As most of us are well aware by now, from 25th May 2018, every EU country will be subject to the new General Data Protection Regulations (GDPR), changing the way personal data is handled by strengthening compliance requirements and introducing strict penalties for failing to adequately protect personal data.

All UK businesses must be conscious of the new rules and make the necessary changes, since non-compliance can result in data breaches and massive fines of up to 20 million Euros, or 4% of turnover - whichever is highest.

The British Security Industry Association (BSIA) holds that there are a staggering six million active CCTV cameras currently being used in the UK. Most businesses of all types and size will be using some type of CCTV, whether it be for security purposes, health and safety or monitoring.

People’s rights and freedoms cannot be overridden, as employees at work still have a right to privacyRight to privacy

What businesses need to be aware of though, is that the images and footage of people captured by their surveillance system is classified as personal data under GDPR, which means that those who operate this type of surveillance must ensure that they are complying with the new regulations.

Under GDPR, those who operate CCTV cameras must be able to demonstrate that there is a strong, transparent, ‘fair’ reason for doing so. People’s rights and freedoms cannot be overridden, even at work – employees still have a right to privacy.

If you haven’t done so already, you should immediately conduct a full data privacy impact assessment, as recommended by the Information Commissioner’s Office (ICO) code of practice. This will help you determine if there is a legitimate reason for processing data through CCTV footage, while ensuring that you are not excessively impacting the privacy rights of the people captured.

Justifying privacy impact assessments

If you are unsure of how to carry out a privacy impact assessment, there are experts out there who can help you

An example of legitimate justification would be a construction site owner introducing wireless CCTV cameras to monitor and secure their site from would-be criminals. In this case, to meet legitimate purpose, the footage must be of sufficient quality and the images captured must be readily available for police examination if such a request is made.

An illegitimate reason, on the other hand, would be the installation of CCTV purely to track the behaviour of employees, which could be viewed as an invasion of privacy. However, if you can say it is there for health and safety purposes, with evidence to back this up, you might then have a justifiable explanation.

If you are unsure of how to carry out a privacy impact assessment, there are experts out there who can help you.

Maintaining transparency

Under GDPR, ‘transparency’ is important when processing data, which means data subjects, i.e. those whose images are captured by CCTV, are entitled to know that they are being filmed, which means you must inform them of the CCTV presence.

To best ensure you are upholding this rule, it is a good idea to display prominent, unambiguous signs within the CCTV area to communicate that you are capturing footage and give people a number to contact for more information.

Not only does this inform people that they could be under surveillance, but by placing prominent signage you are also helping to deter trespassers, who are less likely to enter a premises if they know might be filmed.

Images and footage of people captured by surveillance systems is classified as personal data under GDPR
Those whose images are captured by CCTV are entitled to know that they are being filmed

Data retention

One of the main aspects of GDPR is that personal data cannot be stored forever; it must only be kept for as long as its purpose requires (usually 30 days is recommended). As such, every camera your business operates will have to be assessed in order to ascertain how long footage is to be retained and why.

Each case will be subjective and there are no hard and fast rules as to the ideal retention period. It is up to you to determine an acceptable period, taking into account people’s rights when deciding what is best. The upside is most modern CCTV cameras will allow the operator to set specific data retention limits.

Individuals can request access for free under the new GDPR, making the likelihood of requests higherResponding to data requests

As it falls under personal data, people can request access to CCTV footage which relates to them and the CCTV operator is required to disclose it. However, you must ensure that the person requesting to see the footage is the person who is present in it.

By providing access to the footage, you must be wary not to disclose any personal data of other people, which may mean blurring out sections of the footage (e.g. containing number plates or images of other people) is necessary to avoid data breaches.

Moreover, once a request for data access has been made, this must be provided without delay and within one month at the latest. This can be extended by two months where the request is complex or numerous.

As such, you should ensure that there are appropriate policies in place within your working environment to ensure that employees know how to respond to individual data requests.

Under the old rules, there used to be an admin fee for such requests, but this has been scrapped and now individuals can request access for free under GDPR, making the likelihood of requests higher.

GDPR awareness among security service providers

It’s always important to use a highly reputable security service provider who should be well aware of the GDPR rules Under GDPR, security suppliers are ‘data processors’, which means that the clients of them should have contracts in place outlining what the security supplier can do with the data.

