C2RO BLOG | A Global Health Crisis Does Not Justify the Violation of Data Privacy Laws
The demand for an effective, large-scale screening solution to flag at-risk individuals, ensure safety measures, and prevent the possibility of a second wave of COVID-19 has led to a rapid response from technology providers to develop fever detection or individual tracking solutions. The introduction of such solutions has brought widespread distrust among the public, as regulators bring into question the accuracy of these technologies and their compliance with data privacy laws. When incorporating any video analytics solution, whether visual or thermal, in public and private facilities, two levels of data privacy compliance are required, known as system compliance and application compliance, to ensure that all regulations and best practices are met even during a global health crisis.
For a technology to be in full compliance with data privacy laws, and in turn receive an official compliance certification by a recognized institution, a well-established roadmap must be in place to ensure alignment across the entire organization on technology and business objectives that need to be achieved. This roadmap can be broken down into three critical steps:
1. Embed “Privacy by Design” from the start: Understand what aspects of your solution’s architecture and technology are at risk of violating individuals’ privacy rights. Appoint a Data Protection Officer (DPO) to help align and supervise your technology development and operations decisions with data privacy standards and best practices.
2. Audit of the technology and organization via a Privacy Impact Assessment (PIA) questionnaire: Answer critical questions related to the company’s organizational (e.g., business processes), technical (e.g., solution’s technology and architecture) and physical safety measures (e.g., solution deployment procedures) via a PIA questionnaire. Has it been thoroughly audited, revised, and approved through close collaboration among your CEO, CTO, and DPO, to ensure compliance with data privacy laws prior to any customer deployment and use of your solution?
3. PIA submission for GDPR certification: Using the approved PIA questionnaire, develop a PIA and analyze the risk level of your technology. Upon receiving approval of your PIA by the DPO with a reasonably low data privacy risk, submit it to a recognized institution, such as CNIL, the official data protection authority in France, for the EU’s GDPR certification, to receive an official certification recognizing your compliance with data privacy laws.
To achieve application compliance, the technology provider’s DPO must have a PIA report available for the customer’s legal team or DPO to review. Moreover, a data protection agreement should be developed between both parties, to cover any critical processes required to ensure that the deployment and the use of the solution in their physical facility comply with the data privacy laws of the region of deployment.
Concerning COVID-19, application compliance is especially critical when deploying a thermal screening solution as an individual’s body temperature is categorized as sensitive personalized information. Stringent guidelines on who has access to individuals’ personalized data, whether the system can keep a record of this data, and the procedures in place for when an at-risk individual is detected, should be defined prior to the deployment and shared with the entire organization including the HR department to ensure alignment and compliance.
C2RO PERCEIVE™: Ensuring Safety of Workplaces while Respecting Data Privacy
Since starting its GDPR compliance process in early 2019, C2RO has deployed its AI video analytics solution, C2RO PERCEIVE™, at various tier-1 customer and partner sites in Europe. The company’s organizational, technical and physical safety measures were thoroughly audited, revised, and approved by its Data Protection Officer (DPO), Dr. Gerard Haas, ensuring compliance with data privacy laws before the deployment and use of its product at each customer site. The company recently achieved a critical milestone in its GDPR compliance process, which will be announced soon. C2RO’s recent milestone will set a new standard for the market on what it means to be compliant with data privacy laws, while having innovative and high-quality services, as a technology provider.
Using the same trusted and reliable privacy-aware AI video analytics solution favored by Tier 1 enterprise customers in commercial real estate, smart city and transportation, and public safety industries, C2RO has built a long-term solution that answers both current and future requirements for automatic and passive safety screening. C2RO PERCEIVE™ with added allows for large-scale analysis of crowd density, levels of proximity, and body temperature in large, indoor public and private spaces.
The solution currently has two modes of application. The first is for enterprise use, to screen employees entering their facility, with live status updates of the workplace’s risk, density, and proximity indexes as depicted in the picture, using existing surveillance cameras along with an added thermal camera at the entrance. The second is for large-scale private or public facility monitoring, allowing key government and health authorities to monitor public behavior and key risk indicators as a preventive tool, identify any abnormal data patterns, and proactively implement critical safety measures.