GDPR was implemented across the UK and the EU on the 25th May 2018. Is your organisation now fully compliant?
A recent study found that 56% of respondents said that their organisations are not yet fully compliant with GDPR. The respondents rated the regulations of GDPR by difficulty. According to respondent ranking, the most difficult aspects of GDPR to implement were; the right to be forgotten, fulfilling data subject access requests, and getting explicit consent from users.
In this blog post, we will focus on all things GDPR and video surveillance. We’ll also provide solutions for compliance, as compiled by Televigil, a leading security and compliance consultant.
Last year, on the 25th of May, the GDPR came into force. GDPR regulates how organisations handle and process personal data. In the context of video surveillance, examples of personal data include images captured by automatic number plate recognition systems (ANPR), body worn cameras (BWC) and unmanned aerial vehicles (UAV) or drones.
The ICO is the enforcement body in the UK, and have the power to fine businesses in the event of a breach of GDPR. Fines can be up to £17 million or 4% of global annual turnover, so it’s crucial that businesses put in place solutions for regulatory requirements.
The impact of GDPR has been felt across industries as increasing fines are being imposed by the ICO. Any organisation or individual operating a video surveillance system is classified as a Data Controller or Data Processor and as such have a legal responsibility. As a Data Controller, your business must be able to justify the collection and use of personal data via a video surveillance system.
It is important for your business to review your use of existing video surveillance systems. When compliance planning, Televigil advise that the fundamental premise should be “accountability through transparency.”
Is Video Surveillance justified?
Before purchasing a video surveillance system, your business should complete a Security Risk Assessment to determine if this is justified and the best solution. Your business should also complete a Data Privacy Impact Assessment. If you’re a commercial or public organisation, you should complete a Data Protection Impact Assessment.
Under GDPR, the location of video surveillance cameras is important. For instance, it would be justifiable to place cameras around the perimeter of your site for the purpose of detecting intruders. In retail stores for instance, placing cameras in the store for the purpose of detecting crime can be justified under a security risk assessment.
An example of where justification is needed for video surveillance is in a scenario in which you might be capturing images where someone would expect privacy. A detailed Operational Requirement (OR) is an essential document for both new and existing video surveillance systems as it provides details that are a benchmark to enable the business to monitor the system’s performance and provide justification for continued operation.
A security and compliance consultant can help you carry out a security risk assessment of individual camera locations, intended view areas, purpose and justification for the camera(s), a privacy impact assessment, and an audit of an existing video surveillance system.
Transparency and Knowledge Sharing
It’s important to be transparent and inform the public about what you / your business is doing and why. For example, a detail operational policy outlining the use of video surveillance and providing information on procedures for the system operator to employees. Signage is required that inform the public that a video surveillance system is in use. Now a legal requirement under GDPR, this signage must have the purpose and contact number for the business so that anyone wishing to make an enquiry can do so.
A security and compliance consultant can carry out an inspection of your new or existing site and assist with appropriate signage design and location. It’s advisable to have a video surveillance system policy document that complies with BS 7958:2015 CCTV Management and operations code of practice.
Data Controllers must show justification for storing, retaining, and processing data in a secure manner
If your business feels it is justified to retain video surveillance data for longer than 30 days, then you must state the reasons in a risk assessment. Many businesses find it necessary to store surveillance data in the cloud for an unlimited period of time to defend against fraudulent injury/insurance claims.
Respond to Data Subject Access Requests (DSAR)
Per Article 15 of the GDPR; “Any person whose image is recorded on a Video Surveillance System has a right to seek and be supplied with a copy of their own personal data from the footage.” This means that any person who is captured by your surveillance system and can be seen has the right to request that footage as it is their personal data. This is known as a Data Subject Access Request (DSAR) and must be responded to within 30 days. If any other individuals are visible in the footage, they must be obscured or redacted in order to protect their identity. This also includes vehicle number plates and any sensitive documents/information visible in the footage.
A redaction service, like Ocucon Pixelate will enable you to redact video to comply with DSARs. To learn more about Pixelate, click here
Provide the Police with access to relevant video surveillance images
An occasion might arise where the police will request footage from you. You can supply this, but you must ensure that the request is made in written format on appropriate police letterhead with the correct forms. A request from the police to view footage on your business premises should not raise any concern regarding data protection as long as the correct procedures are followed.
A security and compliance consultant can provide your business with log books, viewing documentation, and evidential download documentation.
Ensure compliance with GDPR and other legislation
If using a security service provider, it is possible they will be classified as a Data Processor under GDPR. As a video surveillance operator (Data Controller), your business must have in place a contract that details what the Data Processor may do with the data, security standards that should be in place and any verification procedures. This contract is important as it sets out both parties responsibilities and liabilities pertaining to GDPR and data protection.
When choosing a security service provider, ensure that they comply with GDPR. This must include regular review of video surveillance system performance, policy and procedures. They must notify you, the Data Controller, immediately of any potential issues or non-compliance. It’s advisable to have in place a Video Surveillance System Operational Policy and Procedures document, which would form part of the contract between the Data Controller and the Data Processor.
In conclusion, a security and compliance consultancy have a solid understanding of the security industry, DPA, and GDPR. It’s important to choose a consultancy that is up to date with the evolving guidance provided by the ICO and other relevant authorities.
As it has been one year since GDPR came into force, it’s imperative that all organisations evaluate their security programme and ensure that there’s no likely breaches of regulations. Complacency or oversight of GDPR could result in serious financial penalty and damage to your business reputation.
The latest information and guidance is available on the ICO website.