How Will GDPR Affect CCTV Users?
In the past couple of weeks you no doubt have noticed the avalanche of emails from companies asking you to confirm that you still want to receive marketing materials from them. This is because of the impending onset – on May 25th – of GDPR. For those living in blissful, blissful ignorance, GDPR (or the General Data Protection Regulation) is a landmark new piece of EU legislation that dictates how companies can use your personal data. This has massive implications for industries such as email marketing, which now requires companies to ensure that customers have actively opted in to receive communications…hence the emails.
What is getting less attention, however, is that GDPR also has massive implications for any company that uses CCTV. Whilst it can be tempting for smaller businesses to assume that they can fly under the radar, the potentially massive size of the fines should make all business owners sit up and pay attention – up to 40% of revenue, or €20,000,000, whichever is bigger! The good news is that most of the legislation that concerns CCTV basically just reinforces the existing best practice, as recommended in the Information Commissioner’s Office code of practice. The most important changes concern how CCTV users’ roles are defined, but it also potentially makes it easier for an employee or customer to object to being recorded if they feel that there is no reasonable justification for a camera to be set up.
So, just how will GDPR affect CCTV? We’ve put together a list of a few things to consider when assessing whether your system is GDPR compliant. This is most definitely not an exhaustive legal checklist for compliance, but should help CCTV users navigate some of the common pitfalls. As you will see, so much of the new legislation is about ensuring that you have documented procedures and guidelines for whoever has access to the cameras, and that users have clear instructions as to what they are – and are not – allowed to do with images.
Justifying a CCTV system
The government’s existing code of practice for CCTV users already recommends that companies carry out a Privacy Impact Assessment, but with GDPR coming into force this is now more important than ever. The key is to make sure it’s documented that you have an Operational Requirement that justifies using cameras. Frequently, this will be in order to deter intruders or theft, but it can also be things like monitoring for health and safety where heavy equipment is in use. The impact assessment should also take into consideration whether any measures can be put into place that would solve the issue without needing to install cameras – for example installing additional signs.
Controlling the footage
With GDPR’s new enforcement powers, it’s vital for businesses to have clearly defined guidelines for who is allowed to handle data – in this case CCTV recordings. Under the legislation, these employees are classed as data processors, and they share responsibility should any data be handled inappropriately. Once captured, footage should be retained for no longer than 30 days. This can be extended in certain situations, such as if the police request videos of an incident; in these situations a dedicated risk assessment should be carried out explaining the reason. Most security companies recommend asking police for a written request, and that they review the footage on your property in order to prevent unnecessary copies being made and distributed.
All of the above also applies if you are using a third party security company to monitor your cameras. You should have written agreements laid out with such companies, clarifying what they’re entitled to do in their role as data processors. It’s also important to consider how the footage is being stored. If it’s on a hard drive, is it physically secure, or backed up in case of failure? If using cloud storage, does your provider have suitable security measures such as encryption?
Disclosure
Another existing requirement from the 1998 Data Protection Act that the new legislation enforces is for companies to notify members of the public when they are capturing their data. Specifically, this means that businesses should have clear notices in any area where cameras will record people. This doesn’t, however, mean that the exact number and position of cameras needs to be signposted. So, for example, it would still be acceptable to have discreet cameras monitoring the tills in a shop, provided there were signs visible nearby. CCTV notice signs should also provide information on who is responsible for monitoring the cameras, such as the tracking codes on our own CCTV warning signs.
Handling public requests
Your company should also have a process in place for when you receive a Subject Access Request – that is, when a member of the public or an employee asks in writing to see all of their personal data that you currently hold. In the case of CCTV, subjects should write to you providing a date and time that they were on your property, along with a personal description and proof of ID. This is another requirement that was already in existing data protection legislation; however, there are some important ways that GDPR changes things:
- Previously, companies were allowed to demand a reason to justify an access request. This was to prevent employees from conducting unnecessary “fishing expeditions” for evidence in disciplinary proceedings and so on. This is now no longer the case, and companies have to comply with access requests regardless of the reason.
- The ICO had permitted a £10 fee for carrying out an access request. This is no longer the case; however, companies can still charge reasonable fees for “manifestly excessive” requests.
- The timescale for responding to a request has shortened from 40 to 30 days.
- As detailed above, the potential fines for not complying with the regulation are now much, much higher.
As with other aspects of the legislation, it’s important to have a clearly defined point of contact for who should respond to SARs, and this should be clearly documented in your privacy policy or impact assessment.