For many businesses, CCTV is necessary to guarantee the security of premises and the safety of staff, visitors and customers.
Nevertheless, organizations in the EU and the European Economic Area (EEA) or organizations that process personal data of EU citizens, must understand that the use of CCTV cameras requires compliance with the General Data Protection Regulation (GDPR).
To make things easier, here is a complete guide for GDPR CCTV compliance.
What is GDPR and Why is it Relevant for CCTV?
The General Data Protection Regulation, commonly known as GDPR, is a data privacy regulation that came into effect in the EU in 2018.
The GDPR framework supersedes the Data Protection Directive 95/46/EC and requires organizations to comply with its requirements for the collection and processing of personal data.
On a basic level, the requirements exist to protect individuals from organizations that excessively collect and process their personal information without a proper lawful base.
While many people think of personal data as being information like names, addresses and contact details, it can also relate to personally identifiable images and video footage too, which is where CCTV comes in.
The Key Steps for GDPR CCTV Compliance
To ensure video surveillance complies with the GDPR, you must cover the following steps:
1.Be Transparent About Your CCTV Usage
The first step towards GDPR compliance is to be transparent about how, where and why you are using CCTV.
As transparency is at the very heart of GDPR and you are required to tell people that you are collecting personal data and this includes CCTV images. You are obligated to use signs stating that CCTV is in operation.
Beyond this, you also need to explain why you are collecting this data. Again, this can be done through a sign, which could say something along the lines of “CCTV is in operation in this area for the purpose of maintaining public safety.”
You cannot collect and process this data without explaining what you need it for.
Other information can be made available upon request or via QR code since the sign will probably be too small to address all information you are obligated to disclose.
Read more about video surveillance notification under the GDPR.
2. Operate Using Minimal Data Collection
Next, you need to think about how to operate your CCTV system, while also minimizing the amount of data you collect.
As Article 5(1)(c) of the GDPR legislation states, the personal data you collect from people should be “adequate, relevant and limited to what is necessary” for the purpose you have provided.
This means you need to obtain a sufficient amount of data to achieve what you need, but this data has to be limited only to what is necessary to achieve this goal.
There is no single answer to how much data you should collect, or how long you should keep it for, but you should review your data regularly and delete what you no longer need.
3.Limit Access to Your CCTV Images
In addition to minimizing the amount of data collected, you also need to restrict access to CCTV images to only those who need access.
It is your obligation to ensure the CCTV data you collect is kept secure and that it can only be accessed by management, security and/or those who require access to fulfil their job role.
A growing number of businesses are making use of cloud-based CCTV systems, which can assist with this.
A good service provider operating in this field will offer cloud storage for CCTV images, with this data being encrypted, on secure servers, while still ensuring the data can be easily accessed by those who have permission.
4.Data Protection Impact Assessments
Before actually setting up your CCTV cameras, you need to carry out a data protection impact assessment and you can find a template and written guidance for this on the UK government website.
This is a requirement for any processing of data considered ‘high risk’ to individual rights and that includes CCTV operation in public spaces.
The requirements listed under GDPR legislation require you to carry out an impact assessment before any new CCTV system is installed and the impact assessment must also be reviewed regularly.
An assessment should also be carried out if cameras are moved, or if your CCTV system is upgraded or modified.
5.Comply With Any Access Requests
Finally, a major focus of GDPR is based on giving individuals more rights with regards to their personal data and how it is used.
One of the ways this is achieved is by allowing individuals to make subject access requests. This then allows them to make either formal or informal requests for access to their data, which can include CCTV images.
To comply with GDPR, you have to be equipped to handle these requests. The standard response time allowed under the legislation is one month, although this can be extended for complicated requests.
You are obligated to carry out a ‘reasonable search’ for the requested data and it should be provided in a secure, accessible way.
When providing that CCTV image to the individual take all measures to protect the identity of other people on the footage and blur their image.
The Last Word
Since 2018, EU businesses operating CCTV systems have been required to comply with GDPR.
This means operating with full transparency, minimizing data collection, ensuring data is kept securely, responding to any access requests made and carrying out impact assessments before any CCTV system is installed or upgraded.
A great way to ensure data security is to work with a good cloud CCTV service provider, who will be able to ensure data is accessible by those who need it, while also keeping it on a secure server, with the right level of encryption.
Logan has over 20 years of experience in the technology sector, working with industry leaders such as Blackberry and Sony.
As Head of Product for Cloudview, a VSaaS company, he uses his extensive product management experience to drive the company forward as one of the leading names in video surveillance solutions.