The General Data Protection Regulation, or GDPR, changed the game for many industries — including the drone industry — when it was rolled out in the EU.
It affects the way that pilots are able to capture data with their UAVs, in addition to regular drone laws in the UK and the rest of Europe.
What is GDPR?
The GDPR is the General Data Protection Regulation, a piece of European Parliament legislation that came into force in spring 2018. It replaced the older, by then outdated, Data Protection Directive 95/46/EC.
The GDPR serves as the foremost legislation regulating how businesses and organizations handle and protect the personal data of EU citizens. It also gives EU citizens more control over their personal data.
Businesses and organizations that fail to comply with these regulations stand the risk of very stiff fines and penalties.
Now, the GDPR is made up of 11 chapters and 91 articles, but here are some key data and privacy requirements that are included in the law:
- Demanding the consent of subjects before data processing
- Anonymizing data collected to protect the privacy of subjects
- Providing notification of data breaches
- Carefully carrying out the transfer of data across national boundaries
- Requiring certain businesses and organizations to create a role solely dedicated to overseeing GDPR compliance
Ultimately, GDPR is a set of rules that establishes minimum privacy expectations for anyone who deals with EU citizens. In this way, the EU hopes to better safeguard the personal data of those under its jurisdiction.
Who Does GDPR Apply To?
GDPR imposes a uniform data protection law on all member states of the EU, so that each member does not have to go to the trouble of producing and enforcing its own data and privacy protection laws.
Not only does this ensure consistency, it also bolsters the law's authority and eases implementation and follow-up.
In addition to EU members, the GDPR is binding on all those who do business with EU citizens.
If your goods or services reach citizens of the EU, then regardless of your location, the business is subject to the requirements and demands of the privacy regulation.
Websites that do not comply with these rules will not even be allowed to be accessible from EU states. Prominent websites that came under the hammer in this way after the law came into force include The LA Times and The Chicago Tribune.
Thus, you can say the reach of this data protection law goes worldwide.
By complying with GDPR requirements and improving data protection and trust, organizations and businesses will avoid having to pay steep penalties and fines.
What Does GDPR Have to Do with Operating Your Drone?
It is easy to see how the implementation of GDPR could cause panic and head scratching among business owners and organizational heads.
And you would be forgiven for thinking that it is mainly permission-based marketing practices and systems that need to worry about complying with the complex new set of rules.
But what about drone pilots and enthusiasts?
The GDPR rules go much deeper than you realize, and essentially involve all forms of personal data — including those you intentionally or unintentionally collect with your drone.
Breaching this comprehensive set of rules as a drone operator could result in fines of up to 20 million euros or 4% of your business’s turnover.
You want to be very aware of where the lines are concerning your drone and privacy in the EU.
What Constitutes Personally Identifiable Data?
A recording or whatever information you obtain with your drone is considered to contain personal data if any of the following holds true:
An Individual’s Face Can Be Clearly Seen
Details that can specifically be used to identify a person are of particular concern. So faces that appear in clear resolution in the footage gathered by your drone are considered personal data. However, people in the distance who appear in shots, or whose faces appear blurred and cannot be identified, do not count as personally identifiable information.
Contains Anything that Makes an Individual Identifiable
This covers sensitive information like visible car number plates, visible address numbers, unusual clothing or uniforms, and so on.
Contains Details of a Person’s Bodily Characteristics or Features
This covers information which can be traced back to an individual, stuff like unusually colored hair and body tattoos.
Contains Details of an Individual’s Professional or Private Life
This includes information that can be used by others to pinpoint an individual’s home or place of work.
Contains Information Which Can Be Used to Evaluate an Individual
This covers information that is collected for the purpose of security or for purposes of monitoring.
Contains Footage that Targets an Individual
When footage follows or tracks an individual for a lengthy period of time, it increases the probability that they can be identified.
As a drone user, it is important that you internalize these definitions so that you don’t run afoul of the law while operating your drone.
5 Ways In Which GDPR Affects Drone Operations
Because GDPR is so far reaching and comprehensive, there are a few ways in which it changes the way drone pilots and operators fly their drones and interact with bystanders.
Wider Meaning of Personal Data
Rest assured that the GDPR will apply whenever you access personal data with your drone. And the definition of personal data in this case will cover anything that relates to an identifiable or identified individual.
This includes images, videos, sounds, biometric data (facial recognition markers, for instance), traffic data, location markers, telecommunication data, or any combination of data already mentioned.
In short, if it makes it possible to identify the individual concerned then consider it as personal data under the protection of the GDPR.
As a drone operator, you can probably think of several ways in which you can gather and compile information that can be considered sensitive.
To keep safe, treat any recording you capture as personal data. Anonymize such data by implementing techniques such as blurring people, their faces, clothing, and other identifiable information.
Same Rules, New Penalties
The right to privacy is a fundamental right, and privacy concerns have always been a hot button issue whenever drones are concerned. Drone pilots should act like they are aware of this, and avoid needless risks and agitation.
This is even more important to consider with the new, very steep sanctions put in place by the EU legislation.
The stakes are now higher; those who don’t comply run the risk of facing monetary sanctions of up to 20 million euros or 4% of annual worldwide turnover.
