4 Tips for using CCTV under the GDPR

There is 1 Closed-Circuit Television (CCTV) camera for every 14 people within London according to the British Security Industry Authority (BSIA). The number of CCTV cameras in London is expected to reach 642,000 by 2020. We live in one of the most watched countries in the world however it is not as easy as installing a camera at free will.

CCTV has developed over the years. We now no longer have simple video cameras on top of poles, recording on video tapes; the technology behind CCTV in the modern era is much less passive. The current systems are more proactive, which can be used to identify people of interest and track people’s activities. Such use of surveillance has lead to the rights and freedoms of individuals being questioned.

Since the implementation of the General Data Protection Regulations (GDPR), regulation of CCTV has become much more acute and the Information Commissioner’s Office (ICO) has stepped in and now offers guidance for how companies should be approaching the use of it. There have been cases recently of companies falling foul of the requirements set out by the ICO, which has resulted in fines and significant loss of reputation, which brought with it further business implications.

To help stay on the right side of the ICO, businesses should follow these four top tips:

Tip 1: Register with the ICO

Under the GDPR, it is a requirement to register with the ICO as a Data Controller if you are processing personal data. This is often overlooked as an obligation for companies. The simple fact is that most companies will be required to do this, regardless of their CCTV usage; however, if you do use surveillance cameras of any sort, you must register.

As explained above, CCTV is so advanced these days that the recordings are considered to impact the rights and freedoms of individuals – importantly that means you will be processing personal data, therefore must be registered.

Some systems capture additional data like device mac addresses and face recognition for example supermarket footfall analysis from iBeacon.

Tip 2: Carry out a Privacy Impact Assessment (PIA)

Something often ignored when carrying out any kind of processing of personal data is a PIA.

As CCTV is a form of processing, you’ll need a PIA and in it you’ll need to identify the benefit and impact of your processing.

Whilst it can be seen as another hoop to jump through, being able to justify your processing with a PIA will go a long way to protecting your company against a slap on the wrist…or worse.

Tip 3: Put up signs

This is likely to sound obvious; however, it is slightly more complicated than just throwing up a sign saying “we’re watching you”, or something to that effect.

Signs notifying individuals of CCTV operations need to be explicit, easily readable, visible to all and visible before capture has taken place (or as soon as possible). The purpose of this is to bring to the attention of all individuals that might or will be effected by the surveillance, that it is about to take place.

Unless you can justify covert surveillance (for which another PIA will be needed) the ICO guidance dictates that employees must be given clear notification as to where the surveillance is and why it is being carried out. Similarly, visitors to your premises must be made aware of the reason for the CCTV recordings. This can be as simple as including a brief explanation on the bottom of your sign.

To go above and beyond the requirements, you could include an interactive link, such as a QR Code, on your signs to allow readers to instantly access your Privacy Policy and be fully informed.

Tip 4: Be compliant

All the signs and PIAs in the world won’t help you if you aren’t compliant with the GDPR from the start and the ICO start looking in to you.

Whilst most companies may have undergone elements of work prior to 25^th May 2018, it is likely nothing, or very little, has been done since and now compliance is the last thing they think about. Unfortunately, it is still a very real obligation and if you are caught without having made any real progress, it is likely to come back to bite you, particularly if you are processing data without provisions such as a Privacy Policy in place.

As a separate type of processing, CCTV surveillance will need to be included in any policies you have (or don’t have). It will also need to be listed as a method through which you collect personal data.

Ultimately, it isn’t too late to be compliant, but if you have already carried out this work and are now looking to use CCTV, you will need to update your policies in line with the new types of processing.

The biggest takeaway from this should be that the decision to use CCTV should not be taken without some consideration. Most importantly, if it is taken, it needs to be done properly and by following the tips above you should avoid any altercations with the ICO.

If you need any assistance with data protection or would like advice on any of the above, do not hesitate to contact our dedicated team by phone on 01392 210700 or email dataprotection@stephens-scown.co.uk.