A few weeks ago, we started a GDPR-inspired series of articles with the aim of helping you make your business compliant with the new law in the easiest and most convenient way.
By Iffy Kukkoo
24 May, 2018
So, after going over the need for GDPR and demonstrating how it may affect the Internet giants, we authored a manual for developers and went over the main talking points, which will certainly be of interest to most IT service providers.
To our surprise, in the meantime, we realized that few companies which have installed CCTV networks believe that GDPR doesn’t concern them.
However – as should be obvious – it most certainly does. And it’s right around the corner: it’s effective come tomorrow.
So, if you are in the business – and don’t want to end up paying a fine larger than you can afford – it may be a good idea to read ahead and find out what you need to do to get your company GDPR-compliant.
Everything you collect with CCTV (Closed-Circuit Television) is considered personal information, for the very simple reason that people can be identified in the footage and images.
Therefore, you need to have a substantial security reason for doing this, and you should be able to state it clearly.
For instance, placing CCTV around the perimeter of the business building can be explained away easily as a preventive measure, but filming employees in the working space may not be justified that effortlessly.
One of the main things introduced with GDPR is transparency: data subjects, says the new regulation, have the full right to know why you are collecting their data and how much of it you have access to.
If a data subject requests to see some of his or her personal data (whether images or footage) at any point, the service is obliged to respond within the next month.
In addition, the side which performs the monitoring is obliged by default to post a visible warning alerting subjects that a site is being monitored.
Here are six things you should be aware of at all times:
#1. Collect Only the Information You Need
Or, to put that in even more comprehensible terms: don’t collect any more information than you actually need. The use of CCTV should be limited to specific security purposes. The location of the cameras is a critical issue. The greater the expectation of privacy people have in a certain area, the more difficult it may be for you to justify the use of CCTV there.
#2. Edit and Blur When Asked
You need to edit and blur any sensitive images when sharing records with third-party services. So, if a person asks to be omitted from a video which has accidentally captured him or her, you need to edit it so that the person is unidentifiable. Otherwise, you would be sharing someone’s personal information.
#3. Put Clear and Visible Signs
As we said above, it’s necessary to tell potentially affected data subjects (customers and employees) that your cameras are rolling. And you need to do that properly, by putting up a sign which not only informs them of the fact, but also explains the purpose behind the CCTV installation. The sign should be clear and visible. Moreover, it should contain contact information which data subjects can use to get more details about the information being collected about them.
#4. Work With GDPR-Compliant Companies
Make sure that you are doing business only with reliable processors (security companies and CCTV engineers) which are GDPR-compliant themselves. It’s a common mistake to think that once a new regulation comes into force, every working service will automatically become compliant (just because it should). So before granting a company access to some of your data subjects’ personal information, take some time to find out whether doing so would violate the law.
#5. Hire a DPO
If you are not sure about some of your obligations, you should seriously consider asking for the help of a Data Protection Officer (DPO). As described in Article 37 of GDPR