Because it carries substantial privacy risks, video surveillance is a data protection area that often raises questions. Around the world, an estimated one billion surveillance cameras are monitoring you.
Many companies require video surveillance to ensure the security of their facilities as well as the safety of their employees, visitors, and customers.
You may be surprised to learn that CCTV footage is regulated under the GDPR (General Data Protection Regulation). The regulation applies to any information that may be used to identify someone, not only written facts such as names and addresses. As such, this includes images and videos, which is why you should use caution while using CCTV.
Nonetheless, businesses in the EU and the European Economic Area (EEA) and organizations that process EU individuals' personal data must recognize that the deployment of CCTV cameras necessitates compliance with the GDPR.
In this article, we'll cover the following:
- What is GDPR, and why is it relevant for CCTV?
- What are GDPR fines?
- Five steps to avoid a GDPR fine
What Is GDPR, and how is it relevant to CCTV?
The General Data Protection Regulation (GDPR) is a data privacy regulation that went into effect in the European Union in 2018. The GDPR framework supersedes the Data Protection Directive 95/46/EC and requires all companies to comply with its personal data collection and processing standards.
On a basic level, the rules exist to safeguard individuals from organizations that gather and utilize their personal information excessively and without a legitimate legal basis.
While many people associate personal data with information such as names, addresses, and contact information, it can also refer to personally identifiable photos and video recordings, which is where CCTV comes in.
Compliance with the numerous GDPR requirements is not optional, and the fines may be hefty, so you'll need to ensure that your video surveillance solutions comply with GDPR requirements.
What are the fines associated with GDPR non-compliance?
GDPR fines are divided into two categories. GDPR expressly indicates that certain infractions are more severe than others.
- Less serious infractions can result in a fine of up to €10 million, or 2% of the preceding fiscal year's global annual sales, whichever is larger.
- The most serious infringements violate the GDPR's core privacy principles and the right to be forgotten. Infringements of this nature might result in a fine of up to €20 million, or 4 percent of the firm's worldwide annual revenue from the previous fiscal year, whichever is greater.
Many companies outsource their data management to external parties, such as email or cloud storage services.
While this can help with GDPR compliance if the third party has the greater technological capability, it does not spare the hiring organization (i.e., the controller) the responsibility to ensure that personal data is treated in line with the GDPR.
Unless the controller can establish that it was "not in any way responsible for the occurrence giving rise to the damage," it will be held fully accountable for any infringement committed by a non-compliant third party.
As a result, it's critical to thoroughly assess any third-party services you employ to ensure a strong track record for security.
Follow these Five Steps To Avoid GDPR Fines
To ensure that your video surveillance satisfies the fundamental requirements for GDPR compliance, follow these key steps:
1. Be transparent regarding your use of video surveillance
The first step toward GDPR compliance is to be forthright about how, where, when and why you use video surveillance.
GDPR requires you to inform the public of any data collection activities, including surveillance cameras. You'll need to display signage indicating that CCTV is in use.
Moreover, you must explain why you are collecting this data. Again, this may be implemented by displaying a sign that says something like, "CCTV is in operation in this location for the purpose of ensuring public safety."
You cannot gather and process this data unless you explain why you need it.
You will also need to provide the data protection officer (DPO) contact information and information about your organization (the data controller).
Other information can be provided upon request or through a QR code, as the sign will most likely be too tiny to address all of the information you are obliged to provide.
2. Collect as little data as possible
Next, consider how to manage your CCTV system while decreasing the quantity of data collected.
According to GDPR Article 5(1)(c), the personal data you gather from people should be "adequate, relevant, and limited to what is necessary" for the purpose you have specified.
This means that you may collect a significant amount of data if your objectives call for it, but the data must be confined to what is required to accomplish those objectives.
There is no single answer to how much data you should gather or how long you should store it, but you should examine your data regularly and remove anything you no longer require.
According to international law specialists Beale & Co, “under the fifth data protection principle of the GDPR, personal data cannot be kept for longer than you need it. However, there is no specific time limit. How long you retain data will depend on the purpose for holding the data.”
3. Data protection impact assessments
Data protection impact assessments, which may be done using a template and written instructions, are required prior to the actual installation of CCTV cameras.
This is a requirement for any data processing regarded as a "high risk" to individual rights, including CCTV operations in public settings.
GDPR requires you to do an impact assessment before installing any new CCTV system, and the impact assessment must be revisited regularly.
If cameras are relocated, or your CCTV system is enhanced or modified, an assessment should be performed.
4. Restriction of access to CCTV images
In addition to limiting the quantity of data captured, you should restrict access to CCTV images to just those who require it.
Your responsibility is to guarantee that the CCTV data you acquire is kept safe. Only management, security, and individuals who require it to accomplish their job roles should have access to it.
Many organizations use cloud-based CCTV systems, which can help with this.
A reputable service provider in this industry can offer cloud storage for CCTV images. This data is encrypted and stored on secure servers while also guaranteeing that the data is easily accessible to those with authorization.
5. Comply with any access requests that are made
One of the main goals of GDPR is to give individuals more control over their personal data and how it is used.
One method for accomplishing this is to allow individuals to submit subject access requests. This enables them to make official or informal requests for access to their data, which may include CCTV images.
You must be prepared to address these requests in order to comply with GDPR. The usual response time permitted by law is one month; however, this might be extended for complex requests.
You should do a "reasonable search" for the requested data, and it must be delivered in a secure, accessible manner.
When presenting the CCTV image to the individual, take every precaution to protect other people's identities on the footage by blurring their image.
Software such as Sighthound Redactor, for example, automatically blurs individuals, faces, vehicles, and license plates in video footage and allows for manual editing of any other identifiable information.
GDPR compliance has been mandatory for EU enterprises that use CCTV systems since 2018. This entails operating with complete transparency, keeping data collection to a minimum, guaranteeing data security, responding to access requests, and conducting impact assessments before installing or upgrading any CCTV system.
The GDPR's hefty fines are designed to make data security best practices prohibitively expensive to ignore. The sanctions for non-compliance with the GDPR cast a dark shadow on any firm that isn't taking the necessary steps to assure 100% GDPR compliance.