Much of the debate around GDPR has focused on securely storing and processing more traditional data – such as a list of names and email addresses stored in a spreadsheet or database. There’s been much less focus on the moving image, but it’s an area that organisations need to be equally aware of.
One hotly discussed area is the use of CCTV (Closed-Circuit Television) to capture images of data subjects, whether that be for security or health & safety purposes. Identifiable imagery is considered personal data under the GDPR and therefore, at a data protection level, requires the same level of thought and care that is being paid to other areas of the business. The use of CCTV is widespread and the UK is often cited as being one of the most surveilled societies globally – in fact, most businesses, from small convenience stores to large office buildings, will have a surveillance system in place, whether it be for security, monitoring or health and safety purposes.
So what does this now mean with the impending regulation coming into force?
- All organisations are obligated to explain why a video camera is in a particular place, what is being filmed and why. In the case of video surveillance, appropriate signage should be placed in and around the area being monitored to provide this information.
- One of the key features of the new regulation is that those who are being monitored need to be fully informed about what data is being held on them and how it’s being used.
- The regulation also sets out some clear ground rules about encryption and how data should be protected. The fact that data is in the form of video doesn’t alter this requirement.
- Companies storing video have clear responsibilities when it comes to storing personal data and must put in place robust measures to prevent unauthorised access. This means that it’s important to set out, in writing, who will have access to the cameras and recordings.
- Organisations should also have a procedure in place for when an individual chooses to exercise their right of access to personal data or request its deletion. This is so that they can stay within the prescribed month-long window within which they must comply with these requests under GDPR. When making such a request, it is reasonable to expect the enquirer to provide adequate information in order to locate this data – for example, an approximate timeframe, and the location where the footage was captured.
- Companies should use strong measures to prevent unauthorised access to the personal data that they are storing. The tactics used by each company will be unique to the challenges they face; however, in all instances companies must employ robust security controls, stay up-to-date with cybersecurity best practices, and ensure that they are working with trusted partners who provide secure hardware, software and thorough aftercare.
- It is ultimately the user of surveillance equipment, surveillance solutions and surveillance services that is responsible for GDPR compliance and the safeguarding of the rights of the individuals whose personal data the user processes.
- As a user of surveillance equipment, solutions and services, it is therefore important to partner with suppliers and vendors that are committed to respecting and safeguarding individuals’ privacy and protecting personal data. You should also be able to rely on support and technical aid from your suppliers and vendors to facilitate your GDPR compliance.
CCTV and surveillance are often emotive issues. On one hand, business owners and leaders use CCTV for protection and monitoring, among other reasons. On the other hand, data subjects view this with an air of suspicion, seeing it as an invasion of their privacy.
In either case, the GDPR does not discourage the use of CCTV but instead encourages a balance and an air of clarity for all parties regarding its usage.