You’ve probably heard of the General Data Protection Regulation (GDPR) by now, and are flustered about how you can make your business compliant, especially around the use of CCTV across your premises. With the 25th of May looming closer, you haven’t got much time to start making the appropriate changes to avoid the 2-4% turnover penalties which could be detrimental to your business.
For those of you who may be unaware of what GDPR is, it is a piece of legislation being implemented by the European Parliament to help strengthen data protection across the continent. Although the UK is set to leave the European Union, it is likely that we will adopt this legislation to ensure that no organisations suffer as a consequence of the EU departure, and to support businesses within the UK that have European consumers.
Here at 2020 Vision, we want to help your business make informed decisions regarding the use of CCTV systems, as well as cloud CCTV storage, in relation to GDPR, so that you can comply with the changes in time and understand the brutal consequences if you do not.
If you think that your business could be prone to a penalty, or just want to make sure that the changes you have already made align with the framework — continue reading and contact 2020’s team of experts today.
What your business must consider regarding GDPR
Although CCTV has been a popular security option for businesses to help deter crime, your organisation will need to have a strong reason for its placement and demonstrate to the correct authorities that it is serving a specific purpose regarding the protection of your business. An example of this would be using CCTV to monitor the health and safety of your employees and to capture footage of any incidents that could occur within the business.
However, it must be noted that you will not be able to ‘spy’ on your employees and CCTV placement should be justified by compiling an operational requirement (OR). GDPR makes it easier for workers to object to video surveillance in specific areas where they might expect privacy as they instantly become data subjects, along with suppliers, customers and other visitors on the premises. With this news, more businesses are taking a ‘privacy by design’ approach, which has become a focus regarding GDPR. Although privacy by design is not specifically about data protection, it is about designing systems so that data does not need protection. GDPR states that data controllers must put technical and organisational measures in place to minimise the amount of data processing. Data controllers should also only process data when it’s necessary.
With privacy by design becoming a hot topic in the security industry, businesses are advised to carry out Privacy Impact Assessments (PIAs), which can help identify and reduce potential privacy risks that could harm personal information.
You will be able to get around this by highlighting a security risk that could be minimised through having CCTV in those areas where placement is likely to get the go-ahead (remember the OR).
Depending on CCTV placement, video surveillance begins capturing data, and that data is personal data. For this reason, it is vital that you invest in some CCTV signage which will act as a disclosure to those who could potentially be within the frame of your camera and captured in the footage. We recommend that your signs include contact information for your business and security provider to give passers-by the option of calling if they have any queries.
The data that you capture on your CCTV can be retained for 30 days in total; however, it can be kept longer if needed (a risk assessment will be required explaining the reasons why).
Images and videos that you acquire through your CCTV system might be requested by the police, but make sure that they have a written request, as this becomes a justifiable reason for keeping footage longer than the recommended 30-day period. Police will usually view the CCTV footage on your premises, and this would not raise any concerns about the data being leaked.
As GDPR makes it easier for people to prosecute a business for inappropriate handling of data, which could be a data breach, your security supplier will become your data processor under GDPR. If you use a security company for your CCTV, you must have a contract in place which outlines what they can and can’t do with the footage they collect from your premises.
As data breaches are a risk, especially when sharing data with another organisation, it’s important that it is properly secured and encrypted where possible. If you would like more advice on how to deal with your CCTV to remain compliant under GDPR, which will be replacing the Data Protection Act, contact 2020 Vision today.