Last Updated on 6 March 2023.
General Data Protection Regulation (GDPR) has drastically changed how we approach and process personal data, which includes the capturing and handling of CCTV footage, believe it or not!
It is important for businesses of all sizes to understand their regulatory requirements to avoid breaches which could lead to fines and reputational damage.
Before we get into it, let’s first get ourselves acquainted with GDPR and what it actually is…
So, what is GDPR?
GDPR came into force on 25th May 2018 and replaced the EU Data Protection Directive 1995. Whilst the UK left the European Union (EU) following this, EU GDPR still applies to the processing of EU residents’ personal data.
Other than this, UK GDPR is enforced via the Data Protection Act 2018, which applies to the processing of UK residents’ personal data.
Both regulations are very similar, so complying with one is likely to mean you are complying with the other. There are some differences, which you can read more about here.
The main premise of both is protecting people’s…
- Right to be informed
- Right to restrict processing
- Right to object
- Right to erasure
Amongst other rights in relation to automated decision-making, profiling, and overall data retention.
The fundamental purpose of GDPR is to ensure that organisations have a clear purpose for collecting personal information, whilst giving individuals the power and control to mediate, amend or remove their data from the companies who store it.
The secondary purpose of GDPR is to ensure companies storing personal data implement the appropriate security measures to prevent breaches or misuse of that data. In the event that any data has been compromised, this must be disclosed.
The maximum fine for a GDPR breach is £17.5m or 4% of annual global turnover – whichever happens to be greater.
Not all breaches or infringements do lead to fines; some lead to warnings, reprimands or temporary bans, as well as the rectification of the breach itself. However, this is largely discretionary and based on the severity of the breach and the frequency of infringements that have been left unrectified.
Businesses have a responsibility to understand GDPR, its purpose and its functions, which includes reviewing the use of CCTV (and factoring it in if you’re having CCTV newly installed).
Your experts at WFP can give you advice on this!
Don’t despair if you’re not completely up-to-speed with all of the information on GDPR and CCTV. A survey conducted by Hiscox found that 39% of SME business owners don’t know who GDPR affects.
At WFP, we’re all about encouraging best practice through education. So, this article isn’t designed to point fingers and tell you where you’re going wrong, but to help equip you with the knowledge you need to implement a compliant system fit for your needs.
Here are 6 steps and process to comply with GDPR:
1. Reason: Is your CCTV system justified?
Up until GDPR came into force, anyone and everyone could install a CCTV system without really thinking about the consequence of this action.
Once someone is collecting recognisable images from your CCTV system, then that is considered as managing personal data.
The reality of that means they’re technically acting as a Data Controller, which comes with responsibilities. A Data Controller, must first and foremost, be able to justify obtaining the use of personal data by means of a CCTV system.
If you are placing cameras around the perimeter of your site to detect intruders, it should be quite easy to justify this from a protection point of view.
If you have installed a camera to monitor employees, this isn’t as straight-forward. This can be seen as an invasion of privacy. Therefore, you’d need to prove that the cameras are there for a legitimate reason, such as a health & safety provision due to past incidences, whereby CCTV would be used to monitor, evidence and train staff as a mechanism for future mitigation.
When you are capturing images where someone would expect privacy, then justification of the need is even more important. For example, in rest areas or a public walkway – if there has been an obvious level of security incidences, then this must be proven to allow for these cameras.
It is important to carry out a risk assessment (Data Protection Impact Assessment, or DPIA) or operational requirements questionnaire to itemise each camera, the intended viewing area and the reason for the camera.
2. Inform: You must inform people of the CCTV’s presence.
As the purpose and justification of the CCTV has been identified, it’s important next to let people know (through the use of signs with a contact number for anyone wishing to ask questions) they are being captured on CCTV.
This should also include the purpose of the CCTV, as well as the contact details of the Data Controller/Data Protection Officer.
If you are installing CCTV within your workplace then it is important to tell your employees, both to comply with the law but also to ensure you’re not impinging trust amongst your workforce. If you choose not to inform them then (depending on the location of cameras), you could be violating their privacy under the Human Rights Act 1998.
There are some exceptions to this, for example, you are trying to prove a staff member is committing a crime at work, which would be hard to do if they were aware of the surveillance. This is only acceptable in certain circumstances and the recording should cease/be discarded once the investigation has been concluded.
When it comes to CCTV audio recording, the law states that conversations between members of the public are not allowed to be recorded; exceptions being where there are panic buttons or in areas within police custody.
Again, it is only acceptable to introduce audio recording at your workplace if the purpose is justifiable, and everyone being recorded will need to be made aware that both sound and video are being captured by the CCTV cameras.
3. Retain: A Data Controller needs to justify reasons for storing and retaining data.
It is generally about 30 days’ retention. If you feel you need to retain CCTV data for longer, then your risk assessment should state how long and why. A modern CCTV system will allow you to set retention limits on a per-camera basis.
It’s also important for any company retaining data to collect and retain as minimal data as required; thereby deleting unnecessary footage as common practice.
Similarly, a business can take further precautions by limiting how many individuals can access surveillance footage, e.g., restricting it to only relevant roles, such as security personnel or management, and only where it is required in helping them fulfil their duties. Securing the access via secure storage with passwords/encryption is also a savvy way to enhance GDPR protection.
4. Permit: Access requests for personal data.
GDPR law states ‘Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage’.
This is referred to as “reasonable access requests”.
So, anyone who is captured by your CCTV cameras has the right to request that footage, as it’s seen as their personal data. They must follow a procedure, but are perfectly within their rights. If any other individuals are visible within that footage, there would need to be some form of footage redaction, e.g., blurring out the faces of the other individuals shown in the picture.
5. Assist: Supply of CCTV images to the Police.
The Police may request footage from you if it would support a case they are investigating. Police will often just want to view the footage on the premises of the Data Controller, and this action wouldn’t raise any data protection concerns due to its nature and purpose.
6. Ensure: Responsibilities of security companies.
Security companies, like us here at WFP, can act as a Data Processor under GDPR. The company employing the security company should have a contract in place which details the extent of what the security company can do with that data, what standards are in place, as well as the verification procedures.
Businesses will be open to data breaches if a third party can distribute or remove personal data in the form of CCTV images where there is the absence of the above protocols.
A reputable security service provider will automatically adhere to all GDPR regulations.
Taking the above into consideration, businesses and commercial premises need to look at their security arrangements and ensure there are no existing or probably breaches of regulations.
An innocent oversight could result in a hefty penalty for your business. It is not acceptable to plead ignorance of the laws associated with CCTV, and GDPR generally.
Whilst it is quick and easy to purchase and install your own passive CCTV system, without the input of a professional security service provider, you can leave yourself open to prosecution/fines.
Want to learn more about CCTV?
WFP is third-party accredited by SSAIB for CCTV Systems.
Contact our team today for a free consultation to discuss your CCTV upgrade or new installation for your business or commercial premises.
This article has been co-written by WFP’s CCTV brainiac, Scott Wright, and your favourite safety spokesperson, Verity Stone.