
GDPR at 10: How European Data Privacy Laws Shape Physical Security Innovation

It has been a decade since the European Union enacted the General Data Protection Regulation (GDPR), fundamentally reshaping global data privacy and protection. Today, GDPR isn’t just a legal text; it’s an intrinsic part of daily operations for organizations engaging with or within EU member states.

The genesis of GDPR stemmed from a stark reality: the world had transformed dramatically, and existing data protection laws were simply inadequate for an increasingly digital and interconnected era. Designed to be forward-looking, GDPR aimed to provide a robust framework capable of governing innovation and emerging technologies. However, the relentless acceleration of AI-driven applications is now compelling national data protection authorities to update their guidance for systems that process personal data.

Some of this technological evolution was already underway even before GDPR’s arrival. Body-worn video, for instance, was being piloted and deployed, primarily by law enforcement agencies. Concurrently, advanced projects like live streaming were securing funding, while organizations across both public and private sectors swiftly moved to achieve compliance in anticipation of the regulation’s full implementation in 2018.

Today, body-worn video is commonplace among police forces in the U.K., France, Germany, and Italy, with its adoption steadily expanding elsewhere. Its uptake in commercial environments, however, presents a more varied picture. Certain member states impose stricter regulations, particularly concerning the permissible uses of such technology and whether it encroaches upon the rights of workers or the general public.

These privacy concerns are amplified significantly when it comes to live facial recognition. In the U.K., no longer an EU member state but still largely aligned with GDPR principles, the government actively promotes police use of this technology, having concluded a consultation on a new legal framework in February 2026. While reported deployments have shown positive outcomes, the technology remains highly contentious, consistently attracting vocal opposition from civil liberties groups.

The landscape is further complicated by the fact that many facial recognition systems are powered by AI. Consequently, they risk infringing upon the EU AI Act, which came into force in 2024 and largely prohibits real-time biometric identification in public spaces.

Over the past ten years, video surveillance has exploded across Europe, encompassing traditional CCTV, body-worn cameras, smartphone footage, and even video doorbells. Crucially, significant technological advancements now empower security professionals to manage larger, more complex video environments while meticulously adhering to GDPR mandates. Modern Video Management Systems (VMS) stand as a prime example of this evolution.

Security control room operators, whether stationed on-site or working from centralized hubs, can now retrieve pertinent footage with remarkable speed and efficiency. This capability is indispensable not only for day-to-day operational demands but also for addressing data subject access requests (DSARs), which require organizations to furnish personal data upon request within reasonable limits, or for sharing vital footage with law enforcement during ongoing investigations.

Masking and blurring technologies have also seen substantial improvements, drastically reducing the time and effort required to redact sensitive footage before it is shared, whether digitally or physically. Given that GDPR applies to both public and private sector organizations, these redaction requirements are equally applicable when footage is provided to the police.

The migration from traditional on-premises systems to cloud-based and hybrid video environments has introduced new complexities, particularly regarding data residency and the potential risk of EU citizens’ personal data being stored outside GDPR jurisdiction. Nevertheless, the compelling economic and operational advantages of these systems have spurred greater transparency and the development of more robust controls, enabling organizations to adopt them with increased confidence.

GDPR superseded the EU’s 1995 Data Protection Directive. In the 21 years between that directive and GDPR’s adoption, the world undeniably shifted from analogue to digital. A decade on, the regulation has proven remarkably resilient in delivering meaningful protections for EU citizens’ personal data. While there have been several high-profile fines related to CCTV use, some exceeding €10 million, the security industry has demonstrated remarkable adaptability.

Challenges, debates, and controversies are bound to persist as AI continues to unlock new opportunities for enhancing safety and security operations. Yet, taken together, GDPR and the EU AI Act provide a robust legal framework, empowering security professionals to innovate while upholding stringent safeguards for privacy and data protection.

*Andreas Beerbaum is vice president of global sales and service, physical security, for Octave.*
