As most of us are well aware by now, from 25th May 2018, every EU country will be subject to the new General Data Protection Regulations (GDPR), changing the way personal data is handled by strengthening compliance requirements and introducing strict penalties for failing to adequately protect personal data.

All UK businesses must be conscious of the new rules and make the necessary changes, since non-compliance can result in data breaches and massive fines of up to 20 million Euros, or 4% of turnover - whichever is highest.

The British Security Industry Association (BSIA) holds that there are a staggering six million active CCTV cameras currently being used in the UK. Most businesses of all types and size will be using some type of CCTV, whether it be for security purposes, health and safety or monitoring.

People’s rights and freedoms cannot be overridden, as employees at work still have a right to privacyRight to privacy

What businesses need to be aware of though, is that the images and footage of people captured by their surveillance system is classified as personal data under GDPR, which means that those who operate this type of surveillance must ensure that they are complying with the new regulations.

Under GDPR, those who operate CCTV cameras must be able to demonstrate that there is a strong, transparent, ‘fair’ reason for doing so. People’s rights and freedoms cannot be overridden, even at work – employees still have a right to privacy.

If you haven’t done so already, you should immediately conduct a full data privacy impact assessment, as recommended by the Information Commissioner’s Office (ICO) code of practice. This will help you determine if there is a legitimate reason for processing data through CCTV footage, while ensuring that you are not excessively impacting the privacy rights of the people captured.

Justifying privacy impact assessments

If you are unsure of how to carry out a privacy impact assessment, there are experts out there who can help you

An example of legitimate justification would be a construction site owner introducing wireless CCTV cameras to monitor and secure their site from would-be criminals. In this case, to meet legitimate purpose, the footage must be of sufficient quality and the images captured must be readily available for police examination if such a request is made.

An illegitimate reason, on the other hand, would be the installation of CCTV purely to track the behaviour of employees, which could be viewed as an invasion of privacy. However, if you can say it is there for health and safety purposes, with evidence to back this up, you might then have a justifiable explanation.

If you are unsure of how to carry out a privacy impact assessment, there are experts out there who can help you.

Maintaining transparency

Under GDPR, ‘transparency’ is important when processing data, which means data subjects, i.e. those whose images are captured by CCTV, are entitled to know that they are being filmed, which means you must inform them of the CCTV presence.

To best ensure you are upholding this rule, it is a good idea to display prominent, unambiguous signs within the CCTV area to communicate that you are capturing footage and give people a number to contact for more information.

Not only does this inform people that they could be under surveillance, but by placing prominent signage you are also helping to deter trespassers, who are less likely to enter a premises if they know might be filmed.

Images and footage of people captured by surveillance systems is classified as personal data under GDPR
Those whose images are captured by CCTV are entitled to know that they are being filmed

Data retention

One of the main aspects of GDPR is that personal data cannot be stored forever; it must only be kept for as long as its purpose requires (usually 30 days is recommended). As such, every camera your business operates will have to be assessed in order to ascertain how long footage is to be retained and why.

Each case will be subjective and there are no hard and fast rules as to the ideal retention period. It is up to you to determine an acceptable period, taking into account people’s rights when deciding what is best. The upside is most modern CCTV cameras will allow the operator to set specific data retention limits.

Individuals can request access for free under the new GDPR, making the likelihood of requests higherResponding to data requests

As it falls under personal data, people can request access to CCTV footage which relates to them and the CCTV operator is required to disclose it. However, you must ensure that the person requesting to see the footage is the person who is present in it.

By providing access to the footage, you must be wary not to disclose any personal data of other people, which may mean blurring out sections of the footage (e.g. containing number plates or images of other people) is necessary to avoid data breaches.

Moreover, once a request for data access has been made, this must be provided without delay and within one month at the latest. This can be extended by two months where the request is complex or numerous.

As such, you should ensure that there are appropriate policies in place within your working environment to ensure that employees know how to respond to individual data requests.

