The General Data Protection Regulation (GDPR) is set to be implemented on the 25th May 2018. With this new legislation, the way we capture and handle CCTV footage will change to fit with the new guidelines presented by the European Union.
Although the changes are undoubtedly happening, businesses around Europe need to comply with the changes and understand the consequences if they don’t.
Here at 2020 Vision, providers of access control systems, we want to help your business avoid the 4% global annual turnover penalty. In this article, we discuss how you can make sure that your business is working within the framework of the GDPR rules once they’re introduced.
Considerations once GDPR is introduced
You need to have a strong reason for having your CCTV around your business perimeter. An example of this would be to help protect employees when it comes to health and safety or to capture footage of any incidents that occur within the company.
You can’t use CCTV cameras to spy on your employees, so make sure that you are able to justify your reasons for installing CCTV by compiling an operational requirement.
People can object to video surveillance in places where the individual expects privacy. This can range from places such as canteens, break areas and public spaces. If you are able to highlight a security risk that could be minimised through using CCTV, it is more likely that the CCTV will be accepted in these places, again think of the OR.
Once you’re using CCTV, you’re collecting data – personal data. To inform people who operate in and around your business, you should have a disclosure to tell them that CCTV is in use and that they could be captured on any footage that is obtained. A common method is to have signs that are clear and feature a number for those who want to contact the CCTV operators if they have any queries.
Once you’ve captured the data, it can be normally retained for 30 days. If you need to keep it for a longer time period, you need to carry out a risk assessment that explains the reasons why. Images and videos that you acquire through your CCTV system might be requested by the police, but make sure that they have a written request. Police will usually view the CCTV footage on your premises and this would not warrant any concerns for the leak of the data.
Your security supplier will be your data processor under the GDPR law and this means that those who are using security companies should put an abiding contract in place that states what the security company can do with the footage that is collected from your premises. Data breaches are a possibility when sharing data with a third party, so you need to be extra careful when it comes to handling.
Following the above guidance can help you avoid any problems that could occur once this new regulation is introduced. Read our previous blog post on safeguarding your business so you’re ahead of the game.