The adoption of drones for commercial work has grown rapidly over the last few years.
Inspections—both internal and external—are one of the applications that has grown the quickest, but the use of drones has also grown rapidly in several other sectors, ranging from work like surveillance, to agriculture, to delivery, and beyond.
With the rapid growth in adoption have come privacy concerns. And, as in any business, it’s important to be aware of privacy laws if you’re using drones for work.
The GDPR is a strict data privacy law that applies to all businesses in the European Union. While these regulations may vary based on your location, it’s important to understand how GDPR affects your business and how to ensure GDPR compliance.
Important GDPR Principles to Follow When Using Drones
Here are four principles to keep in mind for using drones in your business to help ensure compliance with GDPR requirements.
1. Understand personal data and data rights
The most important GDPR compliance measure is understanding the meaning of personal data. According to GDPR, private or personal data refers to information about an identifiable individual. This includes photos, video, and audio that can be used to identify data subjects captured by your drone.
It’s also important to understand the rights that individuals have over their data. For instance, individuals have a right to access photos and videos of them captured by another organization’s drones, and they can request the erasure of any personal data in a company’s possession.
2. Minimize data collection and storage
To achieve GDPR compliance, companies should try to minimize or anonymize data collection and storage.
Ideally, businesses should collect private data only where necessary or required by business operations. Unfortunately, it can be hard to get passersby to consent to collection and use of their data when conducting a drone operation, so at a minimum it is best to minimize or anonymize data collection wherever possible.
You can achieve data minimization by following the Federal Aviation Administration flying rules.
Here are a few useful rules of thumb for minimizing the collection of data when operating a drone:
- Avoid flying over groups of people
- Adopt data anonymization practices, such as blurring license plates, faces
- Generally try to avoid collecting identifying information, as possible
3. Implement data protection processes
Photos, videos, and audio with identifying information should be stored securely and made inaccessible to unauthorized persons or third parties. Key data protection processes include data encryption, the use of strong passwords and/or two-factor authentication, and a solid backup plan.
Your policy should outline the type of data captured by your drones and how it is used, stored, and shared. It should also include the rights of data subjects and how individuals can reach you if they have questions or concerns about their private data.
Is GDPR Compliance Just about Obeying the Law?
Not at all.
Complying with GDPR can benefit your business in several ways—not just by helping you avoid legal trouble, but also by cultivating trust with your customers and the public in general.
Here are three of the main benefits GDPR compliance can provide to businesses.
1. Improves customer confidence
GDPR compliance proves to your customers that your business can store and protect their private data safely. GDPR legislation requires businesses to appoint a data protection officer to oversee data protection processes and conduct regular audits of processing activities. Ensuring that your business achieves GDPR compliance will certainly improve your reputation.
2. Reduce maintenance costs
GDPR compliance can also reduce operating costs in many ways.
For starters, your business will retire legacy applications and data inventories irrelevant to the business. Similarly, by adhering to GDPR laws of maintaining an updated data inventory, you can significantly reduce the cost of data storage by consolidating your data storage efforts. Your business will benefit from reduced data maintenance costs, which can be found both in the form of infrastructure maintenance and in the form of labor-hours.
GDPR compliance also reduces business costs by enabling businesses to engage with interested customers.
As per GDPR provisions, businesses should have an opt-in policy, where data subjects (i.e., people interacting with your business) consent to submit their personal data. Communication with customers who opt-in becomes personalized due to the granularity of data collected, saving the business the cost of trailing uninterested customers. It can also increase ROI for your sales efforts, as you will be dealing with relevant leads who have expressly asked to engage with your company.
3. Alignment with evolving technology
Another aspect of GDPR compliance is the requirement that organizations improve their network and application security.
Adopting the latest technologies, such as The Internet of Things, cloud computing, and virtualization, allows your business to manage growing quantities of data and offer customers better service overall.
