We have entered the new year and the implementation date for the General Data Protection Regulation (GDPR) is getting closer. With this new legislation, the way CCTV footage is captured and handled will change to fit with the new guidelines presented by the European Union that will come into effect on 25 May.

Even though the UK is set to leave the European Union, it is likely that it will adopt the same legislation — meaning that companies in the UK must comply with the changes that will replace the Data Protection Act (DPA) or face tough penalties. 4% of global annual turnover has been highlighted as one of the possible penalties being introduced.

This article discusses how you can make sure that your business is working within the framework of the GDPR rules once they’re introduced.


What you need to think about once GDPR arrives

From May 25th, you need to have a valid reason for the installation and placement of your CCTV system. An example of this would be to help protect employees when it comes to health and safety or to capture footage of any incidents that occur within the company.

CCTV cannot be used to watch your employees throughout their shifts, so ensuring that you able to defend the reason for your camera placement is vital for it to remain in that position.

Where privacy is expected, people can object to CCTV cameras being there. Anyone who is in the view of your CCTV cameras can object to the area it has been located.

This can range from places such as canteens, break areas and public spaces. If you are able to highlight a security risk that could be minimised through using CCTV, it is more likely that the CCTV will be accepted in these places, again think of the OR.

When CCTV cameras record footage, they instantly become collectors of personal data. To inform people who operate in and around your business, you should have a disclosure to tell them that CCTV is in use and that they could be captured on any footage that is obtained.

A common method is to have signs that are clear and feature a number for those who want to contact the CCTV operators if they have any queries.

After the footage has been recorded, it can be kept for around 30 days — so keeping on top of the data you collect is vital to ensure you stay within the proposed legislation rules.

If you need to keep it for a longer time period, you need to carry out a risk assessment that explains the reasons why.

Images and videos that you acquire through your CCTV system might be requested by the police, but make sure that they have a written request.

Police will usually view the CCTV footage on your premises and this would not warrant any concerns for the leak of the data.

2020 Vision, who are specialists in CCTV systems and provide access control systems say that under the General Data Protection Regulation legislation, your business’ security supplier will become your data processor — if this applies to your business, you need to ensure that you have a contract in place which highlights what they can and can’t do with the data they have received from the footage.

Data breaches are a possibility when sharing data with a third party, so you need to be extra careful when it comes to handling.