What is GDPR and how does it affect my CCTV systems?

GDPR and the CCTV. What will change?

At a time when technology, including smart cameras, allows companies to collect much more sensitive information about individuals, more stringent supervision of the protection of personal data is certainly needed. A video recording of an identifiable person naturally forms part of an individuals personal data. The General Data Protection Regulation (GDPR) which came into effect throughout the European Union on May 25th 2018, affects all CCTV operators. 

The new regulations drastically change the way businesses need to approach how they capture, store, transfer and handle personal data from CCTV systems. It is important for businesses of all sizes to understand their regulatory requirements, and know what actions are needed to be compliant. The penalties facing businesses for non-compliance are fines of up to €20 million or 4% of global annual turnover (Whichever is greater!). The regulations apply to all companies worldwide that process personal data of European Union citizens.

Path to Compliance

In general there are 6 administrative steps your business can take to make sure you are CCTV compliant which are: 

  1. Reasons for CCTV system

  2. Informing people of its presence and use

  3. Retention policies regards recorded footage and images

  4. Permissions

  5. Assisting the Gardai and other law agencies regarding the access of personal data

  6. Verification of use

Usee.ie can help you to become compliant with our CCTV Toolkit and can offer tailored CCTV compliance 

 

Are you about to invest in a CCTV surveillance system?

With the introduction of the GDPR on May 25th 2018 - Your CCTV system could leave you vulnerable to fines and damage to your brand. 

We provide your business with everything it needs to comply. Consultancy has never been easier or more affordable. It is important to choose the right provider for your CCTV installation to protect your brand and reputation.

At Usee.ie our in house consultancy team will prepare all the documents required for a robust, resilient system to ensure your evidence can be used in a court of law.

Processes include the following 

CCTV Policy

If you have a CCTV system, you must have a CCTV policy document. This outlines how the system will be used, evidence shared and your retention policies. We can provide you with an easy to use template or carry out an audit and draw up your policy.

CCTV Location Risk Assessment

How is your system used, where are the cameras located, what type of cameras have been used. What is their intended use and how long will the footage be held. If you own a CCTV system you need a CCTV location risk assessment. We have an easy to use template available for our members.

 
Community CCTV ongar.PNG

Subject Access Requests & Evidence Handling

Do you have a process to handle requests from the general public or even the Gardai for CCTV footage of your systems? Are you protecting yourself against your footage or data ending up in the wrong place like Youtube or shared on social media.Its important that you have a proven policy regards who controls the data on your CCTV systems and how evidence is shared and retained. This is covered in all our membership plans. 

Data Control

At Redactus we can offer a full on bespoke data control service. This removes your staff from being in the evidence investigation, retrieval and distribution process. It safeguards your business against potential claims and data breaches. 

 

Signage

If you have a CCTV system you must have signage. This signage should warn the general public or employees that there is a CCTV in operation. It should also contain information regards why the CCTV system is in operation/ its use and the contact details for the persons/company controlling the data. Our members can avail of our advice, sign templates. We even offer a full on sign manufacturing service.

CCTV Redaction Service

If the CCTV footage includes images of other people, their images may be pixilated or otherwise blanked out. Access Requests under the Acts entitle individuals to access their own data; images of other people would be considered third-party data. If everyone who appears in the video or photographs agrees to it, the images can be provided without restriction. We provide redaction services to our members only at a reduced rate.

Data Protection Impact Assessments

Under GDPR, DPIA’s are mandatory for any new high risk processing projects. The DPIA process will allow you to make informed decisions about the acceptability of data protection risks, and communicate effectively with the individuals affected. It is important to highlight that not all risks will be eliminated but a DPIA can allow you to identify and mitigate against data protection risks, plan for the implementation of any solutions to those risks and assess the viability of a project at an early stage. Good record keeping during the DPIA process can allow you to demonstrate compliance with GDPR and minimise risk of a new project creating legal difficulties.

Defamation & Image Rights

Maintaining the integrity of your public image is an inseparable part of your business, whether you’re a creative individual or a small company. Protecting your privacy and your public image from slander and libel is only one side of the coin; Ensure that your processes are robust regards how your CCTV systems are used and utilised. 

 

GDPR COMPLIANCE

Make sure your business is compliant with the new legislation regards data protection & cctv systems.

At Usee we can provide a comprehensive service to ensure your business complies with the new GDPR rules. 

Our Services include the following and can be curated to suit your individual business needs.

 

Annual CCTV Audit & Risk Assessment

Annual audit is carried out on your CCTV systems to ensure compliance with the GDPR. All cameras are itemised, categorized , intended viewing areas and the purpose of the surveillance.

Password Policy

Six monthly change of all CCTV passwords/ online passwords. Best practice password use controlled by Usee.

