Breaching data protection laws can be very bad for business. Fines are bad enough, but losing the trust of customers and bad publicity can have long-term repercussions.
Yet it’s surprising how many firms fit CCTV equipment in Bristol and the surrounding area, unaware that they could be perilously close to breaking the law.
Staying compliant with current legislation
The personal information covered by the word “data” in legislation is not just names and addresses, it’s images too – the sort of pictures and videos recorded by CCTV equipment every day.
Many companies are already grappling with the complexities of the current Data Protection Act and how it will affect security surveillance on site.
But life is about to get even more complicated. Because in May 2018, the EU General Data Protection Regulation comes into force. Don’t stop reading because you see EU and think that Brexit makes you immune from the GDPR. It’s a global law impacting on any business that holds personal data on EU citizens. So, there aren’t going to be many companies in the Bristol area that doesn’t include.
The GDPR is designed to give the general public far better protection and strong rights to dictate how their personal information is collected, used and held. It also covers the issue of under what circumstances data can be transferred and shared. Plus, how and when it should be disposed of.
Areas for you to think about
This clearly encompasses the images you may capture on your company CCTV equipment.
Under existing data protection rules and the surveillance code of conduct, you are perfectly within your rights to install CCTV cameras in your workplace as long as they are a “necessary and proportionate response to a real and pressing problem”.
These problems clearly include crime, but also antisocial behaviour and anything likely to cause risk such as monitoring areas where congestion can be an issue. Or these days, where you can spot behaviours which may be linked to preparations for acts of terrorism.
The Code is clear that your organisation must have carried out – or commissioned via your commercial CCTV installer – an assessment of the privacy impact.
This includes, for example, making sure external cameras aren’t accidentally recording innocent passers-by or your neighbours!
Once you have imagery, companies are strictly forbidden from using it for anything other than basic security considerations. This means, for instance, you can’t post imagery on public forums, such as social media, even to help “trace” someone.
You must also have clear and auditable systems for holding images only for as long as absolutely necessary.
And there should be a clear line of responsibility for the limited amount of staff in your company who have access to the material you collect via CCTV equipment.
This and more under GDPR
All of this will be tightened up under the GDPR and very heavy fines for breaches could kill off some firms.
You will need to be able to demonstrate that your CCTV operations are strictly necessary, carefully controlled and properly monitored.
This includes only using equipment for the times it is needed – not continuously. There are likely to be new requirements for how you notify people that CCTV is in operation too.
You will also need clear systems for what you would do if someone asks to see imagery you have gathered that includes them.
Under the GDPR, any data you hold has to be encrypted. Any identities you store will have to be issued with pseudonyms. The idea is that this material would be unusable if it fell into the wrong hands – by accident or due to malicious intent or thanks to cybercrime.
Get the installer right to stay lawful
None of this should put you off protecting your premises and equipment, and the people who visit your workplace. But you need to make sure you use reputable suppliers who understand the complexities of legislation and who keep up to date on developments.
In the Bristol area, that means Brunel Security – a company with a clear view of what counts for commercial CCTV equipment and operations.