GDPR – The Implications for You
The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
The principles are similar to those in the Data Protection Act (DPA), with added detail at certain points and a new accountability requirement. The GDPR does not have principles relating to individuals’ rights or overseas transfers of personal data – these are specifically addressed in separate articles.
The most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.
This will have an impact on installation and operation of key elements of your integrated security systems such as CCTV.
The following items need to be carefully considered: –
- Privacy Impact Assessment (PIA) – needs to be carried out and document the potential impact on individuals’ privacy. For example, you have positioned cameras to avoid capturing images of people not visiting your premises.
- Registration- Has your business registered its CCTV processing with the information Commissioner’s Office (ICO)
- Governance – has your business a documented policy and / or procedure about the use of CCTV. Have you nominated an individual who is responsible for the operation of the CCTV system?
- Requests for personal data – have you established a process to recognise and respond to individuals making requests for copies of their own images? and to seek prompt advice from the information commissioner where there is uncertainty.
- Training- Have you trained your staff to operate the CCTV system and cameras including recognising requests for CCTV information / images.
- Retention- You only retain recorded CCTV images for long enough to allow any incident to come to light and be investigated, such as theft.
- Data quality- your system produces high quality clear images which law enforcement bodies (usually the police) can use to investigate crime. You can easily extract these images from the system when required. You carry out regular checks to ensure the system is producing high quality images.
- Data security- your business securely stores CCTV images and limits access to authorised individuals. You regularly check that the CCTV system is working properly.
- Fair processing- You clearly display signs showing that CCTV is in operation. Where it is not obvious who is responsible for the system, contact details are displayed on the signs. Your business outlines the use of CCTV and its purposes on its website (where applicable).
What should you do next?
For regular updates regarding the implications of GDPR, including white papers, opinion pieces and video, please visit our News pages. For further information regarding GDPR from the ICO, please follow this link. And to book your appointment to talk to one of our GDPR experts, or to arrange a Privacy Impact Assessment, please contact us using the Contact Form provided.