The General Data Protection Regulation, or GDPR as it is more commonly known, is a privacy and data protection law within the European Union (EU) and the European Economic Area (EEA). Despite opting to leave the European Union, the United Kingdom (UK) also uses the UK General Data Protection Regulation, which is currently identical.
For businesses, the legislation raises a number of potential challenges related to how data is obtained, handled, and kept secure. Companies are obligated to comply with the regulations, and this can affect a number of areas, but one of the most significant is video surveillance, whether the system is on-premises or cloud-based.
In this article, we explore how you can stay GDPR compliant, while rolling out video surveillance.
Notifying people about CCTV
According to the Information Commissioner’s Office (ICO), one of the fundamental rights afforded to people under data protection legislation, including GDPR, is that businesses notify them when they are being filmed. In simple terms, this means you must let people know you have a CCTV system in place.
Crucially, this applies to people regardless of whether they are employed by you or not, so customers and staff alike require notification. In truth, compliance with this aspect of the legislation is not complicated, and there are a number of ways people can be notified. By far the most common and simplest, however, is to use a sign.
Sign display stating CCTV is in operation
With this method, all you need to do is clearly display a sign explaining that CCTV is in operation, with a brief description of the purposes behind it. Some of the most common reasons given on signs of this kind include ‘for the purposes of crime prevention, detection, and prosecution of offenders’ and ‘for the purpose of public safety’.
The sign should also disclose the name and contact details of the company responsible for controlling the data. If CCTV is handled entirely in-house, this will be your business’s contact information. However, many companies turn to a video surveillance as a service (VSaaS) option, and in that case you need to provide the details of your VSaaS provider.
Responding to access requests
An aspect of the GDPR legislation that is sometimes overlooked is the requirement to respond swiftly to access requests. As the UK Government website explains, anyone is entitled to ask to see the images you have recorded of them, and you will usually be required to respond by providing access to the footage.
The footage will usually need to be provided to the person making the access request within one month of the request being received. Additionally, access should be provided free of charge. Requests can be made verbally or in writing. Footage that has already been deleted does not need to be recovered and provided.
In order to comply with these requirements, you need to ensure that the footage collected by your video surveillance system is kept secure and is accessible to those responsible for responding to such requests. A modern cloud surveillance system can assist with this by providing continuous remote access.
Further compliance requirements
Aside from notifying people that CCTV is in operation and responding swiftly to subject access requests, there are a number of other requirements that businesses need to be aware of in order to fully comply with GDPR. It is worth noting that most good VSaaS providers will be able to assist you in this area too.
Video surveillance is increasingly combined with technologies such as artificial intelligence (AI) so that businesses can use the footage for analytics purposes, but this raises some potential difficulties. For instance, an IT Pro Portal article on CCTV and GDPR points out that companies need to be collecting and processing anonymized visual data. There are also requirements to provide access to footage to law enforcement agencies upon request.
Need for a clear policy on the data collected
Data controllers should have a clear policy on what data they are collecting, why it is being collected, how it will be used, and how long images and/or footage will be stored.
The legislation states that data should only be kept for as long as it is needed, and this time frame should be determined and justified in advance.
Regularly scheduled audits to ensure full GDPR compliance
Access to the data should be restricted to only those who actually need it in order to carry out their jobs.
Regularly scheduled audits should be carried out to ensure your company is fully GDPR compliant. You should also carry out a Data Protection Impact Assessment, which is essentially a GDPR-focused risk assessment required under the legislation, any time you begin a project that may involve a high risk to personal data.
Final thoughts
Complying with GDPR is essential for businesses operating CCTV in the European Union (EU), European Economic Area (EEA), or the United Kingdom (UK), and the penalties for failing to comply fully can be severe. While it can be beneficial to discuss the matter with VSaaS providers and other experts in the field, compliance can be managed in-house too.
Some of the main things to be aware of in this area include clearly displaying a sign informing people that CCTV is in operation, responding to subject access requests, and ensuring data is stored for no longer than necessary. Audits and risk assessments have a key role to play, and customers also have the right to request the deletion of the personal data you hold about them, as long as this request is reasonable and possible to achieve.