Cyber Security & Firmware/Software updates

Full site asset list with all sites monitored and updated to latest firmware and security patches as required and recommended by the manufacturers of your systems. 

CCTV Footage Retrieval - Data Controller

Usee controls all video evidence requests and becomes the Data controller for your business. All footage requests are dealt with and approved by usee, including law enforcement requests. Full audit trail of evidence retrieval, Cloud storage & full locked down off site backup - All footage is stored in the jurisdiction.  

Reports

Full report to comply with your data policy at year end on all footage retained, shared and provided to the Gardai or other government agencies.

 

Contact us for more information on 01-8400300 or by email to info@usee.ie

OUR  GDPR CCTV GUIDE
Quick View
OUR GDPR CCTV GUIDE
0.00

Here is our guide to making sure your CCTV system is GDPR compliant. A very simple explanation and breakdown of the CCTV element of the new GDPR that comes into force in May.

Add To Cart
MCS_Landing_Cabecera2.jpg

There are six steps required in order for a CCTV system to comply with the GDPR.

 

1. Reason for the CCTV system.

 

2.  Informing people of its presence and use.

 

3.  Retention policies regards recorded footage and images.

 

4.  Permissions.

 

5.  Assisting the Gardai.

 

6.  Verification of Use.

 

1. REASON FOR THE CCTV SYSTEM

 

Is your CCTV system justified?

If you are placing cameras in your store to deter or detect shoplifting, then this is easy to justify. If you have installed a camera to monitor employees, then it is not as straightforward as it can be seen as an invasion of privacy.  If you can prove that the cameras are there for Health & Safety reasons, highlighting incidences in the past, that may be acceptable. Maybe there is a safe in the staff room that needs to be monitored?

What images will be captured and why?

When you are capturing images where someone would expect privacy, then you must justify the need.  For example, in a bathroom or on a public path. If there has been an obvious level of security incidents, then this must be proven to allow for the presence of the cameras.

You need to carry out a risk assessment itemising each camera, the intended viewing area, and the reason for the camera.  Resolution and intended recording time should also be indexed on the assessment.
 

2. INFORM

You must inform people of CCTV presence

The purpose in data being collected should be clear. This is especially important if the purpose is not as obvious or straight forward, such as employee monitoring or Health & Safety reasons.  The reason needs to be highlighted to any person being captured by the cameras.  A sign(s) highlighting CCTV use and contact number for anyone wishing to follow up is sufficient.  It is also good practice to state in employment contracts and your data protection policy that cameras are used and footage may be recorded.

Redactus can assist clients with signage design and templates.

3. RETENTION POLICY

A Data Controller needs to justify reasons for storing and retaining data.

A standard cctv system allows 30 days retention of data.  If you feel you need to retain CCTV data for longer, then your risk assessment should state how long and why.  Longer retention times are allowed where you can prove past incidents / reasons etc.

Redactus can assist in ensuring that best practice in this area is achieved. Our software can also monitor retention times and provide audited proof.

4. PERMISSIONS

Access Requests for personal data

GDPR states ‘Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage.’

Anyone who is captured by your CCTV cameras has the right to request that footage, as it is seen as personal data.  They must follow a footage request procedure, but are perfectly within their rights. However, if any other individuals are visible in the footage, there needs to a footage redaction service in place to ensure their faces are blurred before the footage is shared or downloaded.

Usee can provide you with a means to control the whole footage request process, and perform the redaction service on the footage if required.

5. ASSISTING THE GARDAI

Supply of CCTV images to the Gardaí

The Gardaí may request footage from you, although they must have a valid reason for the request.  And although the request / process may be time consuming and inconvenient you may feel obliged to cooperate.  

As with general public requests, Usee can provide a service to liaise with the Gardai directly regards all footage requests.

 

6. VERIFICATION OF USE

Responsibilities of security companies

Security companies act as Data Processors under GDPR.  ‘Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place;  and what verification procedures may apply.’

Ensure that any subcontractors working on your behalf, e.g. Security guards or alarm engineers also follow this procedure. You will be open to data breaches if a third party can distribute, or remove, personal data in the form of CCTV images without following the above procedures.

 

Conclusion:

Taking all the above into consideration, many companies need to look at their security arrangements and ensure there are no likely breaches of regulations. An innocent oversight could result in a hefty penalty for your business.  It is no longer acceptable to ‘not understand’ or ‘not be aware of’ the laws associated with CCTV systems. While it is quick and easy to purchase and install your own passive CCTV system, without the input of professional security service providers you may leave yourself open to prosecution and fines.

The Redactus team are very clear on the necessary requirements under the new GDPR and will assist all clients in adhering to these regulations.  If you have any doubts over your CCTV system and would like to discuss how Redactus can help you meet your requirements under the GDPR legislation, contact a member of the Redactus team today.