Implications of GDPR on CCTV

29 September 2017

Why will GDPR affect CCTV?

It’s likely you’ve heard that GDPR will be introduced in May 2018. You may also have heard that it’s essentially an updated and stricter version of the Data Protection Act and if you breach regulations, you could be subject to some pretty hefty penalties. But, are you aware of the impacts the introduction of GDPR will have on CCTV?

The new GDPR regulations place more importance on the individual’s rights regarding their personal data and focus on protecting personal data from commercial abuse. Businesses must be able to justify their need for personal data, gain explicit consent from the individual, ensure the security of data at all stages and keep detailed records of the entire process.

So, why will this affect CCTV?

CCTV captures data by recording images of people. Seems pretty obvious now, right?  

What you need to do

If you comply with the current regulations under the Data Protection Act, then there shouldn’t be too many changes you need to make for GDPR. There does, however, need to be open communication from all sides and records of everything.

Justify your need for CCTV

Businesses maintain the right to use CCTV on their premises in the appropriate places. However, they now need to justify their CCTV requirements and assert legal grounds for their implementation. IT Governance advises that ‘the most appropriate grounds will probably be legitimate interests or legal obligations’. Businesses want to keep their grounds safe and secure, an understandable and justifiable ‘legitimate interest’. Or they may have ‘legal obligations’ to keep their employees and customers safe.

Justification of CCTV surveillance also dictates that businesses must be able to clearly show how they are using the data they record and that they are using it for its original purpose only. Their CCTV footage must meet the requirements that allow them to successfully enforce the activity they used as justification for their CCTV implementation.

‘For instance, if the purpose of holding data is to identify individuals engaged in criminal activity, the footage should be of sufficient quality to do so and be available to the police should they request to view it’ (IT Governance).

Making the proper preparations and using the correct CCTV equipment for the intended purpose will act as evidence that cements their justification.

Clarity of consent

Much of the GDPR regulation focuses on gaining explicit consent from individuals that permits you to keep records of their personal data. Obviously, CCTV is a little different to an email address or a phone number.

Businesses are entitled to monitor their employees in the working environment but, because companies must be able to readily justify their lawful basis for CCTV monitoring under the new GDPR regulations, they must also ensure that they communicate the presence of, and reasoning for, surveillance explicitly to anyone being captured by the cameras.

An employee should absolutely be aware that CCTV is in action before they sign any job contract. Equally, any customers should be aware of the presence of CCTV on any premises. As Net Watch System reports: ‘the purpose for the data being collected should be clear. This is especially important if the purpose is not obvious. If it is for employee monitoring or health and safety, this needs to be highlighted to persons being captured by the cameras’. This does not mean you have to go around informing every single customer about the CCTV and asking their permission to keep your cameras on – obviously any objections would defeat the point of implementing surveillance for security purposes. Instead, there must be clearly labelled, unambiguous signs that convey CCTV usage. Customers and visitors therefore have the choice to leave the premises if they do not want to be recorded.

Ensure data security and access meets requirements

As the new GDPR regulations aim to better protect personal data, they will force businesses to harden their security measures for the data they retain. GDPR Report states: ‘CCTV systems are inherently vulnerable to cyber-attacks when connected to the Internet and the security and privacy of the data they hold is best ensured by physically restricting access to them’. You may never have considered the security of your CCTV cameras themselves, but you will have to under the new GDPR regulations.

Furthermore, almost any security system nowadays is connected to the cloud. Those that are not connected to the cloud run the risk of violating the forthcoming regulations. For those that are, it is absolutely essential that businesses ensure their security provider is up to date with the new legislation or they may incur a penalty. We advise that you oversee your entire data protection process so that you’re not caught out. Because of the strictness of the forthcoming GDPR legislation, it is best to employ or consult a security agency such as KM Security.

And finally: keep detailed records of the whole process

GDPR will help enforce transparency of data accumulation. Keeping detailed records of your reasoning, consent and storage processes will protect your business, your employees and your customers. 

If you’re unsure whether your current security practices will meet the new GDPR regulations, speak to one of our security specialists here or phone us on 0800 468 1900.