Integrating third-party management tools can also allow your business to remain vigilant for potential data breaches, which are growing increasingly more common and more sophisticated. These tools keep track of log data and data transferred outside your network. They also monitor the integrity of your endpoint devices, applications, and the entire network, including the cloud, and send alerts where an anomaly is detected.
How to Maintain GDPR Compliance in Oil & Gas—and Beyond
The General Data Protection Regulations (GDPR) came to action on 25th May 2018, replacing the preceding Data Protection Act of 1998 as a response to a surge in worldwide data breaches and the advent of the daily use of the internet.
Before the introduction of GDPR, personal data was exposed to hackers and malicious individuals due to poor security measures. Following its approval, all organizations that store, transmit, and process the personal data of EU residents had to comply with the new, more robust data protection regulations.
But becoming GDPR compliant is not an easy task.
GDPR is one of the strictest data privacy laws in the world, and achieving compliance requires companies to dive deeply into their processing activities, third-party communication, customer access, and personal data protection. And the process doesn’t end once you’ve become compliant.
To provide some helpful guidelines, here are some tips that players in the oil and gas industry—and elsewhere, by extension—can follow to maintain GDPR compliance.
1. Conduct audits continually
You should conduct ongoing audits on your data processing activities to maintain GDPR compliance.
A critical aspect of conducting regular audits is to do a data protection impact assessment. These assessments can help organizations determine how designated employees handle and process sensitive information, such as data about customer behavior, location, health, and even religion.
2. Appoint a data protection officer
Oil and gas companies should appoint a dedicated data protection officer to achieve and maintain compliance. According to Article 37 of GDPR, businesses and organizations should appoint a data protection officer (DPO) who oversees their entire data protection strategy.
Organizations should appoint a DPO if they process data by public authority, collect it through systemic monitoring, and process it on a large scale. Unfortunately, GDPR doesn’t give exact definitions of “large-scale” data. Therefore, most organizations should consider appointing a DPO to be on the safe side.
- Continually advise controllers and processes about GDPR compliance practices and updates in data regulations
- Monitor data handling to ensure GDPR compliance
- Provide accurate data protection impact assessments
- Regulate data processing inquiries
- Act as an intermediary between GDPR regulators and the company
- Evaluate all potential risks associated with different data processing activities
3. Provide comprehensive and continuous staff training
Ongoing staff training is another way oil and gas industries can maintain GDPR compliance.
Unfortunately, 88% of data breaches—a huge majority—result from employee errors, whether intentional or unintentional. Therefore, you should keep your employees abreast of data safety best practices by:
- Educating employees on key data privacy and GDPR concepts and their importance
- Explaining how daily tasks can lead to data breaches
- Ensuring employees don’t use personal devices for work-related activities
- Conducting data privacy and security training for new employees (and consider doing refreshers for existing employees)
4. Instantly report data breaches
Immediate reporting of data breaches is mandatory under GDPR.
GDPR, particularly Article 33, requires data controllers and processors to report incidents of data breaches within 72 hours. Reporting of data breaches should be hierarchical as follows:
- Processors should report data breach incidents to controllers
- Controllers should report to a supervisory authority
Supervisory authorities or data protection associations are responsible for enforcing and monitoring compliance. They are also the primary point of contact for GDPR inquiries in an organization. Supervisory authorities, which are in EU states and can impose fines on controllers and processors for non-compliance.
5. Verify the age of users consenting to personal data processing
GDPR allows organizations to collect and process data for individuals above 16 years of age. To collect personal data legally from young people, you should seek consent from the guardian or individuals charged with the child’s parental responsibility. If EU citizens below 16 years will interact with your site, you should include an age verification option to verify their age before collecting personal data.
6. Regularly assess third-party risks
Under GDPR, you are responsible for how third-party companies collect, keep, and share personal information for your organization. As such, you should ensure that third-party companies maintain GDPR compliance in all their data collection practices. If necessary, you should update contracts to feature compliance measures.