Over the last few years, the digital world has been dominated by talk of personal data and GDPR. If you're not aware of what exactly GDPR means, it stands for General Data Protection Regulation. GDPR became law in May 2018 and has modernised the laws that protect the personal information of individuals.
But what exactly counts as 'personal information'? Is CCTV footage personal data? What do companies have to do to be compliant when it comes to video surveillance?
In this blog, we try to answer all of these questions, looking at how GDPR impacts the use of CCTV for businesses and the measures that must be taken in order to become GDPR-compliant.
CCTV and GDPR
You may be slightly surprised to learn that CCTV footage is in fact subject to GDPR, which is not just concerned with written information such as names and addresses. GDPR relates to any information that can identify an individual, which includes images and videos. For this reason, CCTV has become subject to new regulations relating to the personal information of the people it records.
So, when asked "is CCTV footage personal data?", the answer is now yes!
But what does this mean for businesses that use CCTV cameras for surveillance and security purposes? Let's take a look.
What businesses using CCTV need to do
When it comes to the businesses that utilise CCTV for security purposes, there are several things that they must comply with. We take a closer look at these below.
Ensure your customers know they are being recorded
The first and most important thing for any business that uses CCTV to do is to ensure all customers know that they are being recorded. Transparency is one of the core principles of GDPR, so this is extremely important.
You must state why you are using CCTV
Under GDPR regulations, you are required to state why you are using CCTV; it's not enough to just say that you are using it to collect personal data.
This is where the regulation's six lawful bases for processing come in. Each basis may be suitable for using CCTV in different circumstances:
- A contract with the individual
- Compliance with a legal obligation
- Vital interests
- A public task
- Legitimate interest
- If consent is given
Take control of who can access CCTV footage
One of the most commonly asked questions regarding CCTV and GDPR is: who can view CCTV footage? This is very important when it comes to being GDPR-compliant and something that needs to be considered by all businesses using CCTV.
If you don't control who views the CCTV footage you gather, your monitoring practices could potentially do more harm than good. GDPR requires that personal information should only be accessed by those who need it to complete specific job functions, which generally means security and management personnel and not regular members of staff.
This means that you may have to keep footage in a secure location where only chosen employees can access it. Physical tapes should be locked away and digital files should be saved in folders that are subject to access controls.
When CCTV footage is no longer required, delete it
GDPR regulations state that you can only store personal information for as long as it's necessary for the purpose for which it was collected, and you must outline that period of time before you start processing data.
Most businesses will have a retention period for the footage that they collect, because storing information for an indefinite amount of time becomes impracticable. Physical space runs out, as does memory on hard drives.
Therefore, you should establish a system that deletes any outdated footage once the retention deadline has passed.
Complete a DPIA
Before installing a CCTV network, you must ensure that you have completed a data protection impact assessment (DPIA).
This assessment helps businesses to identify and reduce the risks involved with data processing that is likely to result in a high risk to the rights and freedoms of the individuals being recorded.
A DPIA helps businesses to determine solutions to potential issues and helps to ensure any footage gathered is adequate for its intended use.
What happens if you're not compliant?
For businesses that do not follow GDPR regulations, substantial fines can be given.
Violations of GDPR can attract fines of up to £20 million, or 4% of an organisation's global turnover, whichever amount is greater. In recent times, British Airways and Marriott International have been subject to such fines, totalling £282 million for GDPR violations.
Fines of this size may not be applicable to CCTV practices, but they are evidence that the protection of personal information and data is taken very seriously and does come with extreme punishment when required.
Our CCTV camera systems
Here at IDS Security Systems, we supply businesses all over the UK with high-quality CCTV cameras that help keep their premises safe and secure.
From conventional CCTV cameras to digital IP cameras, our expert installers can assess your requirements and provide the most appropriate CCTV security system for your premises.
Systems integration allows you to combine your CCTV cameras with access control, making it easier for your business to remain GDPR-compliant! Want to know more? Visit our CCTV page below.
Our CCTV Security Cameras >
For more information regarding our CCTV cameras and how IDS can help your business remain GDPR-compliant, be sure to get in touch with a member of our team today by calling us on 029 20 753 251 or emailing us at firstname.lastname@example.org.