Does your business have CCTV?
How to be compliant under GDPR legislation

You’ve probably heard of the General Data Protection Regulation (GDPR) by now, and may be wondering whether you still need to make your business compliant, especially around the use of CCTV across your premises. The deadline for making the appropriate changes was 25th of May 2018; missing it risks possible penalties of 4% of turnover, which could be very detrimental to your business.

GDPR is a piece of legislation implemented by the European Parliament to help strengthen data protection across the continent. Although the UK is set to leave the European Union, we will adopt this legislation to ensure that no organisations suffer as a consequence of the EU departure, and to support businesses within the UK that have European consumers.

The Information Commissioner’s Office (ICO) regulates and enforces GDPR in the UK, and it is law that all businesses register with them if they are processing data. One area that is often overlooked is CCTV, and the processes and documentation needed to be compliant can be complicated.
We can help your business make informed decisions regarding the use of CCTV in relation to GDPR, allowing you to comply with the changes and understand the brutal consequences if you do not.

If you think that your business could be prone to a penalty, or just want to make sure that the changes you have already made align with the framework, continue reading and contact our team of experts today.

What your business must consider regarding GDPR

Although CCTV has been a popular security option for businesses to help deter crime, your organisation will need to have a strong reason for its placement and show the correct authorities that it is serving a specific purpose regarding the protection of your business. An example of this would be using CCTV to monitor the health and safety of your employees and to capture footage of any incidents that could occur within the business.
However, it must be noted that you will not be able to ‘spy’ on your employees, and CCTV placement should be justified by compiling an operational requirement. GDPR makes it easier for workers to object to video surveillance in specific areas where they might expect privacy, as they instantly become data subjects along with suppliers, customers and other visitors on the premises.
With this news, more businesses are taking a ‘privacy by design’ approach which has become a focus regarding GDPR. Although privacy by design is not specifically about data protection, it’s designed so that data does not need protection. GDPR states that data controllers must put technical and organisational measures in place to minimise the amount of data processing. Data controllers should only process data when it’s necessary.
With privacy by design becoming a hot topic in the security industry, businesses are recommended to carry out Data Privacy Impact Assessments (DPIAs), which can help identify and reduce potential privacy risks that could harm personal information. A privacy policy for the operation of your business should be available at all times, and your business must now be registered with the Information Commissioner’s Office (ICO).
You will be able to get around this by highlighting a security risk that could be minimised through having CCTV in those areas where placement is likely to get the go-ahead.

Capturing Data

Depending on CCTV placement, video surveillance begins capturing data which is by law personal data. Because of this, it is vital that you have CCTV signage which will act as a disclosure to those who could potentially be within the frame of your camera and end up captured in the footage. We recommend that your signs include contact information for your business and/or your security provider to give passers-by the option of calling if they have any queries.

The data that you capture on your CCTV can be retained for 30 days in total; however, it can be kept longer if needed (a risk assessment will be required explaining the reasons why).
Images and videos that you acquire through your CCTV system may be requested by the police. Make sure that they have a written request, as this becomes a justifiable reason for keeping footage longer than the recommended 30-day period. Police will usually view the CCTV footage on your premises, and this would not warrant any concerns about a leak of the data.

As GDPR makes it easier for people to prosecute a business for inappropriate handling of data, which could be a data breach, your security supplier will become your data processor under GDPR. If you use a security company for your CCTV, you must have a contract in place which outlines what they can and can’t do with the footage they collect from your premises.

As data breaches are a risk, especially when sharing data with another organisation, it’s important that it is properly secured or encrypted where possible and never shared on social media without the consent of the data subjects involved. 

If you would like more advice on how to deal with your CCTV to remain compliant under GDPR, contact us today.
We can audit your current CCTV system and highlight any areas of exposure to GDPR. As we are independent from the system suppliers, we can clarify a lot of the “myths” around what you can and can’t do when protecting your premises, without potentially unnecessary additional hardware upgrades.
Our team of qualified experts can tailor your DPIA and Privacy Policy to meet the requirements under GDPR whilst maintaining the level of practical security for your business. We can guide you through the complicated ICO registration process to ensure you are fully compliant.