Presentation with Antoinette King of Axis Communications, sponsored by the Security Industry Association and Security System News on the misunderstood and symbiotic relationship between privacy and security and video surveillance in particular.

1. Privacy and video surveillance: Advanced
technology and best practices protecting
people, property and personal data
Presented by:
Antoinette King - Key Account Manager, Axis Communications
Salvatore D’Agostino - CEO IDmachines, Co-Founder OpenConsent
IN PARTNERSHIP WITH
PRESENTS

2. Presenters
Sal D’Agostino
CEO IDmachines, Co-
Founder OpenConsent
Antoinette King, PSP
Key Account Manager
Axis Communications

3. Agenda
Evolving Landscape
Regulatory
Technology
Risk
Use Cases
Education
City Surveillance
Best Practices
Q&A
Agenda

4. An evolving symbiotic relationship

5. An evolving symbiotic relationship

6. Domain of
Privacy 2.0
Domain of
Privacy 1.0
Data
control
Data
transparency
Data protection
Terms and
conditions
Privacy
notices
Notification
& breaches
Most encryption techniques
Identity
Openness,Usability,Relevance

7. Data
collection is
everywhere

8. Lack of
Control

9. •FEAR
•UNCERTAINTY
•DOUBT

11. Evolving landscape
> Domestic and global changes
in Regulations
> Technology keeps evolving
> Risk Landscape

12. Legislation pertaining to biometric data privacy
> State of Illinois – requires private
entities to get written permission to
collect biometric data and full usage
disclosure.
> State of Washington – places a
heavy burden on the controller of the
data to properly obtain consent,
disclose usage, and protect the data
> State of Texas – prohibits capture of
biometric data without written,
informed consent, and prohibits the
sale or disclosure of biometric
identifiers.

13. Regulatory
changes
> CCPA vs. GDPR
> NY SHIELD Act
> Accountability

14. GDPR Landscape
> In the first 9 months that
GDPR was in effect, there
were over 205,000 cases
reported to various EU
Supervisory Authorities.
> 65,000 breaches involving
things such as email
misconduct, network hacks,
improper tracking of
consumers and illegal video
surveillance data logging

15. GDPR Fines
UNITED
KINGDOM
Information
Commissioner
(ICO)
2019-
07-08
204,600,000 Major Airline Art. 32 GDPR Insufficient technical
and organisational
measures to ensure
information security
link
UNITED
KINGDOM
Information
Commissioner
(ICO)
2019-
07-09
110,390,200 Hotel Chain Art. 32 GDPR Insufficient technical
and organisational
measures to ensure
information security
link
FRANCE
French Data
Protection
Authority (CNIL)
2019-
01-21
50,000,000 Digital Technology
Company
Art. 13 GDPR, Art.
14 GDPR, Art. 6
GDPR, Art. 5 GDPR
Insufficient legal basis
for data processing
link
ITALY
Italian Data
Protection
Authority
(Garante)
2020-
01-15
27,800,000 Telecommunications
Operator
Art. 5 GDPR, Art. 6
GDPR, Art. 17
GDPR, Art. 21
GDPR, Art. 32
GDPR
Insufficient legal basis
for data processing
link
AUSTRIA
Austrian Data
Protection
Authority (dsb)
2019-
10-23
18,000,000 Postal Services
Company
Art. 5 (1) a) GDPR,
Art. 6 GDPR
Insufficient legal basis
for data processing
link

16. GERMANY
Data Protection Authority of
Berlin
2019-
10-30
14,500,00
0
Property
Company
Art. 5 GDPR,
Art. 25 GDPR
Non-compliance with
general data processing
principles
link
GERMANY
The Federal Commissioner
for Data Protection and
Freedom of Information
(BfDI)
2019-
12-09
9,550,000 Telecoms
provider
Art. 32 GDPR Insufficient technical
and organisational
measures to ensure
information security
link
ITALY
Italian Data Protection
Authority (Garante)
2019-
12-11
8,500,000 Gas &
Energy
Company
Art. 5 GDPR,
Art. 6 GDPR,
Art. 17 GDPR,
Art. 21 GDPR
Insufficient legal basis
for data processing
link
SWEDEN
Data Protection Authority of
Sweden
2020-
03-11
7,000,000 Digital
Technology
Company
Art. 5 GDPR,
Art. 6 GDPR,
Art. 17 GDPR
Insufficient fulfilment of
data subjects rights
link
ITALY
Italian Data Protection
Authority (Garante)
2019-
12-11
3,000,000 Gas &
Energy
Company
Art. 5 GDPR,
Art. 6 GDPR
Insufficient legal basis
for data processing
link
GDPR Fines

17. Does it
apply
to me?
https://www.lexology.com/library/detail.aspx?g=20fce77c-feaf-4cda-851a-5542b48b63f4

18. When can surveillance
be used?
> Purpose must be explicit and documented
> Must be a legitimate interest to override
subjects’ privacy rights
> Prove that less intrusive means would not
suffice
> Appropriate safeguards must be taken
when storing video data
> Warning signs must be clearly posted with
an icon to easily identify video
surveillance in progress
> Warning sign must include the purpose of
surveillance and the data subject’s rights

19. Differential
Privacy

20. Mitigating Privacy concernsMitigating Privacy concerns

21. Evolving Technology
> Moore’s Law
˗ Computing and Sensing
> Big Data
> Cloud
> AI/ML
> IoT

22. Evolving Risk Landscape and Risk Management
> Surveillance Economics and Data Sharing
> Consumerization of Technology
> Asymmetry - Attackers and Target
> Siloed Systems, Communications and Development
> Skill Gaps
> Algorithm Bias
> Alchemy vs. Science/Engineering

23. School surveillance
> Biometric Data/Facial
Recognition
> 3rd Party Operators
> Consent
> Cloud solutions

24. City surveillance

25. > What kind of data is
being collected?
> How is my data being
used?
> Am I being tracked?
> Biases in software
code
Public resistance

26. Surveillance “Fashion”

27. Best practices - summary
1. Notice and Consent
a. “I Agree”
b. Use of (Consent) Receipts
c. “Signs”
2. Legal requirements
a. Privacy - GDPR, CCPA, Washington State
b. Children - COPPA,
3. Frameworks
a. ISO, NIST, IDESG, Pan-Canadian Trust Framework
4. Industry Code of Conduct and Practice
a. Proactive approach, based on best practices

28. Cybersecurity-
related privacy
events
PROTECT-P
DETECT
RESPOND
RECOVER
Cybersecurity
risks
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
Privacy
risks
IDENTIFY-P
GOVERN-P
CONTROL-P
COMMUNICATE-P

30. Privacy checklist

31. Thank you.