The new General Data Protection Regulation (GDPR), set to come into effect in May 2018, will have widespread consequences for all businesses, enterprises, and organizations that deal with personal data in some form or another.
Usually, when thinking of personal data, most people will tend to think along the lines of names and contact details, financial and health records and other information they themselves might input online.However, there is also the personal information collected by video surveillance systems and devices to consider and, in this article, we’ll be discussing GDPR CCTV Compliance and how the incoming GDPR regulations will affect companies that utilize video surveillance.
So, here’s the deal…
To briefly summarize, the General Data Protection Regulation (GDPR) is an incoming EU regulation that broadens the scope of data protection and gives more rights to individuals to control the way their personal data is collected and managed and also makes businesses and organizations much more accountable for data protection by holding them to a host of new obligations.
As previously mentioned, the new regulations take affect from May 2018 and companies will need to be able to demonstrate compliance by taking a risk-based approach to the protection of data while also ensuring that appropriate steps are taken to deal with transparency, the rights of individuals, and accountability.
What Is Personal Data in Video Surveillance?
Personal data can come in various different forms and, while many products and services actively require personal data in order to provide the optimal experience, there can be vast differences in the kind of personal data used.
Personal data within video surveillance is defined as any information that could identify an individual.
Now, all video surveillance systems, be they CCTV or IP video cameras, are capable of capturing and collecting identifiable information in the form of video footage, and so organizations deploying video surveillance systems are obliged to become GDPR compliant by May 2018 or risk significant penalties and fines.
What Are the Issues Regarding Video Surveillance?
There are several big data protection issues that should be looked into when addressing GDPR compliance for video surveillance.
The EU outlines these issues as; Data quality and minimization, retention periods, and the personal rights of individuals. So, let’s take a look at them separately.
Data Quality and Minimization
Data quality means that any personal data collected should be processed in a fair and lawful way and collected for specific and specified purposes.
Data minimisation involves using video surveillance cameras intelligently and in a way that minimises the collection of useless or irrelevant data.
The purpose of data quality and minimisation is to ensure that, due to their ability to collect personal data, video surveillance systems are used in explicit and targeted ways so as to reduce intrusions of privacy and enable more intelligent and efficient use of video surveillance resources.
Retention periods are the period of time for which a business or organisations must keep personal data for a specific purpose or requirement.
Where personal data is concerned, “as long as required, as short as possible,” is usually considered a good rule of thumb, according to the European Data Protection Supervisor.
Alternatively, there are situations in which other compliance or legal reasons mean it is required for information to be stored for explicitly specified periods of time.
Which means that…
By limiting retention periods for personal or sensitive data, businesses and enterprises reduce the risk of their customer’s or client’s personal data being abused or falling into the wrong hands.
Under the new GDPR regulations, all persons will have the right to know, not only how their data is processed, but for what purposes. This right is seen as essential as it can inform people of how their data is being used, which in turn could influence the way in which they exercise their rights.
The right to information pertains to a person’s right to be provided with information collected about or including them, regardless of whether that data was obtained from the subject or not.
However, the right to information can be limited in some situations. Public safety considerations and the investigation and prosecution of criminal offences are but two scenarios in which the right to information could be limited.
As well as information regarding the gathering and storing of personal data, the Information Commissioner’s Office (ICO) has also outlined several points to be considered if businesses or enterprises wish to monitor their employees using video surveillance.
- Using and keeping data only for its original purpose. For example, if CCTV is used to monitor employee activity in specific areas, it should not then be kept for the sake of potential re purposing later.
- CCTV, IP video, and other logs should be stored safely and kept secure using the most appropriate encryption technologies.
- Individuals that are recorded have a right to request a copy of any video footage in which they are either in focus or clearly identifiable. If requested by the data subject, companies have 30 days with which to comply, should the request be valid and permissible.
As data collection through smart and Internet of Things (IoT) devices continues to increase, both employers and employees will need to become familiar with their rights and obligations regarding personal data collection and storage.
It is recommended that any organisation utilizing video surveillance do an in-depth analysis of their systems and ask themselves whether they can be justified under the new GDPR regulations.