GDPR

The General Data Protection Regulation (GDPR) has been put in place so that your personal information is handled correctly by businesses and organisations. This information includes any data that can identify an individual, i.e. name, address, email and any other information that could identify you.

Who does this affect?

Whether you are a small independent business, or a multinational corporation, your systems need to comply with GDPR standards. If your business has older IT and CCTV technology, then these systems are less likely to comply and require reviewing.

Review Your Existing Systems

The Information Commissioner’s Office (ICO) have put some advice together so you can check your systems. There is no ‘one size fits all’ approach, so you need to apply this information to your business. An ICO CCTV checklist can be found here: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/cctv-checklist/

ICO Advice for GDPR

  1. Privacy Impact Assessment – The ICO recommends taking a Privacy Impact Assessment. This helps ensure that any personal data being collected is, firstly, within reason and fit for purpose and, secondly, being stored and processed securely. This assessment should help uncover any areas of an organisation that need addressing.
  2. Data Processing and Storage – It is recommended that data is removed after an appropriate length of time and not stored unless necessary. This prevents businesses collecting unnecessary personal data and storing it for a long time, and helps prevent organisations keeping high volumes of personal data when they don’t need to. When large amounts of data are kept, any breaches become more severe as more data is involved. So, think carefully about how long you really need to keep customer information.
  3. Encryption – “Privacy by Design” is a phrase commonly used in association with GDPR. Simply put, it refers to having systems and processes that have privacy fundamentally built into them. Encrypted and anonymised data is much safer to store. Particularly with CCTV footage, thinking about how this is stored should become a top priority for businesses.
  4. Transparency – A key element of GDPR that will impact surveillance and security is that of transparency and lawful intent. You can’t simply invade people’s privacy and say it’s done for security reasons. Instead, you must be very clear about how and why you are processing data. As a business, you can monitor and track employees via CCTV and other security systems, but there must be a lawful basis for doing so and it must be communicated clearly to all employees beforehand.
  5. New Technology – A key element of GDPR that will impact surveillance and security is that of transparency and lawful intent. You can’t simply invade people’s privacy and say it’s done for security reasons. Instead, you must be very clear about how and why you are processing data. As a business, you can monitor and track employees via CCTV and other security systems, but there must be a lawful basis for doing so and it must be communicated clearly to all employees beforehand.
  6. Access and Accountability – Understanding who has access to what is an important part of GDPR. If unauthorised people can access CCTV footage, then that could become a huge data breach.
  7. Consent – In many cases, it is important to get explicit consent from an individual before you collect and process their data. This applies to employees, customers and the general public alike. It must be clear from the start what data is being collected and whether they provide consent for this.
  8. Frequent Evaluation – GDPR isn’t just supposed to be a manic period where people discuss privacy and then everything goes quiet until the next law change. Instead, businesses should allocate time frequently throughout the year to reassess their GDPR compliance and ensure any new business operations or processes don’t create vulnerabilities in how they handle data. If you would like any advice on your security systems, then we can review your existing systems and make the necessary recommendations.