Data Protection Compliant CCTV Systems and the way in which we protect our customer data was recently highlighted in a case study from international software compliance company GDPR365.
GDPR365 selected Advanced Overwatch from their extensive client base to create a case study showing how we as a leading GDPR CCTV and Security Solutions provider manage the implementation of GDPR and data compliance via their platform.
What is GDPR365?
GDPR365 was incorporated by lifelong software entrepreneurs who have built successful cloud-based businesses involving large volumes of sensitive personal data, and are therefore well-versed in the risks involved with managing data privacy. Their goal with GDPR365 is to help businesses and organisations understand data protection, and simplify the process and maintenance of GDPR compliance.
Advanced Overwatch adopted the GDPR365 platform in order to migrate existing paper-based GDPR compliance to an electronic platform that will scale and flex with our growing business.
Data protection compliance applies to virtually every business, and its principles are a cornerstone of how Advanced Overwatch runs its operations. The company prides itself on the discretion of the services provided and on the way in which sensitive and personally identifiable information is treated as it flows through the company.
Where can I view the Case Study?
You can view the Advanced Overwatch GDPR365 CCTV Compliance case study by clicking here.
The importance of protecting customer data in our security and CCTV installation business
Advanced Overwatch is registered with the Information Commissioner’s Office (ICO) – https://ico.org.uk/ – as required by the Data Protection Act, because various aspects of the CCTV and Security Systems business operations make Advanced Overwatch a data controller. Policies and procedures are in place to ensure that all obligations are met and, by extension, to foster a culture of regulatory compliance among staff and management.
We employ the services of a Data Protection and Compliance Manager who sought out a digital and paperless platform and in conjunction with the Managing Director and senior management settled on the implementation of GDPR365.
Why is GDPR and Data Protection so important to Advanced Overwatch?
There are many grey areas around CCTV and Security Systems compliance, and a main aim of Advanced Overwatch is to use our in-house team to demystify system compliance for our clients by providing a complete solution which meets current regulations. We help our customers to navigate the complexities of Data Protection relating to their CCTV Systems and other security-related services.
What data protection impact can CCTV Systems have?
CCTV regulation and compliance: Surveillance footage and the new GDPR information security standard
CCTV regulation has always been something of a grey area.
Since 24 October 2001, there has been a requirement for businesses using CCTV to register with the Information Commissioner’s Office (ICO). The registration is essentially a declaration that the business is processing Personally Identifiable Information, or PII. This is because CCTV footage may enable people to be identified.
As a general rule the vast majority of organisations and businesses where CCTV is installed and there is public access fall inside the scope of the requirement to register:
- The Data Protection Act 1998 requires every data controller (e.g. organisation, sole trader) who is processing personal information to register with the ICO, unless they are exempt.
- If you use CCTV on your business premises for the purpose of crime prevention, you need to register with the Information Commissioner’s Office.
With approximately 5.4 million SMEs in the UK and some 465,000 businesses registered on the ICO’s database, only about 8.6 percent are registered. While many of the 5.4 million SMEs are unlikely to be in scope because they simply do not use CCTV, it is likely that many are in breach of the regulation.
CCTV compliance regulation changes
The revised ICO code of practice was an overhaul of best practice and regulatory code for security and surveillance systems. It was the first guidance issued since 2000 under the Data Protection Act (DPA) 1998. The grey area here is that it is guidance in the shape of a code of practice, which essentially means that businesses and organisations need to self-regulate voluntarily. There will be consequences should a breach of privacy actually occur and come under the scrutiny of the regulator; however, there is little to compel compliance.
Essentially there are no fines for breaking the ICO code of practice. The code is not enforceable; it is a guide to best practice. However, the majority of surveillance systems are used to monitor or record the activities of individuals. Recording is essentially the collection of PII.
The reason that an enforceable code was avoided was because privacy and security have to co-exist side by side. In combination with the DPA, the ICO code of practice is designed to bring the needs for privacy and security together, by safeguarding privacy without throwing insurmountable obstacles in the way of security.
You can view the revised ICO CCTV Code of Practice by clicking here.
GDPR and the need for certainty and clarity around CCTV compliance
The problem with voluntary codes of practice is that because CCTV and information security is now of such importance, grey areas are no longer acceptable. There needs to be certainty and clarity and at Advanced Overwatch we provide both to our clients.
GDPR came into force on the 25th May 2018 and was designed to strengthen the privacy laws governing the data of EU citizens around the world. Protecting PII, including image data which may allow individuals to be personally identified, is a central consideration and it brings CCTV data in scope of GDPR.
Here are the key facts about GDPR:
- The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens.
- In the case of the UK standing outside of the EU as a result of Brexit, the UK government has stated its intent to write GDPR into UK law in the next parliament. One of the reasons for this is to remove any potential barriers to trade and security post-Brexit, that might arise if the UK had a different data protection framework.
- The GDPR widens the definition of personal data, bringing new kinds of data under regulation. The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.
- The GDPR tightens the rules for obtaining valid consent to using personal information. The GDPR requires all organisations collecting personal data to be able to prove clear and affirmative consent to process that data.
- The GDPR introduces mandatory privacy impact assessments (PIAs) to identify privacy breach risks and minimise risks to data subjects. The inclusion of PIAs is mainly due to the influence of the UK’s Information Commissioner’s Office (ICO).
- The GDPR introduces a common data breach notification requirement that harmonises the data breach notification laws in Europe. This is intended to ensure organisations constantly monitor for breaches of personal data. Organisations need to notify the local data protection authority of a data breach within 72 hours.
- The GDPR introduces the right to be forgotten. Organisations are not to hold data for any longer than necessary, and are not to change the use of the data from the purpose for which it was originally collected. Data must be deleted at the request of the data subject.
- The GDPR requires that privacy is included in systems and processes by design. Software development processes must factor in compliance with the principles of data protection. Essentially, all software will be required to be capable of completely erasing data.
- The GDPR allows any European data protection authority to act against organisations, regardless of where in the world the company is based. This enforcement is backed by significant fines for non-compliance of up to €20m or 4% of group annual global turnover.
CCTV, integrated security systems and our clients’ GDPR compliance
Businesses and organisations operating CCTV and electronic surveillance systems need to consider:
- Conducting a Privacy Impact Assessment (PIA) to be sure all CCTV cameras serve a legitimate purpose.
- Allowing CCTV systems to be on / off switchable, where appropriate, so recordings of footage are not continuous. Audio and video need to be independent (on / off) from each other as well. Legitimate reasons for recording either or both need to be clearly established.
- Sound recordings should be obtained only where absolutely necessary to support the legitimate reasons. The use of CCTV surveillance systems should not be ‘normalised’ in the working environment to record conversations between the public and employees.
- Recordings from CCTV systems need to be securely stored and access restricted to authorised personnel.
- CCTV recordings need to be of an appropriate quality to meet the purpose intended.
- Regular checks are needed to ensure that the date and time stamps recorded on images are accurate.
- Recording and playback functions need to provide access to recordings made in specified locations and times to comply with subject access requests from individuals in recordings or in response to police requests.
- Appropriate policies need to be in place so that employees know how to respond to requests from individuals or police for access to CCTV recordings.
- Ensuring appropriate security safeguards are in place to prevent interception and unauthorised access, whether by copying or by viewing recordings.
- CCTV recordings that no longer serve a purpose need to be deleted. The information retention policy should be clearly documented and clearly understood by CCTV system operators.
- The need for signage and the availability of other appropriate information. Individuals need to be notified of surveillance information processing, such as their presence in an area where CCTV is in operation, and of their rights of access to recordings/images of themselves.
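Several of the items above (retention and deletion, subject access by location and time, justified audio recording, time-stamp accuracy) can be checked mechanically against the recorder's index of clips. The following is an added example, not code from Advanced Overwatch or GDPR365; the retention period, clock tolerance, camera names and clip index are all constructed, and the policy values must come from your own documented retention policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Recording:
    camera: str
    location: str
    start: datetime
    end: datetime
    audio: bool

# Assumed policy values for illustration; set them from your documented policy.
RETENTION = timedelta(days=30)
CLOCK_TOLERANCE = timedelta(seconds=60)
AUDIO_JUSTIFIED = {"cam-till"}  # cameras with a documented reason to record sound (assumed)

def ts(s):
    """Parse an ISO-8601 string as a UTC timestamp."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample clip index; not metadata from any real system.
RECORDINGS = [
    Recording("cam-door", "entrance", ts("2024-05-01T09:00"), ts("2024-05-01T10:00"), False),
    Recording("cam-till", "shop floor", ts("2024-06-10T12:00"), ts("2024-06-10T13:00"), True),
    Recording("cam-yard", "loading bay", ts("2024-06-10T12:30"), ts("2024-06-10T14:00"), True),
]

def expired(recordings, now, retention=RETENTION):
    """Clips whose retention period has passed and which are due for deletion."""
    return [r for r in recordings if now - r.end > retention]

def subject_access(recordings, location, window_start, window_end):
    """Clips overlapping the place and time window named in a subject access or police request."""
    return [r for r in recordings
            if r.location == location and r.start < window_end and r.end > window_start]

def unjustified_audio(recordings, justified=AUDIO_JUSTIFIED):
    """Clips containing sound from cameras with no documented reason to record audio."""
    return [r for r in recordings if r.audio and r.camera not in justified]

def clock_drift(reported, reference, tolerance=CLOCK_TOLERANCE):
    """Cameras whose reported clock differs from the reference time by more than the tolerance."""
    return sorted(cam for cam, t in reported.items() if abs(t - reference) > tolerance)

if __name__ == "__main__":
    now = ts("2024-06-15T00:00")
    print("due for deletion:", [r.camera for r in expired(RECORDINGS, now)])
    print("SAR matches:", [r.camera for r in subject_access(
        RECORDINGS, "loading bay", ts("2024-06-10T13:00"), ts("2024-06-10T13:30"))])
    print("audio to review:", [r.camera for r in unjustified_audio(RECORDINGS)])
    print("clock drift:", clock_drift(
        {"cam-door": ts("2024-06-15T00:00:05"), "cam-yard": ts("2024-06-14T23:50")}, now))
```

Each function returns the clips or cameras that need action, so the same checks can be scheduled and their results logged as evidence that the retention policy and time-stamp checks are actually carried out.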
Get certainty on GDPR compliance of CCTV with Advanced Overwatch
Advanced Overwatch holds CCTV and security accreditations with in-house experts on both data protection and compliance specifically relating to CCTV and Security Systems. All CCTV systems are installed, operated and maintained in full compliance with applicable regulatory codes and guidelines.
The regulations are yet another demonstration of the convergence of physical and digital security.
Advanced Overwatch CCTV and surveillance compliance services help:
- Smaller businesses to meet their obligations while avoiding unnecessary cost and complexity
- Larger businesses to take complete control by understanding and meeting the compliance requirement in full