Exclusive: The need for compliance in surveillance

December 13, 2021

Cloudview discusses CCTV in the GDPR era and the importance of compliance across the surveillance market.

For many of us, video surveillance is something we are very much used to and, to some extent, we take it for granted. You can find video surveillance systems in commercial premises, in public spaces and even in private homes. The reason for this is that video surveillance is a key security measure that ensures the safety and peace of mind of its many users.

Over the last few decades, video surveillance systems have changed drastically in both appearance and functionality. Early versions of these surveillance cameras were relatively limited, as they could only be used for live video monitoring and lacked the functionality needed for recording, storing and reviewing footage.

Fast forward to modern-day video monitoring systems and we are now able to effortlessly record, store, transfer and review footage, making them incredibly useful for crime prevention and investigation. However – whilst this has turned video surveillance into a very powerful security tool – its application is now governed by stringent privacy regulations that depend on the region of operation, such as the General Data Protection Regulation (GDPR), a piece of European data and privacy legislation.

Since its inception a few years ago, GDPR has completely overhauled how we store, share and repurpose data via direct personal identifiers: names, DOB, addresses and more. Now, with a growing uptake and adoption of video surveillance systems such as CCTV cameras and smart video doorbells, both end users and service providers need to consider how the visual data collected and stored by these video surveillance devices should be handled in accordance with GDPR regulations. After all, personal data capable of identifying an individual is relevant to GDPR and this includes video images.

Importance of GDPR compliance in CCTV operations

Initially, it may be a surprise to learn that the qualitative data available from CCTV surveillance footage is subject to GDPR regulations in the same way as other personal data such as names, dates of birth, addresses and contact details – both sets of data can be used to directly identify someone. However, GDPR treats all identifiable data the same, regardless of its use. For instance, if video footage, which comes in the form of visual data, is either accidentally leaked or maliciously hacked, the subjects (individuals) represented in the footage can be identified, leading to a breach of privacy given their personally identifiable biometrics are being used without their authorisation.

GDPR requires any organisation responsible for managing personally identifiable data to do it in a lawful, transparent, accountable and ethical way that follows guidelines – otherwise, they risk facing a sizable penalty fine; this makes non-compliance a costly mistake for both large and small organisations.

Much of the discussion around GDPR has been limited to the usage of customer data in company databases and very little attention has been given to issues concerning the data captured by CCTV video surveillance systems. This is likely due to today’s data economy because consumer data, in its non-visual form, is incredibly valuable and is often used for commercial purposes either to sell and upsell on products or to derive unique customer insights that cannot be found anywhere else.

However, visual data from CCTV cameras can be useful in its own way when it comes to consumer insights but it is likely not as commercially valuable as data points that reveal age, location, gender and contact details of consumers. Video surveillance systems can capture images of data subjects in the form of still images or video footage used for security and/or health and safety purposes. Under the GDPR stipulations these types of identifiable data are considered personal data and require the same level of protection and care as other data forms in the other areas of the organisation.

The lack of understanding around this can leave unsuspecting organisations open to severe punishments from regional data protection authorities that are responsible for enforcing regulatory data protection laws. One recent example is an online retailer that was fined €10.4 million by the German Data Protection authorities due to an alleged violation of GDPR regulations in regard to its improper use of CCTV video surveillance; this further highlights the urgent need for GDPR compliance amongst video surveillance users.

The issues with compliance seem to stem from a lack of education rather than complete negligence or poor application. Given that visual data is at times not deemed as valuable as other forms of consumer data, and is certainly not as readily available, it can be easy to assume that it wouldn’t be subject to the same stringent data protection laws. In many cases, service providers and end users lack adequate knowledge of GDPR or simply do not have the technical safeguards in place needed to ensure their use of CCTV video systems is GDPR compliant.

This can be solved with a combination of measures, including solutions with efficient technical safeguards for privacy and security, regular audits and high security practices within the organisation, all of which will need to be combined to create a robust and compliant use of video surveillance. Having the right guidelines or tools in place to ensure GDPR adherence is what many CCTV surveillance users, private or commercial, need.

