Assessing what GDPR means for commercial drone hardware and software vendors, service providers, and enterprise users.
By Colin Snow and Charlotte Ziems
Have you noticed an increase in the number of emails lately that say “we have updated our privacy policies and terms of service”? It’s not just the big players like Amazon, Apple, Google, and YouTube, it’s just about everyone – and for good reason. They’re all preparing for May 25, 2018, when new regulations go into effect that apply to personally identifiable data they collect on citizens of the European Union.
Disclaimer: Nothing in this post should be interpreted as legal advice—you alone are responsible for GDPR compliance and should consult legal counsel to do so. We’ll assess only the basic GDPR concepts you should know, and at a high level. So let’s start with the basics.
What is GDPR?
On May 25, 2018, the new General Data Protection Regulation (GDPR) will go into effect to protect the rights of Europeans to access and control their personal data. This means any brand that collects and processes the personal data of individuals in the European Union, regardless of that brand’s location, needs to comply with GDPR requirements by the May deadline.
Note that the laws are still being interpreted and definitions changing, so you’ll want to pay attention.
What are the important GDPR requirements?
- The right to be informed, or being transparent about what you collect and how you use it (Article 12, 13, and Article 14 number 11)
- The right of access, or allowing individuals to see what personal data you’re processing and storing (Article 15)
- The right to rectification, or allowing individuals to have their personal data corrected (Article 16)
- The right to erasure, also known as the right to be forgotten (Article 17)
- The right to restrict processing, or allowing individuals to stop you from performing operations (collecting, processing, storing, etc.) on personal data (Article 18)
- The right to data portability, or giving individuals the personal data you have about them (Article 20)
- The right to object, or prevent you from processing their personal data (Article 21)
Why should you care?
Depending on the nature of the infringement, fines for noncompliance can range from between €10 million and €20 million, or between 2% and 4% of your worldwide annual revenue of the prior financial year, whichever is higher.
Do those in the commercial drone industry need to be GDPR compliant?
That depends. If you have any clients, or have contacts, or perform work in the EU, then yes. The regulation applies when you collect, store, and process data or images that constitutes someone’s “personal data” (such as names, email addresses, phone numbers, etc.), or “personal identifiable information” (such as aerial images of and georeferences to persons).
Who in the commercial drone market might it apply to?
- Agriculture – probably not those collecting agricultural data, since that type of data rarely attaches personally identifiable information (or personal data) of an individual.
- Film / Photo / Video – it definitely applies to drone wedding photographers, real estate photographers, film companies, and any other commercial service. GPDR states that pictures containing peoples that can be identified are to be considered personal information and must be handled with care. Unless you are using the pictures for news or art, you must have a consent from the person giving you permission to publish the picture.
- Inspecting and monitoring – probably not those collecting data on structures (such as towers, transmission lines, or oil rigs), since it rarely attaches personally identifiable information (or personal data) to an individual, but definitely yes to those performing site monitoring where individuals can be tagged or identified.
- GIS (mapping and surveying) – it depends on the downstream use of the data you collect. You are in the chain of custody and custodians may need to generalize or filter identifiable features or patterns of people from geospatial information.
- Cloud-based data services – same as GIS. You are in the chain of custody and may need to filter information; otherwise, your risk is high.
Where can you go to find out more information?
GDPR:
Agriculture:
Photographers:
- https://togsinbusiness.com/gdpr-photographers/
- https://konsento.io/how-does-gdpr-affect-you-as-a-photographer.html
- https://www.tomrobak.com/edu/gdpr-for-photographers/
GIS (Mapping and Survey):
- https://www.gis-professional.com/content/article/why-geospatial-needs-to-listen-to-gdpr
- http://www.geninfo.com/2018/04/a-qa-on-the-gdpr/
GIS and cloud data services:
- https://doc.arcgis.com/en/trust/privacy/privacy-tab-intro.htm
- https://en.blog.businessdecision.com/bigdata-en/2017/03/gdpr-1-minute-to-understand/
- https://en.blog.businessdecision.com/bigdata-en/2017/12/the-basics-of-data-mapping-in-the-age-of-the-gdpr/
Image credit: Shutterstock and Skylogic Research
