Data Protection Impact Assessment
CCTV systems are one of the core services offered by Eclipse IP and there is no doubt that they are an essential component of a systematic approach to your company’s security. Whether it is monitoring external areas such as car parks, or providing essential oversight of high risk activities such as cash handling, CCTV can provide reassurance to business owners and staff alike that their activities are being properly and appropriately monitored and that in the event of an unforeseen incident, evidence will be readily available to ensure a speedy resolution.
It is not necessary to re-state the case for CCTV, after good quality locks it is probably the most commonly deployed security measure. However there are areas where careful thought should be given to where and how it is deployed if unintended consequences are to be avoided.
On the 25th of May 2018, the General Data Protection Regulation (GDPR) comes into force throughout the European Union (EU). Under the terms of the GDPR CCTV footage is deemed to be high-risk data as it directly identifies individuals; it is in short sensitive personal data.
This means that all companies deploying CCTV should think carefully about how they handle and process such data. The GDPR doesn’t prevent the use of CCTV however all companies need to be quite clear about their lawful basis for recording images of people and how they handle the resulting data. In a world where CCTV images are seldom if ever stored on video tape, encryption of CCTV records should be a relatively straightforward matter and we would encourage all users of CCTV to consider this as a matter of urgency.
It would be wise to conduct a Data Protection Impact Assessment (DPIA) to establish the potential risks to both the company and the individuals of recording and storing CCTV images and how they might cope with a breach or loss of CCTV data. Such a breach would mostly likely be reportable under the GDPR. Companies will, as a matter of course, have to review and possibly re-issue their privacy notices, clearly stating their reasons and lawful basis for recording and storing CCTV data.
Images resulting from CCTV surveillance are also subject to Subject Access Requests (SAR) and you should consider whether or not your current system is capable of fulfilling such requests from individuals within the 30 days permitted by the GDPR. Individuals have the right under the GDPR to request that data about them be erased. Can you do this easily with your current system.
You will need to re-evaluate your consent and lawful basis where employees are concerned, the general consent enshrined within most contracts of employment are no longer sufficient to meet the demands of the GDPR. There are appropriate lawful bases – fulfillment of a contract for instance – but this is something you may wish to discuss with us or with your employment law advisor.
A final observation (please excuse the pun) modern CCTV systems allow almost limitless overwatch of company premises and personal, and this is in some respects a very good thing. There is however a danger; whilst staff may appreciate monitoring to enhance their safety and security, they will not necessarily appreciate the idea that their employer is constantly peering over their shoulder. This is an age-old problem, well before CCTV there was the ever-present foreman or supervisor, but the ‘Big Brother’ aspects of remote surveillance can make some staff uneasy and may lead to resentment. This is a management issue, not a technological one, and we would encourage all businesses installing CCTV or upgrading and re-defining their current system to consider the possible effects on staff. No one likes being watched but the vast majority of staff are amenable to proper oversight if they understand the reasons and purpose behind it.
As a leading provider of security systems to companies large and small, Eclipse IP understands all aspects of securing your business and can offer not only the best hardware solutions available but advice on how to get the best out of any recommended option. If security is a concern, or if you are just worried about how the changing regulatory landscape might affect your existing installations, talk to us.