The GDPR applies from 25 May 2018 and will require a full reassessment of data protection for the millions of CCTV cameras currently in the UK. This opens up opportunities for the security sector to provide new value-added services.
All CCTV cameras in the UK, in homes, schools, businesses and in the public environment will fall under GDPR, changing the focus of data protection from compliance to accountability.
In recent years, the CCTV industry has transitioned to IP and cloud based CCTV systems, creating opportunities as well as risks, said a reader in IT Law at the University of Bristol.
Cloudview CEO James Wickes said: “The GDPR places new demands on CCTV users, and non-compliance puts them at risk of a significant fine. However, they may be able to use the changes it requires in a positive way. The GDPR gives them an opportunity to tackle what is often a negative image, of being watched by a third party, and take the lead in demonstrating accountability and privacy protection. They will need to review and possibly change their privacy policies, but by using new technologies such as cloud they can meet the new regulations while improving data accessibility and opening up new applications for visual data.
“Cloud allows selective and secure access to CCTV footage from any device by nominated employees, and it also offers performance improvements such as making data more readily accessible, providing accurate date and time stamping and providing constant updates on camera status so any technical problems can be rectified immediately. It’s up to the industry to use the GDPR as an opportunity to rethink the way that visual data is stored, how it’s secured and ultimately how it can be used to better effect as a business tool rather than purely as a security system.”
Here are our top 10 key points to remember about GDPR:
- Any organisation that processes the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behaviour, will be subject to GDPR regardless of where it is established. Collecting IP addresses or tracking users with cookies can by itself bring an organisation into scope, because such identifiers count as personal data.
- Data Protection Authorities (DPAs) will have the authority to enforce much more severe penalties for breaches of the regulation. GDPR sets a tiered approach to fines, with the top tier reaching €20 million or 4% of worldwide annual turnover, whichever is higher; by comparison, the maximum penalty under the current Data Protection Act is £500,000.
- The definition of ‘personal data’ has been expanded and now includes identifiers such as mobile device identity and IP addresses.
- Where organisations rely on consent as their basis for processing, that consent must be freely given, specific, informed and unambiguous; burying it in long, unreadable terms and conditions will no longer be acceptable. Individuals also gain stronger rights over how their data is processed, for example the ‘right to be forgotten’ (right to erasure) and the right to data portability.
- The GDPR outlines the security measures expected for the protection of personal data: the ability to ensure the ongoing confidentiality, integrity and availability of processing systems, and a process for regularly testing and evaluating the effectiveness of the security measures implemented.
- Organisations will need to maintain records of their processing activities, capturing the life cycle of the data as well as the contact details of the data controller. Keeping such a register of processing activities becomes compulsory.
- Data protection impact assessments will need to take place where processing poses an elevated risk to individuals, for example profiling, or the large-scale systematic monitoring of a publicly accessible area, which is exactly what many CCTV deployments do.
- It will become compulsory to report personal data breaches. Under Article 33 of the GDPR, businesses must report a breach of personal data to the DPA within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where a breach poses a high risk to the affected individuals, they must also be informed without undue delay. Losing personal data that had not been encrypted is an example of a breach likely to be treated as high risk, whereas data rendered unintelligible by encryption may exempt the business from notifying the individuals concerned.
- Businesses that monitor individuals on a large scale, or that process particular categories of sensitive personal data on a large scale, will be required to appoint a Data Protection Officer (DPO). The DPO will be responsible for ensuring the organisation complies with the regulation and will report to the highest management level within the organisation. The DPO must be able to perform these tasks independently and cannot be dismissed or penalised for performing this role.
- At the core of the GDPR is ‘data protection by design and by default’: privacy safeguards must be built into systems from the design stage rather than bolted on afterwards.