There are some steps you can take to mitigate risks, such as:
- Limit the amount of data you collect and store as much as you can
- Restrict yourself to using the data collected only for the purpose for which it was collected
- Securely and permanently delete any unnecessary data
- Ensure top security to protect data assets and infrastructure
Data Protection By Default and By Design
The GDPR lays out the principle of data protection by default and by design.
What this principle emphasizes for those in the drone industry is that UAV manufacturers, pilots, and operators ought to consider how to incorporate principles of data protection into the functioning of their business and their products if they involve the processing of personal data through operational or technical means.
For instance, if you were a drone operator or pilot, you could minimize the collection of unnecessary data. You could also take great care in choosing the right drone for the right task, taking data and privacy protection issues into consideration when planning your flight path and post-handling procedures.
You should also ensure you always have the express permission of anyone that you may be filming or taking photos of.
Rights of the Individual
The GDPR affords individuals a set of rights which they can exercise whenever their personal data is concerned.
Most of these laws will not be new to anybody who has been operating drones for an appreciable amount of time. But they are enforced even more strictly than before.
Before you go out to fly your drone, make sure you refresh your memory on what these rules are, and also ensure there are efficient procedures for seeing them through.
You should also make sure to remind people of these rights, some of which are:
- The Right to Withdraw Consent. People have every right to agree to their data being recorded, and they also have the right to later on change their minds.
- The Right of Access. If people inquire about the data you are collecting, they have a right to know if you are processing any data related to them, where, and for what purpose. They also have a right to receive a copy of said data.
- The Right to Be Forgotten. People have the right to ask that their personal data be deleted, for example if your operations are not complying with the provisions of GDPR, if people never consented to having their data captured, or if they did but later on had a change of heart and you have no other basis to keep that data.
Under the new privacy regulations, you — the drone operator — are now accountable for the drone activities involving personal data.
It is up to you to ensure that you are compliant with the demands of GDPR and to demonstrate this compliance to all who are concerned and may enquire.
The GDPR also puts in place some administrative requirements on businesses and organizations which can help you better understand what demonstrating GDPR compliance means.
For example, depending on how large your business is, you could be required to keep a record of your data processing operations, data flows, GDPR compliance guarantees, and, depending on the risks involved with your activities, you might be required to carry out a mandatory data protection impact assessment (DPIA).
A data protection impact assessment could mean having to hire a designated data protection officer.
Steps like these can help you assure concerned parties about your compliance with GDPR in a scenario where an audit is carried out or an external request is made from a national data protection authority.
Also worth noting is the fact that you will be held liable under the new GDPR regime from the moment you capture, collect and keep personal data until you anonymize it or destroy it securely and permanently.
Guidelines to Help Drone Operators Comply With GDPR
Here are a few guidelines you can adhere to in order to comply with GDPR.
Draft a Public Privacy Statement
This is a sure way to supercharge your efforts to duly inform bystanders of how their data will be handled should your drone collect it. A proper public privacy statement should document the way you gather, use, disclose, and of course manage any personally identifiable data your drone collects.
This document should be available on your website for members of the public to view and learn from.
Inform the Public Concerned
Should you realize at any time while using your drone that you have gathered personally identifiable data about an individual, do not hesitate to inform them about it.
This is important.
You should also inform and educate them about their rights to have the data removed and also refer them to your public privacy statement for any clarification they might need about your data collection and handling policies.
Assess Your Operational Risk
While planning your drone flight, make sure to assess any situation which may lead to the risk of gathering too much personally identifiable data. You want to limit such instances as much as possible.
Assess your chosen flight path and see if there are any cars, houses, people, or other features that will need to be anonymized due to their sensitivity.
If you realize that there is a high risk of too many people on the ground being affected, you may want to carry out a Data Protection Impact Assessment (DPIA).
Make anonymizing data a critical part of your drone operations. As part of your operational procedure, blur out any data that was mistakenly collected in order to stay in compliance with the demands of the GDPR. This includes number plates, house numbers, faces, and anything else.
Limit the Storage of Personally Identifiable Data
Clearly state the purposes for which you are collecting any personal data, and store said data for the minimum amount of time required.
Make it a part of your operations to carry out data purges just to make sure no stray data is hanging around and making you liable to come under the hammer.
Make Sure All Personal Data is Adequately Protected
Access to any personally identifiable information should be strictly monitored and controlled, with appropriate security measures taken.
Data must never be shared with third parties without the express consent of the individual concerned.
In the case where you have to share data that contains personal information, ensure that you anonymize every sensitive piece of info beforehand.
Make sure you document every stage of the drone operation from the planning stage to post-flight and data handling. This ensures that you will be able to demonstrate to interested parties how compliant you are with GDPR requirements.
This would also help you should anyone file a complaint about your drone flying operations.
It may seem like a lot of work to comply with the requirements of GDPR, but remember that these regulations are in place to protect the public from unscrupulous individuals.
And sometimes, you never know when you might be the one grateful for having your privacy protected by the law.
A lot of these procedures will become second nature to you with practice, anyway. Just follow the steps and guidelines outlined and you should have nothing to worry about as far as GDPR regulations are concerned.