As such, you must ensure that sub-contractors working for your business, such as security suppliers, installers or engineers, are following the rules too.

You will be opening up your business to potential data breaches if you are allowing such third parties to access, remove or distribute personal data captured by the CCTV.

This is why it’s always important to use a highly reputable security service provider who should be well aware of the GDPR rules. If you don’t know, just ask!

Ensuring fair usage

The introduction of GDPR is certainly going to pose some interesting challenges for all businesses and how it unfolds is yet to be seen.

The tighter regulations show that it is no longer acceptable to not be aware of or not understand the rules surrounding personal data and that such breaches will be taken seriously.

However, they should certainly not discourage CCTV use, but instead operators should seek to guarantee fair usage is upheld and take steps to ensure that people know how and why they are being recorded.

Download PDF version

Author profile

In case you missed it

2019 to see a rise in cyber and cloud security solutions
2019 to see a rise in cyber and cloud security solutions

2018 was a good year for integrators and manufacturers across the board. The economy has been strong which manifested itself in many ways but in particular construction was booming. This was very good for the security industry, especially those integrators and manufacturers who provide services and products in the commercial space. Two of the most unexpected things that impacted the market, and will continue to impact it into 2019, are the trade war and the rapid rise of interest rates. I have been monitoring both very closely and didn’t expect the trade ‘skirmish’ to escalate into the trade war it has become. Similarly, interest rates have started to rise which was a bit of a surprise and one that will definitely impact the nation’s economy and by extension our market. Upcoming cloud-based trends Cyber has definitely taken a strong foothold in the industry and with the continued expansion of cloud-based services I see three main trends coming in 2019. The first is the rise of cloud-based products and service offerings that security integrators will have access to. While we have had a few key players already offering cloud-based solutions for a couple of years on the video side in particular, I see this really picking up steam across all other security and life safety solutions. This really leads into the second trend which is integrators adjusting their business models to leverage these cloud-based solutions into recurring revenue models as managed security service providers (MSSP). The ability for integrators to develop their own managed service portfolio will be key; PSA is already working with several partners to help bring a portfolio offering to our membership which is really exciting. I anticipate that we will see about 10% of security integrators take hold of this new model in 2019 and then expect that number to increase by around 10% each year until the majority of the security business is cloud-based and integrators accept the new model of being an MSSP. Finally, of course is cybersecurity. Cyber has definitely taken a strong foothold in the industry and with the continued expansion of these cloud-based services, it will be more important than ever to integrators, manufacturers and end users alike. MSSP portfolio offering The more progressive security professionals will see cyber as an opportunity, a part of the MSSP portfolio offering, rather than just a threat that we have been talking about for going on five years. The winners in this market will be the integrators and manufacturers who can adapt to all these changes, leverage new technologies we are seeing with AI and cloud-based solutions, and those who stick to commodity-based solutions will be left behind. There are some remarkable things happening with AI technology, analytics, biometrics PSA’s growth has been remarkable. We have exceeded our own growth plans year over year and have also exceed the market projected growth marks as well. We continue to add more offerings to our membership to help them stay ahead of the curve, which in turn helps us to do the same. Right now, we are investing in programs that provide data to our integrators to help inform their business decisions. Data is key for any business and PSA has spent a lot of time working with developers and our integrators to understand what the most meaningful data is they need and how we can best deliver that to them by way of dashboards and reporting tools. Future technology advancements The biggest challenge we face is really tied to the higher interest rates that we have seen so far this year and what lies ahead. We help future fund projects for our integrators so when we see higher interest rates, we must closely monitor that and make business adjustments along the way as well to flex along with those rate hikes. I have been in this industry a long time so clearly my enthusiasm for what the industry is doing doesn’t fade. But what makes it really exciting right now is really related to technology advances. There are some remarkable things happening with AI technology, analytics, biometrics – you name it. It is a very tech heavy industry that people can feel good about being a part of and is an industry that will continue to grow so the opportunities are endless.

