GDPR (General Data Protection Regulation)
From 25 May 2018, the General Data Protection Regulation (GDPR) will come into force across the EU with implications for how we capture and handle personal data including CCTV footage.
How will GDPR effect your CCTV / Security System?
On May 25th 2018, the General Data Protection Regulation (GDPR) will come into force which will dramatically change the way organisations need to approach data and the capture and handling of CCTV footage. It is important for businesses of all sizes to understand the regulatory requirements, and know what actions are needed to be prepared. The regulations apply to all companies worldwide that process personal data of European Union citizens.
Businesses need to be aware of the affect the new GDPR regulations will have on them, and this includes reviewing the use of CCTV.
Preparing for the GDPR – 12 Steps (ICO)
Platinum Guide – How will GDPR effect you
Subject Access Request (SAR) Form
What’s covered by the legislation:
- ANPR (Number Plate Recognition)
- Facial / Biometric Recognition
- Body Worn Cameras
- Surveillance Drones
- Photo ID Badges
- Electronic Access Control
- Voice Recording
The GDPR requires essentially that personal data is:
- Processed lawfully and fairly
- Collected for specific and legitimate purposes
- Not excessive for the purpose for which it is being collected
- Accurate and not kept for longer than is reasonable
- Secure, and not sued for unauthorised processing
If you have outlined why you are collecting CCTV and justified it and it’s reasonable and put in procedures to make sure the above principle are upheld, you will be compliant with the new regulations.
If you are recording CCTV footage within your own business then you are both a “controller” and “processor” of data under the GDPR and both entail responsibilities. Someone within the organisation should be elected as responsible for the CCTV images and you should have clear procedures as to who can access the system, and when information should be disclosed.
CCTV regulations to date
Up until now anyone and everyone would install a CCTV system without really thinking about the consequence of this action. Once someone is collecting recognisable images from your CCTV system, you are then managing ‘personal data’. So, the reality is they are now acting as a Data Controller, and with this comes responsibility. A Data Controller must be able to justify the obtaining and use of personal data by means of a CCTV system.
The regulation will now mean that any personal data processed must be processed in a lawful and transparent fashion and with CCTV acting as a means of collecting and observing personal data, it is not exempt. In situations where protecting data subjects or acting in the interests of the public are both important, local authorities may deem that processing personal data without notifying a subject is vital, but this will only be in a select few cases.
In all other circumstances, data subjects now have an explicit right to know if their personal data is being stored or processed, including images of their faces.
GDPR does not just legislate Security Systems
The GDPR legislates much more than just security systems. The information provided within our webpage is for reference only and we recommend that you refer to the ICO website for full guidance.