GDPR legislation contains strict data protection rules. If you use drones for work in the EU, below we have some considerations to help you comply with this law.
Because the fact is: the use of drones for commercial purposes has increased exponentially in recent years. Inspection – both internal and external – are one of the applications that have grown the fastest. But the use of drones has also increased in several other industries such as surveillance, agriculture, delivery and more.
With this, however, privacy concerns have arisen. And as in any business, it is important to be aware of privacy laws, even when using drones for your professional purposes. It is therefore important to understand how GDPR affects your business and how to ensure compliance.
Key GDPR principles to follow when using drones
To ensure compliance with GDPR legislation, there are no less than four principles to keep in mind when deploying drones for your business.
1. Understand personal data and data rights
In GDPR terms, private or personal data refers to information about an identifiable individual. This can include photos, videos and audio that allow you to identify data subjects captured by your drone.
Here, it is important to know what rights individuals have over this data. For example, they have the right to access photos and videos of them captured by any organization. And they can request that all personal data held by you as a company be deleted.
2. Minimize data collection and storage
Do you want to comply with this legislation as much as possible? Then you should minimize or even anonymize data collection and storage.
Ideally, companies should only collect private data when necessary for business operations. But if you are running a drone operation, it is rather difficult to get passers-by to consent to the collection and use of their data. Still, the Federal Aviation Administration has some flight rules that can help you minimize data collection.
- Avoid flying over groups of people.
- Blur license plates and faces.
- In general, try to avoid collecting identifying information as much as possible.
3. Implement data protection processes
Photos, videos, and audio containing identifying information should be stored securely and made inaccessible to unauthorized persons or third parties. The main ways you can do this include data encryption, using strong passwords and/or two-factor authentication. Don’t forget a solid backup plan here!
4. Have an official privacy policy
Having an official privacy policy in which you document all these processes is another crucial element in GDPR compliance. Publish it on your website and other relevant locations. It can protect your business should a dispute over personal data arise.
In that policy, state what type of data your drones capture and how it is used, stored, and shared. Also describe what rights data subjects have and how they can contact you if they have questions or concerns about their private data.
Is GDPR compliance just about complying with the law?
Not at all! GDPR compliance can benefit your business in several ways. There are no less than three benefits that GDPR compliance can bring you.
1. Increased customer trust
By complying with this legislation, you prove to your customers that your company can safely store and protect their private data. The legislation requires companies to appoint a data protection officer to oversee data protection processes and conduct regular audits of processing activities.
2. Reduce maintenance costs
By pursuing GDPR compliance, you can reduce your operating costs in many ways. First, you will consolidate your data storage. This means that your data inventory will be continuously updated. Thus, you will have to spend less money on maintaining it, both in terms of infrastructure, maintenance, and labor hours.
However, GDPR also allows you to engage only with interested customers. Thanks to the mandatory opt-in policy, whereby data subjects give permission to provide their personal data, you only communicate with relevant leads who have explicitly asked to engage with your company.
3. Alignment with evolving technology
Another aspect of GDPR compliance is the requirement for organizations to improve their network and application security.
By using the latest technologies, such as IoT, cloud computing and virtualization, your company can manage growing amounts of data even better and consequently offer customers an even better service. It will also help you stay vigilant to potential data breaches, which are becoming more frequent and sophisticated. This is because these tools track log data and data transferred outside your network. They also monitor the integrity of your endpoint devices, applications, and the entire network, including the cloud, and send alerts when they detect an anomaly.
How to maintain GDPR compliance in the oil and gas industry – and beyond
The General Data Protection Regulation (GDPR) came into force on 25 May 2018, replacing the previous Data Protection Act of 1998 in response to an increase in the number of global data breaches and the advent of everyday use of the internet.
Following its adoption, all organization storing, transferring, and processing personal data of EU residents had to comply with the new, stricter data protection regulations.
But becoming GDPR-compliant is no easy task. GDPR is one of the strictest privacy laws in the world, and to be compliant, companies need to go deep into their processing activities, third-party communications, customer access and personal data protection. And the process does not stop once you are compliant. Therefore, some interesting tips.
1. Perform continuous audits
You need to conduct ongoing audits of your data processing activities to maintain GDPR compliance.
A crucial aspect of conducting regular audits is conducting a data protection impact assessment. These assessments can help organizations determine how designated employees handle and process sensitive information, such as data on customer behavior, location, health and even religion.
2. Appoint a data protection officer
Article 37 of the GDPR requires companies and organizations to appoint a data protection officer (DPO) to oversee their entire data protection strategy. This is especially the case if you process data on the authority of the government, collect it through systematic surveillance and process it on a large scale. Unfortunately, the GDPR does not give an exact definition of ‘large-scale’ data. Want to play it safe? Then appointing a DPO is a must. That person will:
- Continuously advise controllers and processes on GDPR compliance practices and data regulation updates.
- Oversee data processing to ensure GDPR compliance.
- Ensure accurate data shielding impact assessments.
- Handle data processing queries.
- Act as an intermediary between GDPR regulators and the company.
- Evaluate all potential risks associated with various data processing activities.
3. Provide comprehensive and ongoing staff training
Ongoing staff training is another way you can maintain GDPR compliance.
Unfortunately, 88% of data breaches – a huge majority – are the result of employee mistakes, intentional or otherwise. Therefore, you need to keep your employees up to date with data security best practices by:
- Briefing employees on key data privacy and GDPR concepts and their importance.
- Explaining how daily tasks can lead to data breaches.
- Ensuring that employees do not use personal devices for work-related activities.
- Conduct data privacy and security training on new employees (and consider refresher training for existing employees).
4. Report data breaches immediately
Immediate reporting of data breaches is mandatory under GDPR. Article 33 requires data controllers and processors to report data breach incidents within 72 hours. Data breach reporting must be done hierarchically as follows:
- Processors must report data breaches to data controllers.
- Controllers report it to a supervisory authority or data protection association. They are responsible for enforcement and monitoring. They are also the first point of contact for GDPR questions in an organization. Are they located in an EU state? If so, they can impose fines on data controllers and processors for non-compliance with the law.
5. Check the age of users consenting to personal data processing
GDPR allows organizations to collect and process data for individuals over the age of 16. To legally collect personal data from young people, you must seek consent from the child’s parents, guardian or persons charged with parental responsibility. If EU citizens under 16 will interact with your site, you should include an age verification option to verify their age before collecting personal data.
6. Regularly assess third-party risks
Under GDPR, you are responsible for how third-party companies collect, store, and share personal data for your company. As such, you should ensure that third-party companies maintain GDPR compliance in all their data collection practices. If necessary, you should update contracts to provide compliance measures.
7. Update your privacy policy
The GDPR requires organizations to have a detailed and easily accessible privacy policy on their website. Similarly, you should notify your customers via email whenever an update is made. Ideally, the privacy policy should describe how private data is collected, stored, and used. You should seek legal advice when drafting a privacy policy.