Balancing the scales: how Open Options acquisition complements new owner ACRE
Balancing the scales: how Open Options acquisition complements new owner ACRE

Open Options, based in Addison, Texas, provides a truly open access control architecture that will strengthen the ACRE portfolio and increase the breadth of solutions offered by the global provider of security systems. The acquisition of Open Options is also an opportunity for ACRE to focus on growth opportunities in North America and “balance the scales a bit,” says Joe Grillo, CEO of ACRE, which significantly grew its reach in Europe, the Middle East and Africa with the acquisition of Siemens Security Products in 2015. “Open Options is also a company that's growing, is profitable and fits seamlessly into our vision for the access control space in which we operate,” says Grillo. Independent operations The strength of Open Options in the Southwest provides significant additional coverage for ACRE in that region of the United States The Open Options brand will continue to operate independently under the ACRE umbrella. Open Options CEO and Founder Steve Fisher will continue in his role as leader of the company, says Grillo. “There is a strong and competent management team in place that will continue to provide leadership going forward.” Open Options’ open-architecture access control solutions will add value to the solutions ACRE already offers under the Vanderbilt brand. In a market that has traditionally been proprietary, the open-platform solution offered by Open Options helps deliver more opportunity to offer customers a full-scale solution based on their needs, says Grillo. In addition, due to its origin as a Texas-based company, the strength of Open Options in the Southwest provides significant additional coverage for ACRE in that region of the United States. Technical and financial resources On the other hand, ACRE provides a greater level of technical and financial resources that Open Options can utilise to help them grow even faster. These resources were not as available to the company if it remained independent, Grillo notes. ACRE’s divestiture of Mercury Security in 2017 facilitated this investment. As discussions began earlier this year, ACRE realised the potential of adding to its access control portfolio in the North American market, says Grillo. Open Options and Mercury have been "partners" for 20 years; Mercury provides hardware panels for Open Options systems. Each company will manage and make decisions about their reseller channels independently “The Mercury brand continues to be a strong one, so we're interested in continuing to nurture that relationship, and in fact we have become a larger and stronger partner to Mercury as ACRE,” says Grillo. “After owning Mercury for a number of years, we had the understanding of the company, the product portfolio and the partner relationships that defined it, so we were confident that the deal would be a positive one for the ACRE brand.” Meeting customer needs “Open Options and Vanderbilt share some customers already and we can leverage that by gaining more share of their business while providing them with a portfolio that will meet a broader set of customer needs,” says Grillo. “Where possible, we can look for synergies in channel partners that are not currently shared to provide access to both brands. This will be a benefit to Open Options, Vanderbilt and our customer base. However, importantly, each company will manage and make decisions about their reseller channels independently.” Are there more acquisitions on the horizon for ACRE? “We're always looking for opportunities that fit into the nature of our business,” says Grillo. “Companies that have growth potential and share similar go-to-market strategies and visions for the future are of particular interest to ACRE. "We're still operating in a highly fragmented market, so we're going to see continued consolidation in both access control and beyond, which means ACRE will be looking for the right opportunities to follow along that path.”

Access Control as a Service (ACaaS) solutions growth with mobile access in 2019
Access Control as a Service (ACaaS) solutions growth with mobile access in 2019

IHS Markit projects that the market for physical electronic access control solutions has grown to over $5.2 billion in 2018. The market has experienced stable and predictable growth rates that have hovered around 6 percent over the past several years. Electronic locks remain both the largest and the fastest growing product type in access control, representing nearly 40% of the global market size for all access control equipment. Impact of technological developments While market growth rates have been consistent, technological developments have dramatically impacted the market in 2018. The most prominent trend involves mobile credentials, which are poised to revolutionise the longstanding business model for access control system sales. The mobile credentials market was still in its infancy in 2018, but many end-users are already anticipating a transition to these credentials by installing compatible readers in their systems. By 2020, over 10 percent of all new readers sold in the market will be compatible with mobile credentials. Access Control as a Service Other trends to watch in 2019 and beyond include Access Control as a Service (ACaaS), which allow end-users to avoid the need to invest in costly on-site IT infrastructures to support their access control equipment. ACaaS solutions will be particularly popular to support small and mid-sized projects that service less than fifty doors. In addition, Bluetooth Low Energy (BLE) beacons will support geopositioning in an increasing number of the world’s most advanced access control systems. Through geopositioning, the exact location of specific personnel can be identified at any site in real-time. The top fifteen access control vendors represent more than half of the total size of the global access control market, but there are pockets of opportunity for new vendors, particularly to accommodate small and mid-sized projects. The mobile credential and ACaaS markets will also be highly competitive in 2019 and should attract an influx of new market entrants.