It’s been one year since GDPR (General Data Protection Regulation) was introduced. Companies spent months working hard to ensure that their processes were compliant and that they handled client data correctly.
When it was introduced on May 25, 2018, it updated the 1995 directives and meant that Europe had the strongest data protection laws in the world.
Yet, 12 months on, it’s important to remind businesses that their CCTV systems must be compliant. Video cameras are vital for many businesses – installing them provides a visual deterrent that helps to reduce vandalism, thefts and burglary, contributes towards staff safety and also makes customers feel more secure.
However, there are strict rules around the use of the data gathered in CCTV footage because of the right to privacy.
Any business that installs a security camera must:
- Have a valid reason for its installation (this could be to protect assets and staff)
- Disclose to staff and customers that cameras are in use and the legal reasons for doing so
- Position the cameras appropriately
- Display clear signs on the premises to inform everyone that they are being recorded
- Consider carefully where any CCTV footage and images can be seen
- Control who has access to the CCTV images, to minimise the risk of data breach
- Ensure that the devices on which the data is stored are secured – in a locked cabinet/room or, if monitored remotely, the signals must be encrypted to prevent any interception
- Pay the relevant data protection fee to the Information Commissioner’s Office (ICO) – or face a fine of up to £4,000.
It is also a good idea to have a ‘Data Protection Code of Practice for Surveillance, Cameras & Personal Information’ document, which will cover all of the above points and is reviewed annually.
Anyone who is recorded on CCTV is considered to be a “data subject” and with that comes a raft of rights, because the right to privacy remains. They can request to know where the data is stored and for how long. They also have the right to access the data free of charge and within 30 days, unless the request is, according to the regulations, “manifestly excessive and unfounded”. Then an administration fee can be charged. Any request must be made in writing.
Another thing to consider is that if you have to provide footage, you are obliged to remove other people’s identity, so as not to breach the third party’s privacy.
The ICO has a checklist, where you can ensure you are compliant. Don’t leave it to chance – make sure all your procedures are up to date and correct.