Under the old rules, there used to be an admin fee for such requests, but this has been scrapped and now individuals can request access for free under GDPR, making the likelihood of requests higher.

GDPR awareness among security service providers

It’s always important to use a highly reputable security service provider who should be well aware of the GDPR rules Under GDPR, security suppliers are ‘data processors’, which means that the clients of them should have contracts in place outlining what the security supplier can do with the data.

As such, you must ensure that sub-contractors working for your business, such as security suppliers, installers or engineers, are following the rules too.

You will be opening up your business to potential data breaches if you are allowing such third parties to access, remove or distribute personal data captured by the CCTV.

This is why it’s always important to use a highly reputable security service provider who should be well aware of the GDPR rules. If you don’t know, just ask!

Ensuring fair usage

The introduction of GDPR is certainly going to pose some interesting challenges for all businesses and how it unfolds is yet to be seen.

The tighter regulations show that it is no longer acceptable to not be aware of or not understand the rules surrounding personal data and that such breaches will be taken seriously.

However, they should certainly not discourage CCTV use, but instead operators should seek to guarantee fair usage is upheld and take steps to ensure that people know how and why they are being recorded.

Download PDF version

Author profile

In case you missed it

Six reasons security integrators should adopt cloud technology today
Six reasons security integrators should adopt cloud technology today

As technology advances, the world is becoming increasingly connected, changing the way users think about and interact with security systems, which continue to evolve across all verticals and applications. With this change comes new opportunity for security integrators; security systems are advancing, creating new needs for products and services — some of which can be met through the adoption of cloud-based service systems. Cloud technology is no longer a dreamt-up version of the future of security — it’s here. If you’re hesitant to make the move to the cloud, consider these six reasons to embrace this new technology now.Cloud technology has created an opportunity for integrators to offer managed services to their customers Increased RMR Cloud technology has created an opportunity for integrators to offer managed services to their customers, producing a new business model that generates more stable and predictable income streams. By offering managed services on a subscription basis, integrators can build a part of their business to provide recurring monthly revenue (RMR), allowing them to scale faster. This business model is especially beneficial for customers who prefer to pay a fixed monthly or yearly rate for services rather than a large upfront fee, which can help attract new business while growing revenue from current customers. Stickier customers Providing managed services fosters a more involved relationship between integrators and their customers, which can help boost customer retention. This is primarily the result of three factors. Firstly, customers who buy managed services are committed for a specified term, which helps develop an ongoing business relationship between them and the integrator. Secondly, providing managed services creates an opportunity for more customer contact — each interaction is an opportunity to build rapport and monitor customer satisfaction.While the functionalities of each system vary, their potential is evident in the cloud-based services available Third, customers who purchase managed services generally tend to do business longer than customers who purchase products or services individually; with the monthly purchase of their services on autopilot, customers get into the habit of receiving these services, which helps reduce the chance that they’ll cancel their subscription while also building customer loyalty. High gross profit margins Cloud managed services create an opportunity for a service and technology to be purchased together, helping to generate a higher gross profit margin from the beginning of the customer relationship. On an ongoing basis, cloud service platforms offer a new level of accessibility to integrators, helping to provide better insight on activity trends to identify opportunities to continuously grow their revenue through subscription-based streams. Easier to provide managed services Traditionally, serving more sites required integrators to hire more technicians to meet the needs of their growing customer base, but the cloud has helped overcome this demand. While the functionalities of each system vary, their potential is evident in the cloud-based service platforms that are available today. When a problem occurs on a site that is managed by a cloud-based system, the integrator can receive a real-time notification regarding the issue The Avigilon Blue™ platform, for example, is a powerful new cloud service platform that helps integrators address the needs of their customer sites using fewer resources by offering the ability to administer system upgrades, fixes, health checks, and camera or system settings adjustments remotely.  The Avigilon Blue platform automatically sends, and stores video analytics highlights in the cloud, which can easily be accessed from any PC browser or mobile device. This data can be used to efficiently manage customer sites and maintain the health of those sites, helping to increase speed of service and expand the capacity to have more sites up and running. Cloud service platforms have the potential to revolutionise the security industry by providing new opportunities for integrators Not only does this help integrators scale their business faster, it creates an opportunity to provide added value to the customer at a lower cost as new upgrades and services come out. Proactively fix problems before they occur In addition to automating notifications and tedious maintenance tasks, cloud service platforms help provide integrators with the information and abilities they need to keep their customer sites running smoothly. When a problem occurs on a site that is managed by a cloud-based system, the integrator can receive a real-time notification regarding the issue — possibly before the customer even notices a disruption in service. They can then identify the problem and determine whether it can be resolved remotely or requires a technician to be deployed. By having the capacity to pinpoint service needs and make certain adjustments via the cloud, integrators can streamline their customer service processes and lower their response times to provide better, more efficient service. Increased valuation of business Companies that utilise cloud technologies are experiencing as much as 53 percent higher revenue growth rates The ability of cloud service platforms to help integrators manage more sites remotely and expand their revenue through subscription-based streams offers a competitive business advantage. Security innovators have harnessed the power of the cloud to enhance integrator efficiency so that they can spare their attention, resources and effort for where it’s needed most. As a service that helps offer scalability and a high gross profit margin while requiring fewer resources to maintain customer sites, cloud service platforms have the potential to revolutionise the security industry by providing new opportunities for integrators that may ultimately increase their business valuation. According to a study by Dell, companies that utilise cloud, mobility, and security technologies are experiencing as much as 53 percent higher revenue growth rates compared to those who do not such technologies. Integrators who adopt cloud service platforms can benefit from numerous advantages — cost-saving maintenance capabilities, the potential to generate new monthly recurring revenue, and user-friendly design and data security — which make them a significant development within the industry as well as a potential lucrative new business model. The dream of cloud technology is no longer a distant idea of the future, it can become a present reality — and integrators who harness its power can reap its business benefits now.

