Drones: One Year on from the Introduction of GDPR

It seems fitting to review the implications of GDPR one year on from the date it came into force. GDPR – General Data Protection Regulation – made firms of all shapes and sizes think about the data they use, and rightly so.

 

So much of what we do now is online, whether in terms of our interactions on social media or creating an account to do our online food shopping, that it was only a matter of time before a piece of legislation was created to protect our data selves.

 

In the 9 months following the introduction of GDPR, over 206,000 cases of GDPR breach have been filed across the 31 EU nations, with fines of €56 million, most of that being Google’s €50 million fine in France. Stephen Eckersley from the UK Information Commissioner’s Office expects the number of data breaches in the UK to double from 18,000 breaches last year to 36,000. Many of these have been self-reported breaches on a ‘just in case’ basis.

 

Mr Eckersley has also reported that the UK ICO was working with the data protection agencies in the Netherlands and Norway to establish a “matrix” for calculating fines. This won’t be public-facing, he said, but will instead be a “toolkit” for watchdogs.

 

How do drones fit into GDPR then?

If a drone has a camera, it can potentially collect personal information, which could be used to identify an individual. The personal information involved is any detail that can be used to identify a specific individual, such as face, body features (e.g. tattoos or hair), location, profession or vehicle. Blurry people in the background of a photograph don’t count.

 

For Recreational Drone Operators:

If you are seen to be following the Code, people are more likely to respect you for flying safely.

If you know what your camera is capable of, you will be able to handle its results more appropriately. Knowing the capabilities of your camera will also help you to reduce the risk of privacy intrusion.

Think about where you’re taking off from, flying, and landing. Batteries for drones don’t last long, so if you understand these parameters, you can also plan to minimise any potential privacy invasion. Planning also includes considering your surroundings and being considerate. Your flight may be fun for you, but be respectful and do not intrude on other people’s property and lives.

Once you’ve decided what to save, do so carefully and securely. If you are going to share your footage on social media, be considerate. Remember, images can have harmful and unintended consequences. Use your common sense.

 

For Professional Drone Operators:

You will need to do more than the above, although it’s a good starting point.

Your Public Privacy Policy should document the way you gather, use, disclose and manage personally identifiable information. The document should be available on your website for anyone to view.

If you do gather personally identifiable data, attempt to contact and inform the person. Refer them to your Public Privacy Policy so they know what rights they have to remove data.

You will need to decide early on whether you need to carry out a Data Protection Impact Assessment (DPIA). This will depend on the amount of personally identifiable data that may potentially be captured at the site and whether it can be anonymised sufficiently.

Your operational procedures should include the anonymising of any personally identifiable data to ensure GDPR compliance, e.g. faces, house numbers, street names and car number plates can be pixelated or blurred.

The public has a right to access its data, receive a copy and request changes or deletions at any time. Your Public Privacy Policy will need to accommodate any such requests.

You will need to record why you have collected any personal information. Only store such data for the minimum amount of time. To help, schedule regular data purges.

Store such data securely and do not share it with third parties without the explicit permission of the individuals involved. Any data shared should be anonymised.

You will need to record every step of the process, including the flight, as part of your operational procedures. That way, should you ever receive a complaint, you will be able to prove your case and your compliance with both the CAA and GDPR. It may be that, with the level of work you do, you need to consider appointing someone internally as Data Protection Officer.

If there are breaches in your security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, you will need to assess the risk to people and potentially self-refer to the ICO (Information Commissioner’s Office).

 

Useful Links:

Data Protection Impact Assessment

Drone Code

HMRC Guide to GDPR

Information Commissioner’s Office