Since its introduction in 2018, the General Data Protection Regulation (GDPR) has had time to bed in. Now, legislation relating to personal data and its usage are well-defined, well-published and enforceable, so there’s no excuse for not being informed about what’s expected.

Under GDPR, all organisations that gather, store and/or process personal consumer information must have a lawful basis for doing so, and this includes CCTV images in which individuals can be identified. If your businesses use CCTV, here’s what you need to know about GDPR.

Is CCTV covered by GDPR?

Yes. The GDPR definition of personal data is “information that relates to an identified or identifiable individual”, which covers images captured by CCTV. GDPR states that any organisation already using or intending to install a CCTV system must be able to prove ‘legitimate interest’ – in other words, a justifiable and legally-compliant reason for taking and recording CCTV images. For most businesses and organisations, their legitimate interest will be premises security and/or safeguarding of staff and visitors. However, whatever the case, it’s important to note that the legitimate interest in question must apply to the entire area covered by the cameras.

Another significant statute of CCTV under GDPR is the length of time images are stored and processed. Organisations cannot store CCTV footage indefinitely; in fact, they can only keep it for “as long as is completely necessary”, which depends upon why the images are captured in the first place. GDPR doesn’t define any acceptable retention periods so it’s a bit of a grey area, but common sense would dictate that a shop wouldn’t need to retain footage longer than six months, for example – by which time any reported crimes should have been investigated.

There’s more detailed information on CCTV, the GDPR and what’s covered available from the Information Commissioner’s Office (ICO) website, including a data protection code of practice for surveillance cameras and personal information.

Do you have to display signs if you have CCTV?

Yes. All organisations that use CCTV have a legal obligation to inform people that they may be recorded and why the CCTV is in place. This includes members of the public and staff members alike.

Signage is generally the simplest way to tell people that they’re in a surveillance area, these must be clearly visible and readable, and should include details of your purposes for using CCTV, how long you will retain the footage and who it will be shared with.

Crucially, it’s also a requirement that the ICO is notified of any business use of CCTV. You may also need to pay a fee, depending on how many people your business employs and your annual turnover. You can notify the ICO online.

Do I have to show people any images of them under personal data compliance?

Yes, if they request to see it. This is known as a ‘subject access request’ - the law states that anyone can ask to see images recorded of them on CCTV, and that these must be provided by the organisation in question within one calendar month, free of charge. If a subject access request is made, you can ask the requester to provide personal details that will enable you to confirm their identity and find them in the footage.

Let the experts help you implement efficient and compliant CCTV

If you’re unsure of any legislative aspect of CCTV usage and what’s expected of your business, we can help. Our specialist team can advise you on legal CCTV compliance, as well as the most suitable solutions for your organisation and its unique security needs, so please get in touch today.

 

ABOUT THE AUTHOR – LYNDEN JONES

Lynden joined Touchstar ATC (formally Feedback Data) in a sales role for Access Control in 2010.  Prior to joining the company, Lynden held both Production and Account Manager roles, gaining wide technical and commercial experience within the electronics market.  

In 2013 Lynden was promoted to Sales Director and in 2017 he took overall responsibility of the business as Managing Director. As well as running Touchstar ATC, Lynden still remains extremely active in the sales and key account management aspects of the business. When not involved in the business, Lynden is a keen performance car enthusiast.