Guide to Data Protection Laws and the Use of CCTV at Commercial Property

It has been demonstrated that a CCTV security system is one of the most effective measures you can take to both prevent and detect crime at your commercial premises. Just the presence of those cameras can deter potential thieves, while if a crime is committed the film it records could be used as evidence afterwards.

However, when you install CCTV cameras in public areas, you are entering into territory governed by data protection laws which govern any information held – including photos and video – that can be used to identify an individual.

To make sure you’re staying within the law when using CCTV cameras – and this applies to domestic as well as commercial users – we’ve compiled a handy guide to how their use is affected by GDPR regulations.

Things you need to do to comply with GDPR when you install a CCTV security system

Complete a DPIA

Before setting up any cameras, you need to complete a data protection impact assessment (DPIA), which will identify potential risks to the rights and freedoms of individuals as a result of the data and images you’re going to be collecting; that will also give you the chance to minimise those risks in advance where possible.

Make sure people know your cameras are there

People going about their normal business and likely to be caught on your cameras while doing so need to be aware of that possibility, so when filming in a public area you must post signs saying that cameras are in operation there. For domestic users, this only applies where you are filming outside the boundary of your property. If you are a business using CCTV to monitor your employees, they also need to be aware that it is happening and the information must be included in your company’s privacy policy. 

Tell people why your cameras are there

It’s not enough to make sure that people know that they’re being filmed – they also need to know why. So, when filming in a public area, your signs also need to contain information saying something like “CCTV is in operation to help prevent crime”. And when using it to monitor employees, your privacy policy also needs to state why you’re doing it.

Use your cameras only for the purpose stated

If your reason for using CCTV is crime prevention, then that is all you can use it for. You cannot use it to monitor staff – no matter what you pick up – unless that purpose has also been previously and clearly stated.

Manage access to any footage

It’s essential that any footage you do record and keep is only viewed by properly authorised personnel as a legitimate part of their job. Digital data needs to be securely protected, while any physical tapes should be safely locked away.

Delete or dispose of data you no longer need

Not only is there no need for you to keep footage any longer than necessary, but you’re also actually legally obliged to delete or otherwise dispose of it. That can’t just be when you run out of digital memory or physical space, however, or whenever you happen to remember that it needs to be done. To comply with GDPR, the timeframe for which you’ll need any footage has to be established before you start to acquire it. That doesn’t mean you can set a period of years unless you have very good reason – usually a couple of weeks is as much as should be necessary.

Allow people who have been filmed to see the footage

If someone has been filmed on your CCTV cameras and asks to see the footage, you will usually be required to let them do so, free of charge, within a calendar month.

What are the penalties for non-compliance with GDPR regulations?

While the need for businesses and individuals to protect themselves with appropriate security measures is recognised and understood, it is important to remember that individual rights and freedoms are also treated very seriously. GDPR regulations are there to help maintain that balance and ensure that individual rights are not overlooked, so the penalties for ignoring them can be severe.

Potential penalties for GDPR breaches can include a warning or reprimand, a permanent or temporary ban on data processing or fines of up to a maximum of £17.5 million or 4% of annual global turnover, whichever is the greater.

For the very best in modern CCTV and surveillance systems, you can’t do better than talk to the team at Scutum London. With access to some of the most effective security solutions on the market today, we’re the first choice for businesses across London, Surrey and the rest of the South East when it comes to improving security at their premises. 

Call us now to find out more.