Does Your CCTV Comply with GDPR? A Complete Guide on UK Data Law

Yes, CCTV footage falls under GDPR law in the UK, and not complying can lead to large financial implications for businesses. Are you sure your company is complying correctly? Find out in our comprehensive guide below.

With maximum fines of either £17.5 million or 4% of the organization's annual worldwide turnover, keeping compliant with GDPR should be central for your company and its CCTV.

What is GDPR?

GDPR stands for the General Data Protection Regulation, a legal framework that governs how personal data is collected and processed within the UK.

The aim is to protect the personal data of any individual in the UK by ensuring that data collected follows the same procedures and policies, upholding their individual rights.

Personal data covers any information that could be used to identify an individual, including their name, phone numbers, photos, and other features that could be used online or physically.

Most individuals will come across GDPR training as it tends to be involved in multiple industries, businesses and job roles.

There are several rules and these are as follows:

  • Use data fairly, lawfully, and transparently 
  • Use data for specified purposes 
  • Limit the amount of data collected 
  • Ensure data is accurate and up to date 
  • Keep data for no longer than necessary 
  • Keep data secure

Why is CCTV Considered Personal Data Under GDPR?

Where CCTV can capture photos and video that could identify individuals, this is subject to GDPR, just like any other data that falls within this law. This also includes any audio captured.

In all instances, whether it is for domestic use or for business purposes, if your CCTV falls within the above statement, you need to be vigilant with the laws surrounding GDPR and your CCTV, otherwise it can be catastrophic to you.

Before understanding how you must adhere to these rules, it is important to firstly understand if you as an individual, employer, or business owner are considered responsible for complying with GDPR.

Am I Responsible For Complying with GDPR?

Now that you are aware of how CCTV falls under GDPR laws, the next step is to understand whether you are specifically responsible for ensuring compliance with this.

CCTV controllers are considered as those who have control over how and why data is being processed, placing them as the individuals responsible for ensuring GDPR compliance.

For domestic use, the individual utilising the CCTV will be considered as the CCTV controller. If there are multiple individuals involved in this, you would label this as joint controllers and all those involved would be held responsible for this.

With businesses, an individual or group of individuals may be assigned as CCTV controllers. Similarly to domestic use, all those holding this responsibility will be expected to manage the compliance of their CCTV with GDPR.

As an employee, if you are unsure who is responsible, speak with the appropriate individual within your business to establish this.

However, even if you are not considered a controller, it is still important to understand the compliance rules surrounding CCTV with GDPR. 

Take time to learn how to follow this correctly and why it is important: if you witness any potential breach of compliance, you need to report it and know the process involved in doing so.

Why is it Important For Your CCTV to Comply with GDPR?

Knowing why your CCTV needs to comply with GDPR will help you maintain the standards required.

While the large financial implications for both business and domestic purposes are clear, there are other consequences that non-compliance can cause.

With domestic use non-compliance, you could damage relationships and lose trust with neighbours or those in the surrounding area in addition to any legal repercussions. 

For businesses, it can be even more serious because of the reputational damage that can be created. In addition to any fines or legal repercussions, relationships with employees can be damaged, there could be a loss of business, and connections with other businesses you are currently connected with, or plan to be in future, could suffer.

The impact of non-compliance with GDPR regarding your CCTV is not worth the long-term damage it will cause. The sections below therefore take you through the various rules and considerations that should be factored in when utilising a CCTV system.

The GDPR Rules and Responsibilities with CCTV

In most cases, GDPR rules and responsibilities are similar in expectations for domestic and business use; however, there are some differences to be aware of.

Utilising our 20 years of expertise in security solutions, WCCTV understands the importance of GDPR for those using the service and those captured through it. The sections below therefore set out the various rules and responsibilities for all individuals considering CCTV or those currently using it.

Registering Your CCTV

Initially, you need to register your CCTV with the Information Commissioner's Office (ICO).

This is not required for domestic use where you can only view your home or garden; however, in all other instances where you are capturing video outside your property boundary, you must inform the ICO.

For businesses, you must register them, especially any external CCTV systems as they will capture public spaces and personal information from individuals.

Before starting the process of registration, consider the reasons behind the CCTV. You will need to know this, as the ICO will want to establish the reasoning in your registration.

For domestic use, you cannot directly focus on another person’s home or home boundary as this could be considered as an invasion of privacy.

You may be required to pay a data protection fee to complete the registration, so be prepared for this during the registration process, which will all need to be completed in one session.

Complete a Data Protection Impact Assessment

Following registration, a Data Protection Impact Assessment (DPIA) may need to be completed in some instances before any processing begins.

It is a useful tool to help identify the impact of CCTV on people and how to reduce risks present.

You must do a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.

The term ‘high risk’ within this context represents the potential for any significant physical, material or non-material harm to individuals. The ICO provides a list of operations that, alone or in combination, require a DPIA automatically, and these are as follows:

  • Innovative technology
  • Denial of service
  • Large-scale profiling
  • Biometrics
  • Genetic data
  • Data matching
  • Invisible processing
  • Tracking
  • Targeting of children or other vulnerable individuals
  • Risk of physical harm

If following the assessment you find that high risks cannot be mitigated, you must contact the Information Commissioner's Office (ICO) before you begin using the CCTV.

There are exemptions whereby a DPIA may not be required. You can find these from the ICO, along with more supporting information on them.

