Do you currently operate CCTV within your domestic or commercial property?
If the answer is yes, then you will be affected by the introduction of the new General Data Protection Regulations (GDPR), which come into effect on the 28th May 2018.
The GDPR is a new set of rules that aim to give the people of the EU better protection and greater transparency over how organisations use their personal data. Since a video recording of an identifiable person forms part of an individual’s personal data, there are a few new rules that CCTV operators need to follow in order to remain compliant under the GDPR.
These include:
Being transparent, open and honest about the recordings
If you have CCTV surveillance in operation, you need to take all appropriate measures to provide persons with information in a brief, comprehensive, transparent and easily accessible manner about why you are filming. As well as a CCTV sign, which many of you should already have, individuals now have the right to know details about the recordings, such as what they are used for. This information must be available in writing or other means in printed or electronic form.
Keeping a record
Camera system operators are now required to keep a written record of camera system operation. These records should be updated and monitored by your company’s data protection officer (if you are a public entity or specialist that processes this data).
Under most current models, the entire video surveillance system (including cameras, hardware, software and data storage) is handled by the data processor – which would be the outsourced company. The supplying company is likely to also appoint a GDPR officer here, who will act as a consultant and mediator for all data security processes.
Reporting data leaks to the Office for Personal Data Protection
Operators of CCTV must report breaches of personal data to the ICO within 72 hours. This is not a choice – it is a mandatory requirement, unless it is thought that the result of this would result in a risk to the rights and freedoms of the person.
Will the GDPR mean you can no longer monitor employees?
In short, no. The same rules that the Office for Personal Data Protection already define will still apply. Your employees will need to know where the cameras are located but you do not need to ask them for consent to film. This is because the employer has what is known as a ‘legitimate interest’ for implementing camera surveillance.