Preventing workplace violence: considering the instigator's perspective
Preventing workplace violence: considering the instigator's perspective

A complex set of biological, psychological, sociological, contextual and environmental factors are involved when a perpetrator decides to commit an act of workplace violence. In many cases, the perpetrator doesn’t really want to become violent; rather, they are seeking to achieve an outcome and mistakenly believe violence is their only option. An underused approach to preventing workplace violence is to consider the issue from the perspective of the instigator, to seek to understand their grievances, and to suggest alternative solutions, says James Cawood, President of Factor One Inc. “It’s helpful to consider their perspective at a point of time, and how do I use that information in a way that explores the issues and influences them to seek other means of achieving their goals without violence?” suggests Cawood. Preventing workplace violence An underused approach to preventing workplace violence is to consider the issue from the perspective of the instigator Factor One specialises in violence risk management, threat assessment, behavioural analysis, security consulting and investigations. Cawood will present his insights into preventing workplace violence in a session titled “Workplace Violence Interventions: The Instigator’s Perception Matters” during GSX 2018 in Las Vegas, 23 September. Intervening and seeking to understand the instigator’s viewpoint can direct them away from violence. Often, diffusing a situation can prevent tragedy. Delaying a violent act is a means of prevention, given that the instigator might not reach the same level of stress again. Cawood says several recent examples of workplace violence illustrate the importance of identifying behavioural precursors and intervening. It is difficult to quantify the benefits of such an approach, since no one is keeping statistics on incident that were successfully diverted, he says. Reaching a mutually agreeable solution “Accommodation and appeasement often won’t serve the problem,” says Cawood. “Instead of projecting our needs on what would be effective for us, we must really understand what matters to them and what we are able to do to solve the problem. “It’s about listening and reflecting back to reach a mutual agreement of their perspective of what matters,” he says. “Now we can talk about what’s possible or not. Is there something concrete I can do that is within the rules? Just being heard in depth is a de-escalator of violence.” It’s the same methodology used by hostage negotiators: Listen, reflect back, and come to a mutually agreeable solution. Giving a troubled employee a severance package – money – might not address their underlying complaints For example, giving a troubled employee a severance package – money – might not address their underlying complaints. “We may not have solved the underlying problem as they perceive it,” says Cawood. “They may feel disrespected or picked on. There may be an underlying mental condition, such as paranoia, or a grandiose sense of self-worth, underlying filters that have nothing to do with money.” GSX networking and education GSX is the new branding for ASIS International’s trade show, attended by more than 22,000 worldwide security professionals  Global Security Exchange (GSX) is the new branding for ASIS International’s annual conference and trade show, attended by more than 22,000 security professionals from 100-plus countries. Cawood’s session will be 24 September from 2:15 to 3:30 p.m. “My purpose is to hone in on an area of workplace violence that is often ignored,” says Cawood. Cawood started out in law enforcement in the 1970s and transitioned to security in the 1980s. His credentials are typical of the high level of speakers presenting at GSX 2018: He holds a Master’s Degree in Forensic Psychology, and a Doctorate in Psychology, is a Certified Threat Manager (CTM), and has successfully assessed and managed more than 5,000 violence-related cases. He is the former Association President of the Association of Threat Assessment Professionals (ATAP) and currently the Vice-Chair of the Certified Threat Manager program for ATAP. Cawood has written extensively on the topic of violence risk assessment, and co-authored a book, Violence Assessment and Intervention: The Practitioner's Handbook. Cawood has been active in ASIS International since the 1980s and sees value in attending GSX 2018. “People from all over the world are coming and being exposed to a common set of topics to use as jump-off points for additional conversations. People from all types of experiences and exposures will be providing information through those lenses.” Knowledge gained from GSX provides a “real chance to drink from a fire hose” and get a deeper understanding of a range of topics. The relationships and networking are another benefit: “Nothing is more powerful than knowing someone face-to-face,” he adds.

