A few weeks ago, we started a GDPR-inspired series of articles with the aim of helping you make your business compliant with the new law in the easiest and most convenient way.
So, after going over the need for GDPR and demonstrating how it may affect the Internet giants, we authored a manual for developers and went over the main talking points which will certainly be of interest to most IT service providers.
To our surprise, in the meantime we realized that a few companies which have installed CCTV networks believe that GDPR doesn’t concern them.
However – as should be obvious – it most certainly does. And it’s right around the corner: it comes into effect tomorrow.
So, if you are in the business – and don’t want to end up paying a fine larger than you can afford – it may be a good idea to read ahead and find out what you need to do to get your company GDPR-compliant.
What You Should Know About Personal Data
Everything you collect with CCTV (Closed-Circuit Television) is considered personal information, for the very simple reason that you can identify people in the footage and images.
Therefore, you need to have a substantial security reason for doing this, and you should be able to state it clearly.
For instance, placing CCTV around the perimeter of the business building can easily be justified as a preventive measure, but filming employees in the working space may not be justified that effortlessly.
What Your Customers and Employees Should Know
One of the main things introduced with GDPR is transparency: data subjects, says the new regulation, have the full right to know the reason why you are collecting their data and how much of it you have access to.
If a data subject requests to see some of his or her personal data (whether images or footage) at any point, the service is obliged to respond within a month.
In addition, the side which performs the monitoring is obliged by default to post a visible warning alerting subjects that a site is being monitored.
What Security Measures You Should Take
Here are six things you should be aware of at all times:
#1. Collect Only the Information You Need
Or, to put that in even more comprehensible terms: don’t collect any more information than what you actually need. The use of CCTV should be limited to the particular security purposes. The location of the cameras is a critical issue: the greater the expectation of privacy in a given area, the harder it may be for you to justify the use of CCTV there.
#2. Edit and Blur When Asked
You need to edit and blur any sensitive images when sharing records with third-party services. So, if a person asks to be omitted from a video which has accidentally captured him or her, you need to edit it so that that person is indistinguishable. Otherwise, it would mean that you’re sharing someone’s personal information.
#3. Put Clear and Visible Signs
As we said above, it’s necessary to tell potentially affected data subjects (customers and employees) that your cameras are rolling. And you need to do that properly, by putting up a sign which not only informs about the fact, but also explains the purpose behind the CCTV installation. The sign should be clear and visible. Moreover, it should contain contact information which data subjects can use to get more details about the information which is being collected about them.
#4. Work With GDPR-Compliant Companies
Make sure that you are doing business only with reliable processors (security companies and CCTV engineers) which are GDPR-compliant themselves. It’s a common mistake to think that after a new regulation comes into force, every working service will automatically become compliant (just because they should). So before granting access to a company to some personal information of your data subjects, take some time to find out whether this won’t lead to violating the law.
#5. Hire a DPO
If you are not sure about some of your obligations, you should seriously consider asking for the help of a Data Protection Officer (DPO). As described in Article 37 of GDPR:
“the data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.”
Though you are not obliged to have one (except in cases which involve large-scale monitoring of individuals or specific categories of personal data), you may need the services of a DPO to ensure that your workflow is compliant with GDPR.
#6. Delete What You Don’t Need When You Stop Needing It
Don’t retain footage longer than it’s really needed. Normally, that’s 30 days. If you need to keep it for longer, you should have a clear reason for it. In this case, you need to conduct a risk assessment.
The GDPR clearly states that “the processing of personal data should be designed to serve mankind.” However, it doesn’t provide strict rules about how you should evaluate the possible risks. Even so, it’s obvious that you should be able to conduct a risk versus benefits assessment.
In order to do this, you need to identify and classify potential risks by their severity (low, moderate, high), take into consideration the balance between risks and possible benefits, and constantly monitor your data to repeat the evaluation.
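The retention rule above (30 days by default, longer only with a documented reason and a completed risk assessment, reviewed regularly) is easy to lose track of across many cameras. The following is an added example, not code from the original article: a small Python retention checker that classifies each recording as keep, delete or review. The Clip and RetentionException structures, the "review" outcome and the sample data are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DEFAULT_RETENTION = timedelta(days=30)  # the article's normal retention period

@dataclass
class Clip:
    clip_id: str
    camera: str
    recorded_at: datetime

@dataclass
class RetentionException:
    """A documented reason to keep a clip beyond the default period (assumed structure)."""
    reason: str                 # the clear reason the article asks for
    risk_assessment_done: bool  # the risk assessment it requires
    retain_until: datetime      # an extension is not open-ended

def classify_clip(clip, exceptions, now):
    """Return 'keep', 'delete' or 'review' for a single clip."""
    if now - clip.recorded_at <= DEFAULT_RETENTION:
        return "keep"  # still within the normal 30 days
    exc = exceptions.get(clip.clip_id)
    if exc is None:
        return "delete"  # past 30 days and nobody documented a reason
    if exc.reason.strip() and exc.risk_assessment_done and now <= exc.retain_until:
        return "keep"  # justified, assessed and not yet expired
    return "review"  # an exception exists but is incomplete or has lapsed

def retention_report(clips, exceptions, now):
    """Map every clip id to the action the retention policy demands."""
    return {c.clip_id: classify_clip(c, exceptions, now) for c in clips}

# Constructed sample data, not from the article.
NOW = datetime(2018, 5, 25, 9, 0)
SAMPLE_CLIPS = [
    Clip("c1", "entrance", NOW - timedelta(days=10)),
    Clip("c2", "car-park", NOW - timedelta(days=45)),
    Clip("c3", "entrance", NOW - timedelta(days=60)),
    Clip("c4", "loading-bay", NOW - timedelta(days=40)),
]
SAMPLE_EXCEPTIONS = {
    "c3": RetentionException("evidence for incident INC-PLACEHOLDER", True, NOW + timedelta(days=30)),
    "c4": RetentionException("", False, NOW + timedelta(days=30)),  # reason never written down
}

if __name__ == "__main__":
    for clip_id, action in retention_report(SAMPLE_CLIPS, SAMPLE_EXCEPTIONS, NOW).items():
        print(clip_id, action)
```

Clips flagged "review" are the ones an auditor would ask about first: someone decided to keep them past 30 days without recording the reason or the risk assessment.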
Your 7-Step CCTV-Related GDPR-Compliant Routine
Let’s translate theory into practice:
- Make sure that your CCTVs aren’t placed in an area where people should reasonably expect privacy.
- When placing the cameras, try to place them in a way which will guarantee that you will not collect more information than you actually need (such as, for instance, pedestrians or cars passing by).
- Put relevant – large and visible – CCTV-informative signs on the site in question and in the adjacent areas (especially if there’s a risk of accidentally collecting irrelevant information).
- Make sure that your designated staff knows how to work with the CCTV and has the experience and knowledge to respond to any requests and questions from data subjects.
- Prepare a specific data protection impact assessment, which should include the main purpose for placing the CCTV and the necessity of using it, in addition to an evaluation of risks and the way you’d deal with them.
- Modify your data protection policy in accordance with the GDPR.
- Conduct timely reviews of CCTV performance (to make sure that its use is still relevant).
All the data you collect by means of CCTV is considered personal data, which means that the new data protection regulation (GDPR) is applicable in the case of your business. To comply with the GDPR, you need to have a clear reason for monitoring data subjects (health, security, etc.), put up signs which will notify them about the cameras installed in the area, and be ready to give them access to the data you have collected about them at any moment.
Also, you are required to delete data after a period of 30 days (otherwise, a risk assessment is required). To make sure that you are compliant – even though you are not obliged to (unless you fall into the exceptions described in Article 37) – a good idea may be to ask for help from a professional DPO.
After all, since everything you need to know about GDPR is open and easily accessible, a lack of knowledge on the subject cannot serve as an excuse for not complying with the regulations.