The General Data Protection Regulations (GDPR) came into force in May of 2018. These regulations apply to most businesses and organisations operating within the EU and UK. Each country has its own enforcing body, in the UK it is the Information Commissioner's Office.
The GDPR contains 7 key principles that should be central in a business's approach to processing personal data. These key principles are; Lawfulness, fairness and transparency, Purpose limitation, Accuray, Data minimisation, Storage limitation, Accountability, and Integrity and confidentiality (security).
In addition to the 7 principles, GDPR lays out the following 8 rights for individuals; The right to be informed, The right of access, The right to rectification, The right to erasure, The right to restrict processing, The right to data portability, The right to object, Rights in relation to automated decision making and profiling.
The right of access gives individuals the right to access and receive a copy of their personal data, and/or other supplementary information. The act of accessing this data is commonly referred to as a subject access request or ‘SAR.’ Data falls under many categories and includes but is not limited to; contact information, license plate numbers, images and video footage. For the purpose of this case study, we will focus on SARs in relation to CCTV video footage.
On occasion, an individual will submit a SAR to a business for video footage. There are an infinite number of circumstances for why this might occur. For example, an individual might submit a SAR with the intent to view CCTV video footage of themselves in order to prove an incident took place in a certain location such as a car park.
In order to comply with GDPR, the Data Processor, or the business to which the SAR was submitted, must gather the appropriate video footage and provide it to the individual who made the request. Businesses must have a process in place to ensure that SARs are dealt with in a timely manner, and within one month of receipt, or in the circumstance of a complicated case, this timeline can be extended slightly.
The business, as the Data Processor, must also ensure that sensitive data that is not of the applicant’s personal data, is blurred, or redacted, from the video clip. This is to ensure compliance with GDPR and is explicitly recommended by the ICO.
Wm Morrison Supermarkets Plc (‘Morrisons’) approached Ocucon in 2018 inquiring about Pixelate, our video redaction software. Their GDPR team was starting to receive SARs for CCTV video footage, and they required a secure solution to be able to redact footage.
Morrisons identified Pixelate by Ocucon as a suitable solution for redacting video footage. As we learned more about Morrisons requirements, we made the offer of a managed service, whereby video files would be securely transferred to us, and our team would get to work with redacting each video case that came through.
Morrisons receives an average of 12 subject access requests for video footage each month. Each case is on average, 4 minutes in length and our team is able to consistently turn cases around well within timescales. This is crucial so that Morrisons can fulfil the request within the statutory ICO deadline for SARs.
Carrying out a managed Pixelate service resulted in the following for Morrisons; improved operational efficiencies plus a reliable and cost-effective solution to handling video redaction. Ellie from Morrisons remarked: "We get a lot of Subject Access Requests for CCTV and Body Cam footage and Pixelate enables us to quickly and easily respond to these requests. I would recommend it to any retailer looking for an effective and efficient GDPR compliance solution. The process from start to finish is professional and the Ocucon staff are extremely helpful, offering full support when required."
If you think your organisation could benefit from such a solution, please get in touch and we’d be happy to discuss our range of video redaction packages.