Video analytics and compliance software business Facit has reportedly seen a 200% increase in companies looking to implement a system that would optimise their Data Subject Access Request (DSAR) compliance.
We are all familiar with GDPR by now. Article 15 of the GDPR, entitled the ‘Right of access by the data Subject’, states, “Any person whose image is recorded on a Video Surveillance System has a right to seek and be supplied with a copy of their own personal data from the footage.”
Video footage is personal data, so anyone captured in a video has the right to request a copy of the footage. The request is called a DSAR and must be responded to by the organisation that holds the footage within 30 days.
In line with GDPR, the identities of any other individuals visible in the footage must be obscured or redacted. A vehicle number plate and any sensitive documents or information that may help identify certain individuals must also be excluded.
It is the Data Controller’s responsibility to justify how information that contains private data is stored, retained and kept secure.
Video surveillance data must be retained for no longer than 30 days unless the business feels it is justified in a risk assessment. Should they need to defend against fraudulent injury/insurance claims, many businesses unlimitedly keep surveillance data in the cloud.
But is the cloud a safe solution for sensitive data? Why should companies care about this today?
We spoke to Waqas Hasan, CEO of Facit, to find out more.
Facit started life in 2018, funnily enough, the same year GDPR became law (May 2018). CCTV in city centres and within buildings is prevailing nowadays, but the technology, particularly IP cameras and data processing, is relatively new.
Benchmark Magazine: Why are DSAR requests on the up?
Waqas Hasan: People are much more aware of their rights. For example, a well-known retailer we are dealing with has had 11,500 DSARs this year. Not all of them were video requests (some were for documentation), but a significant proportion was.
The request for a DSAR can be made for practical reasons, such as finding a lost wallet, checking who might have scratched a car, or forming some evidence for an incident to help a legal investigation. A prime example is when you are in a supermarket; many cameras will capture your image – people are more aware of this now and want access to this footage.
There has also been a culture shift, where businesses previously thought they could avoid having these resources in place. They now understand the increase in demand and that if they get a few DSAR’s a month, their workload will increase exponentially. Recently we performed a demonstration where a company had a two-minute video which needed to be redacted. The process would have taken them half a day; with Facit, it was complete in a minute.
This is the ROI. If you have around five to eight requests in a month, the software starts paying for it itself very quickly. In most cases, you cannot charge a fee for a DSAR. However, depending on the situation, you can charge a fee for the administrative costs of complying with a request.
DSARs will only increase – anyone with a public-facing CCTV will have to redact footage in the next three years. People that are already using redaction will see their numbers go up too. Our software is intuitive and generates reliable, accurate and actionable data. And importantly, it lives within the premises, not in the cloud.
BM: Why would a cloud solution not be adequate?
WH: Any time any video footage leaves your premises, there is a risk of leakage. Individuals, objects and/or documents that require to be redacted and are not at the time they are uploaded into a cloud solution could be unveiling data that should have been masked.
With Facit’s software, everything is held locally. All you need is a Windows PC terminal. Plus, businesses can try our software before purchasing a licence so they can see how easy it is by downloading a 30-day free trial from our website.
BM: What expertise is needed to use Facit’s software?
WH: No expertise is needed. We understand this is not the controller’s day job, so we designed our software to be as easy as possible.
We cater to all vertical markets, from retail, banking, the public sector and other high-footfall venues, which are the ones seeing an increase in requests, and also NHS Trusts and councils.
BM: What steps must be taken once an organisation receives a request?
WH: Once a request has been submitted, the organisation identifies where that footage is. The video will have to be uploaded onto a system they will have in the head office. A protection officer, the security manager or the head of security will check the recording to find the footage. Before releasing it, they will have two options: either they will need to ask everyone that appears in the clip for permission to release their data (which, in a public space situation, can be very difficult), or they can redact the faces, masking out everyone that is not the particular individual.
This is where our software comes in. It is all kept in-house, so the business has less risk of leakage.
Whenever you send any videos out, you make a third party your data processor. For this to work well, you need to have the correct paperwork in place to provide them with suitable material appropriately.
At Facit, we don’t see the footage. Instead, the software stays within the organisation. It is installed and deployed within a secure environment, and their video never leaves their watch.
Facit software processes the clip and allows the team to control what they’re doing with it fully and when and how to release it.
BM: Do companies need a dedicated server to process the video files?
WH: Most of the time a dedicated server will only be required when a company needs to process a large quantity of video. However, our solution, which can be used on any desktop with a Windows operating system, is more than adequate for most clients. For example, Facit has a retail customer who has had to use the software 296 times in the past six weeks. A dedicated server to process the information is better for that usage level.
Facit can process any digital video file. Even for systems that are not digital, such as analogue CCTV, which has its own proprietary viewing device, Facit has a video screen capture that makes it possible to convert the footage into a digital file and then redact it.
BM: Can the redaction be reversed once it’s done?
WH: No, any information redacted from the video provided to a third party is forever obscured, and this process cannot be undone. This is what makes it compliant.
BM: What is the cost of a data breach for companies
WH: The cost of data breaching for companies can be 4% of their revenue or E20 million.
Every quarter, there is a report from ICO that reports on all compliance fines. In addition, there is a section that talks about the failure to redact. In the past three quarters, there has been an increase in fines issued because of failure to redact.
For some companies, it is not just about the fine but also about the damage to their reputation, which can be a worry.
BM: Will compliance have a significant role in the future for CCTV?
WH: Yes, I think so. More requests will be made as more people know the law and their rights.
When we started in 2018, nobody took what we did very seriously because they thought they could avoid it, but now companies are realising they need the systems in place.