Consider the Location of Your CCTV

Due to privacy laws, there are limitations on where CCTV cameras can be set up.

Locations considered to be private areas, such as toilets, changing rooms, and places where employees expect privacy, should not have CCTV set up in them.

Before setting up any CCTV system, think about this factor and whether the location could be deemed as a private area.

Have a Lawful Basis For the Processing of CCTV Data

Businesses must have a lawful basis for the processing of CCTV data, and the purpose it was intended for must be the only purpose for which the CCTV data is processed.

For businesses, a lawful basis will often be provided based on legitimate interest. This includes:

  • To ensure the safety and security of their premises
  • To protect their assets
  • To protect staff
  • To monitor for unlawful activity

There will be occasions where employers may also require CCTV due to legal obligations, such as health and safety regulations or industry standards.

Keeping Data Transparent 

For both businesses and domestic CCTV where it covers outside the property boundaries, you must be transparent that CCTV is present and in operation, providing clear signage to indicate this.

There are several rules surrounding signage to ensure individuals are informed correctly with privacy laws considered:

  • Signs Must be Clearly Visible - They need to be readable and clearly indicate that CCTV is in operation, making sure the sign suits the location it is in. For example, an A4 sign for internal usage and A3 for external usage.
  • Signs Should Include Details - They must include details such as a mailing address, website, or phone number as a point of contact.
  • Signs Should Explain the System’s Purpose - You need to include who is responsible for the CCTV. This could be a specific person or organisation.
  • Must Inform Individuals of Filming - Due to privacy laws, individuals must be informed when their personal information is being collected.

Ensure Data Minimisation

As with all personal data, for both business and domestic purposes, CCTV footage should only be collected and retained for as long as necessary to achieve the purpose it was stated for.

If you hold onto CCTV footage for longer than deemed necessary, you could be found to be in breach of the rule on data minimisation under GDPR.

The term ‘as long as necessary’ depends on the reason the data is collected; however, this should be considered before processing to ensure footage is managed accordingly.

The most common retention period tends to be 7 to 30 days, but this can go up to 90 days in higher-risk environments.

As part of this, you also need to consider who can access the CCTV footage as this should also be minimised as best as possible to only those necessary. For businesses, this could be individuals in management positions or data controllers.

Store CCTV Footage Safely and Only Share When Necessary

When storing CCTV footage, appropriate security measures should be implemented to protect CCTV footage from unauthorised access, loss, or destruction.

These measures include encryption, permission-based access controls, and safe storage systems.

Access to such footage should be restricted, and there need to be clear rules on who can access it and why, ensuring that when it is shared with others within a business, personal data is redacted and hidden, except that of the data subject.

For domestic CCTV, there are also restrictions on sharing. You should avoid sharing any footage publicly online and share only in cases where necessary, such as for security, legal reasons, obtaining consent, and supporting the police.

In all cases where a criminal offence has been captured, you must comply with Article 10 of GDPR.

Provide the Right to Request with Your CCTV Footage

With both domestic and business CCTV, you must provide footage to anyone who requests it under GDPR. 

As a business, you must respond within one calendar month of the data subject access request (DSAR); however, this can be extended by a further two months if the request is complex or involves a large amount of data. When extending, you must communicate this to the individual who has requested it within the first month.

With domestic CCTV, where there is a request, you must do this within 40 days and can charge an administrative fee of up to £10 for doing so.

The steps below explain the best way to respond to a DSAR:

  • Verify the identity of the data subject 
  • Clarify the request 
  • Check if the requester's data is being processed 
  • Inspect, collect, and package the data 
  • Provide the data subject with access to their personal data 
  • If the request was received by email, you can send the information by email if the requester agrees 
  • Make sure the requester can understand the information 
  • Be transparent in your response

As part of the DSAR, individuals are allowed to request the erasure of data or the rectification of incorrect CCTV footage.

Audit Your CCTV Regularly for Legal Requirements

Legal requirements can change and GDPR law could be altered, so you need to stay aware of any changes and audit your CCTV systems regularly.

For businesses, it is recommended you appoint a Data Protection Officer to do this.

Assess your compliance at regular intervals and evaluate your practices against the GDPR principles to ensure your CCTV system still meets expectations.

If any changes are required, implement them as quickly as possible to avoid breaching any laws and facing the consequences.

Report Any Potential Data Breaches to the Data Protection Authority

By following GDPR with your CCTV, data breaches should be minimised; however, where they may have occurred, you must inform the ICO.

This can be completed online via the ICO’s website with the Data Security and Protection Reporting tool, through the webchat, or by phone. Whichever method you decide upon, it needs to be completed within 72 hours and should include the following information:

  • What happened and when 
  • The categories and approximate number of individuals and personal data records concerned 
  • Your risk assessment 
  • What you've done to contain the breach

If you are unsure whether you have carried out a data breach, you can complete a self-assessment online to find out if you have.

From here, the ICO will investigate and take action as required.

WCCTV: Market-Leading CCTV Camera Experts in the UK

WCCTV is the UK's leading supplier of Mobile Surveillance Cameras, helping across all industries to enhance public safety, deter crime, manage security, and protect assets.

With our wealth of experience within the security industry, we are knowledgeable in all relevant laws and ensure we maintain this understanding where changes occur. Our fully-managed services aim to support you as a business in supplying high-quality security that is maintained correctly.

Looking for support with your security? Get in touch today!
