SMEs must be vigilant not only in arming their premises but also in the way in which they handle the security process.
The words General Data Protection Regulation (GDPR) are ingrained in the minds of businesses and consumers alike.
After four years of EU-led negotiation, May 2018 saw an international rollout to bring European data regulation into line with the new ways in which data is used, with tougher penalties on those that breach these regulations.
But how much is known about GDPR’s impact on more physical security practices, such as the way that CCTV footage is captured and handled?
Your obligations to employees
GDPR-compliant products currently do not exist, which makes human awareness of legislation even more important.
The UK is often cited as being one of the most surveilled nations globally, with up to 5.9 million CCTV cameras in operation in 2015.
Businesses from small convenience stores to large office buildings have surveillance systems in place, whether for security, monitoring or health and safety purposes. While the use of cameras on business premises naturally deters burglars, owners and senior personnel must remain vigilant, as even employees have a right to privacy.
Recent legislation means that business owners are not only obliged to disclose that cameras are in use; they also now need a valid reason to install CCTV systems in the first place – this could be to protect assets, to gain a clearer understanding about employee wellbeing, or to capture footage of potential incidents.
Businesses using closed-circuit surveillance must appropriately communicate to employees the legal basis for using it, and camera positioning must be both reasonable and proportionate. Clearly displayed signs (usually with a contact number) on your business’ premises should be present to inform people they are being recorded.
It’s less known that employees themselves are able to protest against the use of CCTV in a certain area.
Your obligations to members of the public
GDPR also creates an obligation for businesses towards members of the public, who are able to request that images of themselves captured on a firm’s CCTV system are shared with them.
Businesses must provide this footage to those who ask for it within 30 days. Should there be a significant number of requests, fulfilling these would be manual and a significant drain on resource, as other people’s identities must be blurred out (something that would usually have to be done on a frame-by-frame basis).
However, there are firms that are developing software that automatically does this for a business, which is something that those with CCTV systems should consider.
Storing footage the right way
Retention of video captured by CCTV cannot be indefinite. Thirty days is not uncommon, but if footage needs to be kept longer, GDPR legislation states that a risk assessment must be carried out to document the reasons why.
For instance, a retailer would have no reason to keep CCTV footage for six months, as many crimes would have been reported and footage reviewed in that time.
Should footage need to be reviewed by the emergency services, this is usually done onsite, so would not be deemed a data leak, especially if the footage is encrypted.
It is obligatory for businesses that use cloud recording services and storage to know the exact location where their footage is being processed and stored.
Data is rarely stored where the cloud provider is based, thus the data can be moved around between a supplier’s data centres – effectively meaning it could end up anywhere in the world.
Protecting your business
To comply with GDPR laws, businesses should only collect and retain necessary data, as well as confirming what data processing is being conducted. Businesses must also ensure that they own the information and that it isn’t shared with third parties.
Having your CCTV systems installed by security experts will ensure nothing goes amiss. Guidance from experts (such as the firm that installs your CCTV) is available, but I must emphasise that this is all it is – guidance.
The onus to ensure that this data is protected is very much on the business owner, not the supplier of the CCTV system.
Thus far, regulators have made an example of companies such as Google, handing out record fines for GDPR breaches, but small businesses should by no means think that they are off the hook; regulators have shown that they aim to take breaches seriously, so a crackdown at some point in the future is inevitable.
Ensuring your business complies
The obligations that GDPR legislation creates for businesses can often seem both daunting and vast, but providing that business owners and senior team members know the law, there’s nothing for them to worry about.
Training on GDPR compliance is something that all small businesses should strongly consider – there will be wider laws on data protection that businesses simply don’t know about.
In the interim, in terms of CCTV and GDPR compliance, business leaders need to ask themselves the following questions:
• Is your CCTV system infringing on your employees’ privacy? Have you displayed a notice to let them know they are being filmed?
• If filming employees, do you have a valid reason for having a CCTV system?
• How long are you storing footage for and why? For the latter, have you carried out a risk assessment to ascertain and document these reasons?
• Where is your data (footage) being stored? Are you confident it isn’t being shared with third parties?
• If there’s a breach, what’s your plan?
As a starting point, the above questions will do, but in the long term, training from a reputable supplier needs to be given to senior team members.
In this digital era, there are many different factors to consider when installing a CCTV system, but it is undoubtedly something that small businesses cannot do without.
However, grasping the law, as well as the obligations of your business to members of the public and your staff, is something that you as a business leader need to do as soon as possible.