The following post was written by Kylie Anderson for DroneBase.
The EU’s General Data Protection Regulations (GDPR) went into effect May 2018, altering data collection and storage processes for businesses in every industry. Commercial drone use is driven by the utility of rapid data accumulation, but with the benefit of this data comes the responsibility of managing and securing it. If you have clients or perform work within the EU and are capturing personal information with your aerial photography, here’s how GDPR could affect drone use within your business.
This guide is intended as directional. If you have specific questions about GDPR and your business, visit: https://www.eugdpr.org/.
GDPR law requires commercial drone users to limit the data they capture to include only information specifically related to their business. Whether you’re surveying landscapes, performing site inspections, or taking photos to share with clients, it’s important to ensure you’re not unintentionally capturing any personally identifiable information. Drones can be equipped with a number of different technologies for collecting information, so even if you’re not recording faces, make sure your GPS, radio frequency, thermal imaging and other drone tools aren’t compromising your business through unintentional recognition.
In the event that identifiable data is captured, the person it was captured from must grant consent before the information can be used, and holds the ultimate right to prevent processing. If capturing facial imagery or other personal data is unavoidable in your drone use, consider using a lower resolution, still images instead of video, or observing live streams instead of recordings.
Under GDPR individuals have the right to information about the personal data you collect and store, as well as how you plan to use that data. Businesses are required to comply with individual requests for copies of data captured.
As aerial photography can often record information without being noticed, it is the responsibility of the business capturing data to make their drone use known to those who might be affected. If your business has a flight planned, notify the community of flight paths, dates, and times, as well as what type of information is being captured, so affected individuals may plan accordingly. This can be achieved through media campaigns or clearly displayed signage.
Once data is collected, GDPR dictates how to safely store and protect it. Data captured for commercial use is not to be retained by the business for longer than is necessary, a time period determined by the original objective of collection. Personally identifiable information can either be deleted after this time or anonymised to protect individuals. It is possible for anonymised data to hold the potential for re-identification if it is combined with other data, so make sure all identifiable information is maintained as separate and secure at all times.
Aerial data obtained on behalf of a client cannot be recorded by the business before it is delivered, and drone pilots must be careful not to ‘eavesdrop’ as they collect privileged information.
All data captured must be maintain in an environment that is secured against breach. Safeguards include limited access, appropriate monitoring, encryption, and other controls to ensure protection.
Maintaining transparency and security in commercial drone use is key to maximizing the benefits of aerial photography without risking issues of noncompliance. Failing to recognize regulations can result in fines and restrictions, and compromise business operations.