May 25th will mark the beginning of the enforcement period for the EU General Data Protection Regulation. The large non-compliance fines have caused some concern. However, GDPR is not the end of the world.
The GDPR focuses on the collection of personal data (any information that could directly or indirectly identify a natural person) and how that is stored or otherwise handled.
Fundamentally, companies need to provide thorough protections and consumer controls when handling data like name, email address, location, social media posts, cookie data, medical information, or even a computer IP address.
One important thing to note is that the regulation will extend to companies outside of the EU if those companies collect or manage data coming from or going to the EU.
So what does that mean for live streaming?
Any personal data from the EU contained in live streams as metadata, video images or otherwise, will fall under GDPR.
In that regard, compliance will center on stream security and the protection of the data. There are two parts to this: authentication and encryption.
Authentication is the gatekeeper that restricts stream access to authorized users only. That piece is handled (in Red5 Pro at least) by implementing your own authentication scheme. Red5 Pro supports username and password parameters which can be integrated with your own web services.
A great way to get started is to use our Simple Authentication Plugin, or compile it yourself to extend it and include your own logic and integration.
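As an added illustration of the "integrate with your own web services" approach, the following is a hypothetical credential-validation backend that a streaming server's authentication hook could call. It is not Red5 Pro's plugin code, and the parameter names (`username`, `password`, `stream`, `action`) and the user records are constructed assumptions. It shows the two checks such a service needs: verifying the password against a salted hash in constant time (and spending the same time on unknown usernames so they cannot be enumerated by timing), and then checking whether that user may publish to or subscribe to the specific stream requested.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # password-hash cost factor (assumed value)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, PBKDF2-SHA256 digest) suitable for storing a credential."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest for the supplied password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


# Constructed user store. In a real deployment this lives in your own database.
# Each record holds a salted hash plus the stream names the user may publish or view.
_alice_salt, _alice_hash = hash_password("alice-secret-1")
_bob_salt, _bob_hash = hash_password("bob-secret-2")
USERS = {
    "alice": {"salt": _alice_salt, "hash": _alice_hash,
              "publish": {"alice-live"}, "subscribe": {"alice-live", "town-hall"}},
    "bob":   {"salt": _bob_salt, "hash": _bob_hash,
              "publish": set(), "subscribe": {"town-hall"}},
}
# Dummy credential so that lookups of unknown usernames take as long as real ones.
_DUMMY_SALT, _DUMMY_HASH = hash_password("not-a-real-password")


def authorize(username: str, password: str, stream: str, action: str) -> dict:
    """Decide whether `username` may perform `action` ('publish' or 'subscribe') on `stream`."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_HASH)  # equalize timing, then deny
        return {"allowed": False, "reason": "invalid credentials"}
    if not verify_password(password, record["salt"], record["hash"]):
        return {"allowed": False, "reason": "invalid credentials"}
    if action not in ("publish", "subscribe"):
        return {"allowed": False, "reason": "unknown action"}
    if stream not in record[action]:
        # Authenticated, but not authorized for this particular stream/action.
        return {"allowed": False, "reason": f"not permitted to {action} {stream}"}
    return {"allowed": True, "reason": "ok"}


def handle_validation_request(params: dict) -> dict:
    """Entry point a streaming server's auth hook could call (e.g. over HTTP).
    The parameter names here are assumed for the example, not Red5 Pro's own."""
    try:
        return authorize(params["username"], params["password"],
                         params["stream"], params["action"])
    except KeyError as missing:
        return {"allowed": False, "reason": f"missing parameter {missing.args[0]}"}


if __name__ == "__main__":
    # Constructed requests: a legitimate publisher, a viewer, and two denials.
    for req in [
        {"username": "alice", "password": "alice-secret-1", "stream": "alice-live", "action": "publish"},
        {"username": "bob", "password": "bob-secret-2", "stream": "town-hall", "action": "subscribe"},
        {"username": "bob", "password": "bob-secret-2", "stream": "alice-live", "action": "publish"},
        {"username": "mallory", "password": "guess", "stream": "town-hall", "action": "subscribe"},
    ]:
        print(req["username"], req["action"], req["stream"], "->", handle_validation_request(req))
```

The service deliberately returns the same "invalid credentials" reason for a wrong password and an unknown user, and only distinguishes authorization failures after the password has been verified, so the response body does not leak which usernames exist.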
Encryption is the encoding of the data itself so that even if an unauthorized user accessed the data it would not be readable without proper decoding.
If you are using WebRTC, you get encryption by default. That’s because the protocol utilizes SRTP (https://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol) for media delivery. If you are leveraging other protocols, you will need to make sure you implement some form of an encryption layer on top.
How about VOD?
For applications that store recorded videos, you will need to ensure that your user permissions are in line with the regulation.
Under GDPR, the collection of personal data requires consent given in clear language. It can no longer be crammed into the tiny print comprising your privacy agreement (legalese doesn't quite count as encryption). That data also needs to be accessible to the user and erasable if they withdraw their consent.
Of course, you can also simply stop storing videos as well, but that might not be an option for some use cases.
GDPR is poised to change how we handle personal data, but it's not an insurmountable barrier. You can find a good overview at TechRepublic.
Always happy to comply!