The introduction of GDPR is causing business owners across Europe headaches at the moment. As a business owner, you would be forgiven for thinking that GDPR is focused on permission-based marketing and the systems companies need to adopt to ensure customers can opt in and opt out of receiving promotional material, and that GDPR is therefore of little interest to drone operators.
But GDPR legislation goes much deeper than that. Essentially, GDPR is a set of rules which are designed to give EU citizens more control over their personal data. The aim of the legislation is to simplify the regulatory environment so that both citizens and companies within the EU can reap the rewards of the digital economy.
The rules are quite comprehensive and breaching them could be a costly exercise, with fines up to 20 million euros or 4% of turnover being imposed. With that in mind, we thought it would be a good idea to cover how the legislation affects commercial drone operations in the UK.
How are drone operations affected?
If you are using a drone in a public space, you are potentially collecting personal information which could be used to identify an individual. In such cases, you come under the jurisdiction of GDPR and you should, at the very least, be aware of what the rules are and have systems in place to ensure compliance.
What constitutes personally identifiable information?
An individual’s face is clearly visible – The rules focus on details that can be specifically used to identify an individual. People in the distance of shots or whose faces have been blurred cannot be identified, therefore this does not count as personally identifiable information.
Anything that allows an individual to be identified by other means – This includes visible address numbers, car number plates, unusual clothing, etc.
Details of an individual’s bodily characteristics – Tattoos and unusually coloured hair can all be used to identify a person.
Details of an individual’s private or professional life – This includes anything that can be used to identify a person’s profession or place of work.
Any data collected which can be used to evaluate a person – This includes data collected for security or monitoring purposes.
Any footage that targets an individual – If a person is tracked for a prolonged period of time, this increases the likelihood that they can be identified.
Develop a set of GDPR guidelines
While not all drone activity will come under GDPR, you can see from the list above that a large proportion of it will. It is therefore important that you create a set of guidelines to ensure that all your drone activities are in compliance with the regulations.
To help you develop your own guidelines, we have compiled a list of eight principles operators should abide by to ensure transparency of your data collection and management policies.
1. Draft a public privacy statement
This should document the way you gather, use, disclose and manage personally identifiable information. The document should be available on your website for members of the public to view.
2. Inform the public
Whenever you capture personally identifiable information about a person, you should endeavour to inform them about it. Let them know they have the right to remove data and refer them to your public privacy statement for clarification of your data collection policies.
During the planning stage of the drone flight, you should look to minimise the amount of personally identifiable data collected. Assess the layout of the site to identify any houses, cars or people which may need to be anonymised. If the site poses a high risk of people on the ground being identified, consider carrying out a Data Protection Impact Assessment (DPIA).
As part of your operational procedures, any identifiable data which is inadvertently collected, such as car number plates, house numbers and faces, should all be anonymised (blurred) to ensure compliance with GDPR.
5. Ensure data is publicly accessible
GDPR regulations also state that any personal data which a company holds must be publicly accessible. The public has a right to access their data, receive a copy and request changes at any time. You should facilitate this possibility and document your procedures for such requests in your public privacy statement.
6. Limit the storage of personal data
The purpose for which you have collected any personal information should be stated and you should only store such information for the minimum period required. Regular data purges should also be scheduled to ensure no data is left hanging around.
7. Ensure all personal data is secure
Access to any personal information you hold should be strictly controlled with appropriate security measures. Data must also never be shared with third parties without the explicit permission of the individual concerned. Any data you do share that contains personally identifiable information should be anonymised beforehand.
Document every stage of the planning process and the flight itself as part of your operational procedures. This ensures you can demonstrate that you have carried out your business to comply with both CAA and GDPR regulations. This will also help to prove your case should a complaint arise out of your drone flying activities.
The above guidelines will help keep your drone services business on the right side of the law. While it may seem like a lot of work to comply with GDPR regulations, it should be pointed out that GDPR is there to protect members of the public from malicious activities, not just from drones, but from everyone.
By following the right procedures you are proving to customers and members of the public that you are a responsible, professional company. Publishing these guidelines on your website will also give potential customers the confidence they are dealing with a professional operator. This should enable you to win more lucrative contracts with larger companies in the future.
If you would like more information about complying with GDPR or how Coptrz can help you create a set of operations procedures for your business, contact us here or give us a call on 0330 111 7177.