How to choose the right storage card for video surveillance systems
How to choose the right storage card for video surveillance systems

With increased demands being placed on safety and security globally, and supported by advancements in IP cameras and 360-degree camera technology, the video surveillance industry is growing steadily. Market research indicates that this worldwide industry is expected to reach an estimated $39.3 billion in revenue by 2023, driven by a CAGR of 9.3 percent from 2018 to 2023. Video surveillance is not just about capturing footage (to review an event or incident when it occurs), but also about data analysis delivering actionable insights that can improve operational efficiencies, better understand customer buying behaviours, or simply just provide added value and intelligence. Growth of Ultra-HD surveillance To ensure that the quality of the data is good enough to extract the details required to drive these insights, surveillance cameras are technologically evolving as well, not only with expanded capabilities surrounding optical zoom and motion range,4K Ultra HD-compliant networked cameras are expected to grow from 0.4 percent shipped in 2017, to 28 percent in 2021 but also relating to improvements in signal-to-noise (S2N) ratios, light sensitivities (and the minimum illumination needed to produce usable images), wide dynamic ranges (WDR) for varying foreground and background illumination requirements, and of course, higher quality resolutions. As such, 4K Ultra HD-compliant networked cameras are expected to grow from 0.4 percent shipped in 2017, to 28 percent in 2021, representing an astonishing 170 percent growth per year, and will require three to six times the storage space of 1080p video dependent on the compression technology used. Surveillance cameras are typically connected to a networked video recorder (NVR) that acts as a gateway or local server, collecting data from the cameras and running video management software (VMS), as well as analytics. Capturing this data is dependent on the communications path between individual cameras and the NVR. If this connection is lost, whether intentional, unintentional, or a simple malfunction, surveillance video will no longer be captured and the system will cease operations. Therefore, it has become common to use microSD cards in surveillance cameras as a failsafe mechanism. Despite lost connectivity to the NVR, the camera can still record and capture raw footage locally until the network is restored, which in itself, could take a long time depending on maintenance staff or equipment availability, weather conditions, or other unplanned issues. Since microSD cards play a critical role as a failsafe mechanism to ensure service availability, it is important to choose the right card for capturing video footage.  It has become common to use microSD cards in surveillance cameras as a failsafe mechanism if an NVR breaks Key characteristics of microSDs There are many different microSD cards to choose from for video capture at the network’s edge, and they range from industrial grade capabilities to commercial or retail grade, and everything in-between. To help make some of these uncertainties a little more certain, here are the key microSD card characteristics for video camera capture. Designed for surveillance As the market enjoys steady growth, storage vendors want to participate and have done so with a number of repurposed, repackaged, remarketed microSD cards targeted for video surveillance but with not much robustness, performance or capabilities specific to the application. Adding the absence of mean-time between failure (MTBF) specifications to the equation, microSD card reliability is typically a perceived measurement -- measured in hours of operation and relatively vague and hidden under metrics associated with the camera’s resolution and compression ratio. Therefore, when selecting a microSD card for surveillance cams at the edge, the choice should include a vendor that is trusted, has experience and a proven storage portfolio in video surveillance, and in