As most of us are well aware by now, from 25th May 2018, every EU country will be subject to the new General Data Protection Regulations (GDPR), changing the way personal data is handled by strengthening compliance requirements and introducing strict penalties for failing to adequately protect personal data.
All UK businesses must be conscious of the new rules and make the necessary changes, since non-compliance can result in data breaches and massive fines of up to 20 million Euros, or 4% of turnover - whichever is highest.
The British Security Industry Association (BSIA) holds that there are a staggering six million active CCTV cameras currently being used in the UK. Most businesses of all types and size will be using some type of CCTV, whether it be for security purposes, health and safety or monitoring.
People’s rights and freedoms cannot be overridden, as employees at work still have a right to privacyRight to privacy
What businesses need to be aware of though, is that the images and footage of people captured by their surveillance system is classified as personal data under GDPR, which means that those who operate this type of surveillance must ensure that they are complying with the new regulations.
Under GDPR, those who operate CCTV cameras must be able to demonstrate that there is a strong, transparent, ‘fair’ reason for doing so. People’s rights and freedoms cannot be overridden, even at work – employees still have a right to privacy.
If you haven’t done so already, you should immediately conduct a full data privacy impact assessment, as recommended by the Information Commissioner’s Office (ICO) code of practice. This will help you determine if there is a legitimate reason for processing data through CCTV footage, while ensuring that you are not excessively impacting the privacy rights of the people captured.
Justifying privacy impact assessments
If you are unsure of how to carry out a privacy impact assessment, there are experts out there who can help you
An example of legitimate justification would be a construction site owner introducing wireless CCTV cameras to monitor and secure their site from would-be criminals. In this case, to meet legitimate purpose, the footage must be of sufficient quality and the images captured must be readily available for police examination if such a request is made.
An illegitimate reason, on the other hand, would be the installation of CCTV purely to track the behaviour of employees, which could be viewed as an invasion of privacy. However, if you can say it is there for health and safety purposes, with evidence to back this up, you might then have a justifiable explanation.
If you are unsure of how to carry out a privacy impact assessment, there are experts out there who can help you.
Under GDPR, ‘transparency’ is important when processing data, which means data subjects, i.e. those whose images are captured by CCTV, are entitled to know that they are being filmed, which means you must inform them of the CCTV presence.
To best ensure you are upholding this rule, it is a good idea to display prominent, unambiguous signs within the CCTV area to communicate that you are capturing footage and give people a number to contact for more information.
Not only does this inform people that they could be under surveillance, but by placing prominent signage you are also helping to deter trespassers, who are less likely to enter a premises if they know might be filmed.
Those whose images are captured by CCTV are entitled to know that they are being filmed
One of the main aspects of GDPR is that personal data cannot be stored forever; it must only be kept for as long as its purpose requires (usually 30 days is recommended). As such, every camera your business operates will have to be assessed in order to ascertain how long footage is to be retained and why.
Each case will be subjective and there are no hard and fast rules as to the ideal retention period. It is up to you to determine an acceptable period, taking into account people’s rights when deciding what is best. The upside is most modern CCTV cameras will allow the operator to set specific data retention limits.
Individuals can request access for free under the new GDPR, making the likelihood of requests higherResponding to data requests
As it falls under personal data, people can request access to CCTV footage which relates to them and the CCTV operator is required to disclose it. However, you must ensure that the person requesting to see the footage is the person who is present in it.
By providing access to the footage, you must be wary not to disclose any personal data of other people, which may mean blurring out sections of the footage (e.g. containing number plates or images of other people) is necessary to avoid data breaches.
Moreover, once a request for data access has been made, this must be provided without delay and within one month at the latest. This can be extended by two months where the request is complex or numerous.
As such, you should ensure that there are appropriate policies in place within your working environment to ensure that employees know how to respond to individual data requests.
Under the old rules, there used to be an admin fee for such requests, but this has been scrapped and now individuals can request access for free under GDPR, making the likelihood of requests higher.
GDPR awareness among security service providers
It’s always important to use a highly reputable security service provider who should be well aware of the GDPR rules Under GDPR, security suppliers are ‘data processors’, which means that the clients of them should have contracts in place outlining what the security supplier can do with the data.
As such, you must ensure that sub-contractors working for your business, such as security suppliers, installers or engineers, are following the rules too.
You will be opening up your business to potential data breaches if you are allowing such third parties to access, remove or distribute personal data captured by the CCTV.
This is why it’s always important to use a highly reputable security service provider who should be well aware of the GDPR rules. If you don’t know, just ask!
Ensuring fair usage
The introduction of GDPR is certainly going to pose some interesting challenges for all businesses and how it unfolds is yet to be seen.
The tighter regulations show that it is no longer acceptable to not be aware of or not understand the rules surrounding personal data and that such breaches will be taken seriously.
However, they should certainly not discourage CCTV use, but instead operators should seek to guarantee fair usage is upheld and take steps to ensure that people know how and why they are being recorded.