General Data Protection Regulation (GDPR)
Are you prepared for GDPR which comes into effect as of 25th May 2018?
Data protection legislation and CCTV are not new concepts under the GPDR. It was indeed included under the Data Protection Act. Everyone has the right to protect their property and they can install an alarm system and/or CCTV system. Remember, any CCTV system installation should operate with respect to privacy of others.
This summary of GDPR has been prepared by CEA Systems Ltd to help CCTV Installation companies to put a process in place. For the official guide, refer to “Guide to the General Data Protection Regulation (GDPR), Act 2018” as prepared by Information Commissioners Office. A copy of this guide is available on our website.
The main purpose of GDPR is to enforce individuals and companies to process personal data (including audio & video) with privacy and consent in mind. GDPR requires companies to have procedures in place on how data will be collected and processed. To make it effective, all GDPR processes will need to be documented including when and how consent was obtained.
Key Facts of GDPR
Everyone in the company including installer(s), administration and manager(s) have responsibility for GDPR. GDPR applies to all personal data, whether it is used on quotations, orders, contracts, invoicing or maintenance etc. All data must be protected from unauthorised and unlawful use.
Document how the company will obtain and keep personal data. That includes company employees who will be responsible too. GDPR also applies employee data.
Customer consent is very important; consent requires a positive opt-in. Do not assume you have consent by method of wording and pre-ticked box. Keep consent separate from T&Cs. Advice on how the customer can withdraw consent. If personal data will be used for anything other than processing the order, then make sure you have consent for that activity.
The GDPR provides certain rights for individuals; like being informed, right to access, right to erase,
allowing subject to request data etc.
Keeping records and documentation is very important part of GDPR.
While not an expressive right, data subjects are entitled to understand when their personal data is being processed, covering the transparency aspect of processing. It is recommended that the use of CCTV is communicated via signage, which indicates the areas covered and instructions for further information.
For commercial properties, signage should be clearly visible and readable. It needs to show contact details of the company / organisation operating the system.
Signage should be visible outside the business where cameras capture images of passing traffic and people.
CCTV Video Footage Requests
As with personal data, data subjects have a right to request video footage for valid reasons. The CCTV operator will need to ensure that the requester is present in the footage and that the footage they disclose does not impact privacy of others.
This may involve blurring parts of the footage such as faces or number plates. In addition, the CCTV operator can no longer charge for this under the GDPR.
Security Measures for Video Footage
Storage of video footage is considered as processing of data and it is vital that the CCTV operator maintains confidentiality and integrity of the footage. Live and recorded footage should only be viewed by authorised individuals and not by members of the public who may see the monitor(s). Footage should be secured in both electronic format and in physical format; be locked away and tracked via a signing process
CCTV surveillance is used for security, protection and monitoring among other reasons. Data subjects (people) view this with an air of suspicion due to an invasion of their privacy. In either case, the GDPR does not discourage the use of CCTV but instead encourages a balance for all parties regarding its usage.
In simple terms, as an installer:
– Let customers know that you will keep a record of their details (tick box for their consent) and how you will use these details (mailing list, maintenance etc)
– Keep record of individuals and companies (name and address) in a safe place – Ask why the customer wants to install CCTV and preferably document this!
– Advice on privacy of others and preferably document this!
– Use suitable CCTV warning signage
– Advise companies to register with Data Protection.
If your CCTV system captures images of people outside the boundary of your private domestic property – for example, from neighbours’ homes or gardens, shared spaces, or from public areas – then the GDPR and DPA will apply to you. You will need to ensure your use of CCTV complies with these laws. If you do not comply with your data protection obligations you may be subject to appropriate regulatory action by the ICO, as well as potential legal action by affected individuals.
The ICO has published a guidance on the use of domestic CCTV and a checklist, which will help you to better understand and meet your obligations under data protection law. It is important that you read this guidance as well as the checklist, as this is a fuller explanation of your obligations to data protection law. The ICO has also published.