It is hard to escape the news about the new General Data Protection Regulation GDPR rules. Why is it important? Well data protection laws have been in place for some time. But by next year (25th of May 2018 ) a few tweaks will be introduced. Namely, failure to comply with the new data protection regulation could cause your company to face a fine of up to 2-4% of global annual revenue. Ouch!
- What does it mean in relation to CCTV?
The key issue is that all CCTV systems need to have a justified purpose. Perimeter CCTV can be easily rationalized for precautionary reasons in case of an intrusion or vandalism. However, if the system is being used in perhaps an employees’ staff canteen then this may not be as easy to rationalize. There would need to a justified reason such as a high health and safety risk or proof of prior incidents.
It is also important to communicate the purpose of why CCTV is in operation. By using the ‘who, when, how and by whom’ method, you can communicate this effectively. Signage must be updated to be clearly visible, readable, highlight the purpose of the CCTV, contact details of the data controller, period of storage and right to request access or removal.
If you have CCTV operating on your household premises and are wondering whether GDPR applies to you, be aware that although the regulation does not apply to those using cameras for domestic or household purposes, it might apply if your CCTV also monitors a public space (a road outside a house). The regulation does apply to anyone operating a business.
- Can people ask for a copy of CCTV?
GDPR gives data subjects or people rights to their own data, including the right to obtain a copy and the right to request that this data be deleted. These services must be provided by companies free of charge and data controllers have one month to respond. The issue with video surveillance is that when someone requests a copy, by default information about others is provided i.e. other people caught on camera.
- Will redaction of faces be necessary?
As long as stored CCTV is kept in a secure way to fulfill the purpose that it was intended for, there is no need to redact faces or blur images for GDPR compliance. However, once video is shared with third parties, redaction and blurring of faces is required.
One of the big issues that companies will face is individual requests for a copy of CCTV footage recorded of them, where they are easily identifiable. It is within their full rights that a copy be made and given to them. The issue for companies if that if other parties are captured and identifiable in the video they need to be blurred prior to a copy being provided. This might sound simple, but the reality is not. CCTV format issues, busy scene and other technical difficulties can make this cumbersome.
- Other things to be aware of?
Where putting in place new cameras a “data protection impact assessment” (DPIA) to be conducted. looking at the risks and proportionality of the system being deployed. If video is transferred to another country, you must make sure the relevant safeguards are in place and video can also only be transferred to countries where. The GDPR rules set no limits on how long data should be stored but states that
data should not be kept any longer than is necessary for its original purposes. 30 Days is typical. One thing that data controllers should do is look at their video surveillance security settings. There are a number of things that can be done to enhance security but one of the simplest measures is to make sure you have a secure log in password.
- How can Kinesense help?
At Kinesense we provide forensic video services that can help deal with any GDPR requests. Such services include, video conversion, face redaction, event finding, muting audio and highlighting pertinent information.
If you are interested in finding out more, contact us at firstname.lastname@example.org