GDPR compliance and Milestone XProtect VMS

On May 25th, 2018, the European General Data Protection Regulation (GDPR) came into effect. The objective of this regulation is to give individuals more control over how their personal data is collected, processed, and shared.

GDPR provides a structure for businesses that clarifies their roles and responsibilities and gives individuals the opportunity to control how their personal data is used.

This document gives you an overview of the requirements, and how you can work with GDPR compliance when using the XProtect video management system (VMS).

See Appendix: The Milestone XProtect VMS system and GDPR for specific information on how a Milestone XProtect VMS system can best be made compliant with GDPR.

Disclaimer: The information in this document and any recommendations are provided as-is. Following this document does not implicitly mean that your system will be GDPR compliant.

The Milestone XProtect VMS requires configuration. Any configuration or modification of settings must comply with EU data protection law. While the Appendix: The Milestone XProtect VMS system and GDPR and Additional safeguards provide information on how to start a compliant setup, you must adhere to EU data protection laws when further configuring the system.

What is GDPR?

The General Data Protection Regulation (GDPR) is a set of rules that govern all forms of personal data that are held by an organization. GDPR gives every individual ownership of their personal data, and, on the organization’s side, introduces accountability at all stages of data processing and storage. GDPR achieves this by providing a number of rights to individuals and putting corresponding obligations on the organizations that process personal data.

GDPR harmonizes data privacy laws across the EU, and it complements existing national CCTV and video surveillance regulations.

Although GDPR is an EU regulation, it affects many other parts of the world:

  • It applies to the processing of personal data by a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not.
  • It applies to the processing of personal data by a controller or processor not established in the European Union, where the processing activities are related to the offering of goods or services to data subjects in the European Union, or to the monitoring of their behavior as far as that behavior takes place within the European Union.
Furthermore, many other parts of the world are applying similar privacy protection regulations, based on the core principles of GDPR.

GDPR is enforced through domestic authorities.

There are hefty fines in case of violation:

  • Up to 4% of the company's worldwide annual revenue
  • Up to €20 million per incident

Who is responsible for making sure a running XProtect Video Management System complies with GDPR?

The VMS owner is responsible for complying with GDPR, including:

  • Actual installations and the applied usage
  • Organizational processes and maturity
  • Data breach notification and reporting to authorities

GDPR does not apply to any specific products, but the combination of the product, the data it processes, and the usage of the product and data all affect GDPR compliance.

GDPR has direct implications for installers, system integrators, and users of video surveillance technology.

The VMS owner is the data controller (see Data controller).

The data controller might outsource parts or the entire VMS operations to a data processor, for example a security company. If this is the case, the data controller and the data processor must have a Data Processor Agreement in place. The Data Processor Agreement states what data is processed, how it is protected, and how long the data is kept (see Data processor and Appendix: Data Processor Agreement).

Are all video surveillance installations required to comply with GDPR?

GDPR applies to controllers and processors within the European Union, regardless of where the video is processed.

Furthermore, GDPR protects the privacy of any resident of the geographical area of the EU, covers all forms of video surveillance within the EU, and protects citizens of all countries who reside within the EU (Article 3, GDPR).

For more information about GDPR, particularly as related to video surveillance, see Appendix: GDPR compliance.