Your CCTV cameras might be breaching GDPR — here’s everything you need to know

April 12 14:00 2019 Print This Article

For small business owners, a burglary can have a substantial financial (as well as emotional) impact. SMEs must be vigilant not only in arming their premises, but also in the way in which they handle the security process.

The words General Data Protection Regulation (GDPR) are ingrained on the minds of businesses and consumers alike. After four years of EU-led negotiation, May 2018 saw an international rollout to bring European data regulation into line with the new ways in which data is used, introducing tougher penalties for those that breach these regulations.

But how much is known about GDPR’s impact on more physical security practices, such as the way that CCTV footage is captured and handled?

Your obligations to employees
GDPR-compliant products currently do not exist, which makes human awareness of legislation even more important.

The UK is often cited as being one of the most surveilled nations globally, with up to 5.9 million CCTV cameras in operation in 2015. Businesses from small convenience stores to large office buildings have surveillance systems in place, whether it be for security, monitoring or health and safety purposes. While the use of cameras on business premises naturally deters burglars, owners and senior personnel must remain vigilant as even employees have a right to privacy.

Recent legislation means that business owners are not only obliged to disclose that cameras are in use, they also now need a valid reason to install CCTV systems in the first place – this could be to protect assets, to gain a clearer understanding about employee wellbeing, or to capture footage of potential incidents.

Businesses using closed-circuit surveillance must appropriately communicate to employees the legal basis for using it, and camera positioning must be both reasonable and proportionate. Employees themselves are able to protest against use of CCTV in a certain area.

Clearly displayed signs (usually with a contact number) on your business’ premises should be present to inform people they are being recorded.

Your obligations to members of the public
GDPR also creates an obligation from businesses to members of the public, who are able to request that images of themselves captured on a firm’s CCTV system are shared with them. Businesses must provide this footage to those who ask for it within 30 days.

Should there be a significant number of requests, fulfilling these would be manual and a significant drain on resources, as other people’s identities must be blurred out (something that would usually have to be done on a frame by frame basis). However, there are firms that are developing software that automatically does this for a business, which is something that those with CCTV systems should consider.

Storing footage the right way
Retention of video captured by CCTV cannot be indefinite. Thirty days is not uncommon, but if footage needs to be kept longer, GDPR legislation states that a risk assessment must be carried out to document the reasons why. For instance, a retailer would have no reason to keep CCTV footage for six months, as any crimes would have been reported and footage reviewed in that time.

The original article was posted here:

  Article "tagged" as:
view more articles

About Article Author

GDPR Associates
GDPR Associates

View More Articles
write a comment


No Comments Yet!

You can be the one to start a conversation.

Add a Comment