Top 3 Most Common Breaches of Data Protection Regulations (GDPR)
CCTV often gets forgotten in the world of data, although it is constantly creating and sharing data in the form of images. Any information from which an individual can be identified is considered personal data under the EU General Data Protection Regulations, meaning these images and the CCTV system require the same attention that is put into other areas of your business, such as employees’ or clients’ personal details.
Having carried out many CCTV audits across many different sectors, Watch Systems Limited have listed the top 3 mistakes businesses make in terms of breaching GDPR.
1. Is your signage incorrect?
With the commercial property market back on the rise, and office spaces in particular slowly but surely rising in demand following the pandemic, properties are transferred from one managing agent to another, and often the minor details can slip through the net.
Not only can CCTV signage be a deterrent against crime, but making sure signage is GDPR compliant is vital in ensuring your premises is not breaching any rules and regulations. According to the General Data Protection Regulations (GDPR) of 2018, any businesses that have a CCTV system in place are required to notify people that images of them are being recorded. These recordings are considered ‘personal data’, in that it may be possible to identify an individual from images captured.
All signage needs to detail the organisation operating the system and what it is being used for, and list the contact details people can use if they have any queries. When managing agents change or a property is sold, the authority responsible changes too, so it is important that the signage around the premises is updated with the new authority’s details.
2. Do you have a policy in place?
The ICO (Information Commissioner’s Office) states that you will need clear procedures to determine how you use the CCTV system in practice. A policy is the easiest way to make sure that everyone involved in the organisation is using the CCTV system appropriately and consistently. It should cover the purposes you are using CCTV for and how you will handle this information, including guidance on disclosures and recording. It is generally good practice to assign day-to-day responsibility for CCTV to an appropriate individual. They should ensure that your organisation sets standards, has procedures in place and that the system complies with legal obligations, including individuals’ rights of access.
3. Are you storing your data for too long?
When setting up your CCTV system, whether IP or analogue, you should determine how long you need to store the data for the purpose your business has set. Data should be retained for the minimum time necessary and disposed of appropriately when no longer required. It would be easy to set up your recorder to store footage based on its storage capacity, but this may be a lot longer than is deemed necessary under GDPR. A 31-day standard is recommended within most settings, in order to keep the images long enough in the event of a crime, with the recorder writing over this data once the 31-day period is up.
If you require any information regarding CCTV GDPR and the effect it has on your business’s security, Watch Systems Limited can provide a full site audit to check the compliance of your system and make recommendations accordingly.