The relationship between CCTV and GDPR

November 30, 2017

From the 25th May 2018, new legislation called the General Data Protection Regulation will be introduced by the European Union. With this new legislation, the way we capture and handle CCTV footage will change to fit with the new guidelines presented by the EU.

Once it has been implemented, businesses must learn to adapt to the new regulations and understand the penalties they may face if they don’t.

Businesses can face a penalty of 4 percent of global annual turnover if they neglect the new regulation. In this article, we discuss how you can make sure that your business is working within the framework of the GDPR rules once they’re introduced.

What to know before GDPR is introduced

Many businesses have CCTV within their premises, whether this is to protect assets or to protect their staff – but now you must have a strong reason for its placement. An example of this would be to help protect employees when it comes to health and safety, or to capture footage of any incidents that occur within the company.

Video surveillance that allows employers to spy on their staff is against the rules of this new regulation – although if you feel you need CCTV in areas where they are operating, you must compile an operation requirement (OR).

CCTV in public spaces can be tricky, as people who expect privacy in certain areas can make an objection. This applies to places such as canteens, break areas and public spaces. If you are able to highlight a security risk that could be minimised through using CCTV, it is more likely that the CCTV will be accepted in these places. Again, think of the OR.

If you have CCTV, you’re instantly collecting personal data from everything being captured on camera. To inform people who operate in and around your business, you should have a disclosure to tell them that CCTV is in use and that they could be captured on any footage that is obtained. A common method is to have signs that are clear and feature a number for those who want to contact the CCTV operators if they have any queries.

Once you’ve captured the data, it can normally be retained for 30 days. If you need to keep it for a longer time period, you need to carry out a risk assessment that explains the reasons why. Images and videos that you acquire through your CCTV system might be requested by the police. 2020 Vision, who provide access control systems, recommend that you make sure they have a written request. Police will usually view the CCTV footage on your premises, and this would not warrant any concerns about a leak of the data.

With the new regulation coming into play, it is important to understand that your security supplier will become your data processor – make sure to have a contract in place that specifies what they can and can’t do with any data collected. Data breaches are a possibility when sharing data with a third party, so you need to be extra careful when it comes to handling it.