Setting up a foolproof CCTV surveillance system

Both video surveillance service providers and end users need to use tools that have safeguards to ensure complete GDPR compliance. For any CCTV surveillance system to be fully GDPR compliant, it needs to cover the following:

Collect minimal data when operating

CCTV systems, whether for commercial or private use, should be collecting and storing as little data as possible. Any collection of data from subjects should be relevant, adequate and limited to what is necessary for your use of the data in accordance with Article 5(1)(c) of the GDPR legislation; this emphasises that users need to obtain a sufficient amount of data necessary for what they want to achieve and nothing more. However, companies from different industries may have differing opinions on this, as what is sufficient for one organisation may not be enough for the next. As a result, it can at times be a little hard to judge how much data is deemed ‘sufficient’, but as long as you conduct regular data reviews and consistently delete data that you no longer need, this will stand you in good stead for ensuring you remain GDPR compliant.

Access to CCTV image data should be limited

Limiting access to CCTV footage should be key to avoiding data breaches, as restricting access only to those who require it reduces the chances of data being leaked accidentally or maliciously. Those who have the obligation to access CCTV imagery should be management personnel, security and/or those who require access to fulfil their job role. In this instance, operators need to have clearly defined user roles for monitoring and managing the video surveillance systems. By adopting and implementing powerful security processes, including authorisation and authentication – and by extension, multi-factor authentication – organisations can ensure the right users have the appropriate access to sensitive data, leaving no room for any mishaps or user mix-ups.

Cloud-based CCTV systems are emerging as key solutions for keeping CCTV footage safe and secure as they offer cloud storage that enables encryption on secure servers whilst still ensuring the data can be accessed by those with permission.

Ensure transparency in the use of CCTV systems

When adopting and implementing CCTV surveillance, you need to be transparent about how and where you are using it in the interests of remaining GDPR compliant; this requires you to notify the individuals concerned that their personal data is being collected. One way of sufficiently achieving this is to use signs stating that CCTV is in operation in a clear and simple manner. It’s also worth noting that cameras need to be confined to private spaces owned or occupied by the operators; otherwise, permission of use would need to be granted for setting up video surveillance in public or non-private spaces.

In addition to this, you also need to state the reasons for collecting data via CCTV surveillance, which can also be done by way of signage. In line with GDPR regulation, you simply cannot collect and process this data without explaining what you need it for.

Access request compliance

A major focus of GDPR is to give individuals the unequivocal right to access their personal data as well as knowledge of how it is collected and stored and what it is used for. One of the ways this is achieved is by allowing individuals to make subject access requests. Any requests for data access from either the public or organisation members need to be honoured and authorised without any issues as the data subjects ultimately have the right to their own data. Whether this is a formal or informal request to access specific CCTV data, you should be well placed to carry out these requests for information in a secure, safe and accessible way.

Data protection assessments are key

CCTV surveillance systems are deemed high-risk data processing tools, which means that users will be required to carry out a data protection impact assessment before setting up CCTV systems. What’s more, they should also be conducting regular data regulatory audits to assess how compliant they are with their designated regulatory body. Under GDPR stipulations, organisations are obliged to carry out these assessments and audits not only when first setting up the video surveillance systems, or each time the cameras are moved, upgraded or modified, but also periodically to make sure the standard of GDPR compliance is held to a consistently high level.

Ever since the inception of the GDPR regulations back in 2018, CCTV operators will have been required to comply with its set requirements by having the right solutions and tools that have the necessary safeguards in place for adequate data protection of its subjects. This means operating with full transparency, ensuring the safe and secure storage of data, minimising data collection, responding appropriately to access requests and conducting adequate impact assessments before installing or upgrading CCTV systems.

To find out more information about Cloudview, visit: https://cloudview.co.uk/

This article was originally published in the December edition of Security Journal UK. To read your FREE digital edition, visit: digital.securityjournaluk.com