microSD card technologies. Endurance, as it relates to microSD cards, represents the number of rewrites possible before the card can no longer store data correctly  High endurance Endurance, as it relates to microSD cards, represents the number of rewrites (program/erase cycles) that are possible before the card can no longer store data correctly. The rewrite operation is cyclical whereby a new stream of footage replaces older content by writing over it until the card is full, and the cycle repeats. The higher the endurance, the longer the card will perform before it needs to be replaced. Endurance is also referred to in terabytes written (TBW) or by the number of hours that the card can record continuously (while overwriting data) before a failure will occur. Health monitoring Health monitoring is a desired capability that not many microSD cards currently support and enables the host system to check when the endurance levels of a card are low and needs to be replaced. Having a card that supports this capability enables system integrators and operators with the ability to perform preemptive maintenance that will help to reduce system failures, as well as associated maintenance costs. Performance To capture continuous streams of raw footage, microSD cards within surveillance cams perform write operations about seventy to ninety percent of the time, whereas reading captured footage is performed about ten to thirty percent. The difference in read/write performance is dependent on whether the card is used in an artificial intelligent (AI) capable camera, or a standard one.   microSD cards deployed within surveillance cameras should support temperature ranges from -25 degrees Celsius to 85 degrees Celsius Finding a card that is write-friendly, and can provide enough bandwidth to properly capture streamed data, and is cost-effective, requires one that falls between fast industrial card capabilities and slower commercial ones. Bandwidth in the range of 50 MB/sec for writes and 80 MB/sec for reads are typical and sufficient for microSD cards deployed within surveillance cameras. Temperature ranges Lower capacity support of 32GB can provide room to attract the smaller or entry-level video surveillance deployments As microSD cards must be designed for continuous operation in extreme weather conditions and a variety of climates, whether located indoors or out, support for various temperature ranges are another consideration. Given the wide spectrum of temperatures required by the camera makers, microSD cards deployed within surveillance cameras should support temperature ranges from -25 degrees Celsius to 85 degrees Celsius, or in extreme cases, as low as -40 degrees Celsius. Capacity Selecting the right-sized capacity is also very important as there needs to be a minimum level to ensure that there is enough room to hold footage for a number of days or weeks before it is overwritten or the connectivity to the NVR is restored. Though 64GB is considered the capacity sweet spot for microSD cards deployed within surveillance cameras today, lower capacity support of 32GB can provide room to attract the smaller or entry-level video surveillance deployments. In the future, even higher capacities will be important for specific use cases and will potentially become standard capacities as the market evolves. When choosing the right storage microSD card to implement into your video surveillance system, make sure the card is designed specifically for the application – does it include the right levels of endurance and performance to capture continuous streams – can it withstand environmental challenges and wide temperature extremes – will it enable preventative and preemptive maintenance to provide years of service? It is critical for the surveillance system to be able to collect video footage whether the camera is connected to an NVR or is a standalone camera as collecting footage at the base of the surveillance system is the most crucial point of failure. As such, failsafe mechanisms are required to keep the camera recording until the network is restored.