organisations to adopt them with greater confidence.

The GDPR replaced the EU’s 1995 Data Protection Directive. In the 21 years between the latter and the GDPR’s adoption, the world moved decisively from analogue to digital. Ten years on, the GDPR has proven to be resilient in delivering meaningful protections for EU citizens’ personal data. While there have been several high-profile fines related to surveillance use, some of them exceeding €10 million, the security industry has adapted effectively.

Challenges, debate and controversy will undoubtedly continue as AI creates new opportunities to enhance safety and security operations. Taken together, the GDPR and the EU AI Act provide a robust legal framework that allows security professionals to innovate, while in parallel maintaining strong safeguards for privacy and data protection. 

Andreas Beerbaum is Vice-President of Global Sales and Service for Physical Security at Octave (www.octave.com)