In review: CCTV, data privacy and the GDPR

Closed-circuit television (CCTV) is a ubiquitous presence in our daily lives. From shops and streets, to in-office cameras, its watchful eye promises security. But in the age of data privacy, how does CCTV use square up with the UK and Europe’s General Data Protection Regulation (GDPR)? 

In his latest blog, Clive Mackintosh, a seasoned lawyer, data protection expert and CEO of GDPR Representative services firm GDPR Rep explores the links between data CCTV, data privacy and the GDPR.

CCTV Footage and Personal Data

The GDPR classifies CCTV footage as personal data if it can identify individuals. This can be through facial recognition, gait analysis, or even clothing paired with location. Since the GDPR governs personal data processing, organisations using CCTV must comply with its regulations. 

Your business may not operate what you would consider a full-scale commercial CCTV system, but even a digital doorbell, such as the popular Amazon Ring doorbell would be classified as CCTV under the GDPR if in place at a commercial property. 

If you are thinking about implementing CCTV, or already have systems in place, consider the below requirements for GDPR compliance. 

Key Considerations for GDPR-Compliant CCTV

•  Lawful Basis: There must be a clear legal basis for using CCTV, such as legitimate interests (security) or fulfilling a legal obligation (traffic monitoring).
• Transparency: Individuals need to be informed about CCTV surveillance through signage or other clear communication methods.
• Necessity and Proportionality: CCTV use should be proportionate to the risk and limited to what is necessary. Excessive coverage or overly long storage periods might not be compliant.
• Data Minimisation: The system should only capture what's necessary, potentially using anonymisation techniques where feasible.
• Security: Robust security measures are essential to protect footage from unauthorised access, use, or disclosure.
• Retention Periods: Footage should only be stored for as long as necessary, with a clear deletion policy in place.

CCTV - Balancing Security and Privacy

Finding the right balance between security needs and individual privacy is crucial. Here are some additional tips to help ensure compliance. 

Conduct a Data Protection Impact Assessment (DPIA)
Conduct a Data Protection Impact Assessment (DPIA), this helps identify and mitigate risks associated with CCTV use, especially for high-risk scenarios like facial recognition. see the GDPR Rep article: Data Protection Impact Assessment (DPIA) explained.

Data Subject Rights
Individuals have the right to access and, in some cases, erasure of their CCTV footage under the GDPR.

Clear Signage
Showcase transparency with informative signage about CCTV use, the purpose, and the data retention periods of recordings.

The Takeaway
CCTV can be a valuable security tool, but only if implemented and used responsibly. 

Consider any systems you currently have set up, these could be external-facing or internal-facing. Not taking into account and adhering to the GDPR when implementing CCTV could result in a breach of the regulations which could in turn result in significant financial repremands and damage to reputation. 

GDPR Rep is on a mission to help every business achieve and maintain data protection legislation compliance, including the GDPR. If you are looking into how your organisation can fulfil its requirements why not schedule a no-commitment call with a GDPR representative expert today, or get a quote to understand how our value pricing makes compliance simple.