People Counting: GDPR and your Privacy

It's almost 2020, and facial recognition technology is everywhere. Our mobile devices, the self-service immigration checkpoints at airports and social media platforms all use facial-recognition software to make our lives easier and seemingly safer. But, our facial features are a form of personal data, and as such, laws are in place to protect how and when businesses and governmental bodies are authorised to collect, use and process this information. 

Recent reports reveal that the Met Police have been trialling live facial recognition (LFR) technology that processes the biometric data of general members of the public who may unknowingly be screened while going about their daily activities. While crime prevention and detection are the legitimate aims of such endeavours, it remains the concern of the Information Commissions Office as to whether such technologies violate the individual's right to privacy. 

LFR isn't simply a patented technology for justice enforcement; it is also available for commercial use. However, businesses are at risk of noncompliance and GDPR breaches which are punishable by law. 

There is a clear distinction between Close Circuit Television (CCTV) and LFR. CCTV has been around for a long time, its purpose being to enhance security and monitor environments in order to protect businesses and occupants. Face recognising technology, however, takes things much further as it collects layers of data, which, if used with malicious intent, could enable organisations to manipulate and exploit members of the public. 

Understanding GDPR 

The General Data Protection Regulation (GDPR) was introduced into the European Union to protect the rights of individuals in its member states. Under this law, governments and businesses must have a specific purpose for collecting and processing personal data; this purpose must, of course, be legal and transparent. 

Personal data relates to all personally identifiable information, such as:

• Economic factors
• Cultural and ethnic identifiers
• Mental and physical health
• Geographic location

Individuals also have "the right to be forgotten", meaning they can request a company to delete any data they hold on the person permanently. Understandably, this creates a unique challenge where LFR technology is concerned due to the nature of the technology, which, in reality, is still very much in its beta phase in regards to how deep and wide-reaching its data capturing and processing capabilities are.

Is your people counter GDPR compliant?

There are countless benefits to utilising a people counter for your commercial property or business. Understanding how many people visit your store, your building occupancy and how people move throughout your premises can help you to optimise your operations and anticipate the needs of your customers. It is, however, crucial to ensure that your device is GDPR compliant. Firstly, because the legal implications and fines for privacy breaches can have substantial financial consequences for your business. Secondly, disrespecting your clients, occupants and employees rights to privacy and autonomy over the personal data they wish to impart, could snowball into a highly negative public relations issue for your entire organisation. 

Basic checks:

1. Does your people counting device capture data that is personally identifiable, for example a person's facial features?
2. Is this personal data processed and stored, either locally or remotely in the cloud? 
3. Are people notified and made aware that you are making use of facial recognition people counting technology?
4. Does your people counter serve any purpose other than to analyse footfall or occupancy?
5. Is the people counter data you collect anonymous or are you able to personally identify occupants by reviewing the information?

Storing and using data about your visitor's facial features will most likely be considered a GDPR issue unless you have a valid and transparent reason for conducting such surveys. 

What to request from your people counting service provider

Accuracy is critical when selecting the right people counter for your business. You want precise data to help you make sound business decisions. The trick is in finding a product that is not only highly accurate but also adheres to privacy laws. Luckily, there are a number of sophisticated technologies available on the market that track occupancy and footfall in non-invasive ways. For example, Irisys's Vector 4D uses Time of Flight infrared sensors to generate data without capturing any personally identifiable characteristics of the individuals it screens. 

If you're on the market for a people counter or are considering upgrading an existing one, you may wish to enquire whether the supplier actively researches and stays on top of data protection laws. Reputable sellers will take a vested interest in ensuring that their products always operate in accordance with the regulations of the country they trade in. 

As per GDPR laws, a subject is within their rights to request access to the data you hold on them. A tell-tale indicator of a non-compliant people counter is the nature of the data it captures. Is absolutely necessary? How would you justify the details you hold on individuals, how long you retain them for, and what the purpose of this storage is? If you keep any information on your customers or occupants that they have not been forewarned about or agreed to impart with, your people counter is likely to be compromising your integrity. 

Examples of metrics that are safe to collect:

• Dwell time
• Footfall/Visitor volumes
• Distinction between adult and child
• Path pattern

Your people counter must enable pseudonymisation, meaning any data collected must be processed in a way that makes personal identification impossible. Remember, if you are collecting anything other than de-personalised data relating to movement throughout your building, you cannot do so without the consent of your visitors and occupants. Furthermore, you must be able to prove the legitimate legal base you have for collecting personal data of any nature. 

Irisys has over 500,000 people counting devices installed worldwide, many of them in countries that abide by GDPR laws. If you are purchasing a people counter, check that the seller has experience in servicing the country you will be using your device in as you don't want to be caught out mishandling a device which is designed to capture multi-layered personal data. People counters can help you optimise the experience your customer has by enabling you to be highly responsive. It is essential, however, to diligently protect the privacy of that customer to ensure that you remain a trustworthy and reliable organisation.  

The inability to distinguish between your clients and staff, however, can disrupt the accuracy of the data you collect – an understandable business concern. The Vector 4D, however, is able to distinguish between employees and customers or visitors. It is important to note here that employee privacy is still maintained as individual employees are not personally identifiable. The sensor only knows when a member of staff is present, not which member of staff it is. Despite this, it is advised that this form of monitoring is stated in your company policy and staff are aware of how you use your people counter data.

If you'd like to find out more about Irisys's wide range of GDPR compliant people counters and how we can help you lawfully, accurately and efficiently collect crucial business data, get in touch with us today.