Drones have many practical uses, from recreational photography to security surveillance and crop management. As popular as drones have become in recent years, however, they also pose an increasing threat to people’s privacy. From the rise of coronavirus surveillance drones that enforce stay-at-home orders to garden-variety nosey neighbours, the line between personal freedom and public safety has become blurred.
If you run a drone-based business, there are a number of privacy laws you’ll need to be mindful of, such as the General Data Protection Regulation (GDPR). While the regulation may vary based on where your business is based, here are some key privacy considerations and best practices to maintain GDPR compliance.
1. Understanding personal data and data rights
According to the GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’)”.
This means that any photos, audio, and video footage captured by drones that can be used to personally identify someone are considered personal data and are subject to certain conditions for processing – including the rights of each individual over their data. For example, data subjects have the right to access any photos and videos of them in your possession, as well as the right to request the erasure of this data.
2. Minimise data collection and storage (and anonymise it wherever possible)
A key principle of the GDPR is data minimisation. Essentially, organisations must ensure that they only collect personal data where absolutely necessary or relevant to their operations, thereby minimising the amount of data that is processed. Given how difficult it is to get a passerby’s consent to use their data at the point of collection with drones, and the risk of penalisation for failing to process this data in a lawful way, you can see why this is a good preventative measure to maintain compliance.
Data minimisation can be achieved by following the basic flying rules set out by the Federal Aviation Administration, which include directions to not fly over groups of people or within a certain radius. Additionally, you should implement data anonymisation techniques such as blurring people’s faces, licence plate numbers, and other personally-identifying information in your photos and recordings.
3. Ensure you have adequate data protection processes in place
Any photos and videos that contain personally-identifying information must be stored securely, and should not be accessible to or processed by any unauthorised third parties. Some key data security measures include encrypting your photo and video files; protecting them with strong passwords and two-factor authentication if you store them online or on a computer device; and having a data back-up plan in place in case files are corrupted or accidentally erased.
Your policy should explain the types of data your drone captures; how this data is used, stored, shared, and kept safe; how data subjects can exercise their rights around any personal data captured by your business; and how they can contact you for any concerns or enquiries they may have.
While it can be challenging trying to apply privacy legislation that is vague or lacking in specific direction, the GDPR offers some general guidelines for how drones can be used in a privacy-preserving way. As a business owner, it’s wise to invest the time and money now in good privacy practices to avoid any future fines or complaints against your business.