Skip to main content

A Practical guide to the GDPR & CCTV surveillance

The GDPR is intended to update the Data Protection Act and give individuals more information and control over how their data is used. So, how does this impact CCTV?

 

For those who run a CCTV system, the act requires you to think and document the use of your system. The ICO have detailed guidelines on this. The purpose of this guide is to look at the practical considerations for most surveillance scenarios.

 

Let's start with what to consider and document:

Icon of a surveillance camera

Reason for surveillance

Do you know the reason you have, or are thinking about, installing cameras?

 

Having a strong reason or aim for the installation can help you evaluate if CCTV is the right choice and provide a means to evaluate effectiveness, post installation.

 

For example, if you're trying to deter vandalism around your property at night, lights may be a more effective deterrent.

 

Whatever your choice, write it down. This could be a few simple paragraphs outlining your need and the reasons you've made the choice you did.

 

By knowing your reason for surveillance, you can decide your basis for surveillance which also needs documenting.

Icon depicting privacy

Considering privacy

As part of your reasons for surveillance, you should note down what precautions you'll take to minimise the impact to privacy. This could include thinking about camera positioning, data retention and keeping your system as physically and cyber secure as possible.

 

Here are some examples of questions for you to consider:

 

1. Have you followed the hardening guide for your cameras?
2. Who has access to your security system?
3. Can system access be audited?
4. Are staff aware of data retention policies?
5. Are they followed?
6. Do you have alerts to detect incidents?

Icon depicting a document/folder for "policies and procedures"

Policies and procedures

A key requirement of the GDPR is written documents, particularly policies and procedures. Here's some examples of what you could include:

 

1. What should be recorded
2. Who can view the footage
3. How long it should be retained for
4. Practical examples of situations and how to respond
5. Finally, ensure that your staff are aware of the policies and they have been trained in them. Your data controller should check understanding and that the policies are being followed.

Magnifying glass icon

Areas of extra scrutiny

With the ever-improving array of features in IP cameras, there are some which pose a larger threat to privacy and therefore require more thought:

 

1. Audio input (particularly where you can record conversations)
2. Automatic number plate recognition
3. Facial recognition
4. High resolution PTZ

5. Audio

 

All these solutions can be used, but they require more justification than general surveillance. If you choose to use this technology, ensure it's clear on your signage.

Icon depicting a cycle of review

Regular (at least annual) reviews

The needs of your organisation change over time, so keeping your assessments up to date is important. The CCTV Data Protection Impact Assessment (DPIA) from the Surveillance Camera Commissioner suggests carrying out a DPIA when:

 

1. Cameras are added/removed/move position
2. System is upgraded (whole or partially)
3. New system is installed
4. Biometrics are introduced


The government data protection impact assessment is available to download as a template.

 

Other regular checks could include more practical tasks to keep your system secure like:

 

1. Are your security feeds encrypted?
2. Is the VMS accessed with user logins for everyday surveillance (i.e. an account without admin rights)?
3. Are there any firmware updates that can be added to the system?

Icon depicting the silhouette of a person

Accountability - named responsible person

The GDPR requires accountability through a named person within an organisation.

This could be your head of security, IT or business owner. In GDPR speak they're known as "data controllers". It's their responsibility to carry out regular checks to ensure that your policies and procedures are adhered to.

Icon depicting a loudhailer

Informing the ICO

Unless you're a home user, you need to make the ICO aware that you're using CCTV. This is done by paying an annual fee to the ICO if you use your CCTV for crime prevention.

You'll also need to inform the ICO if you have a breach, for example, if your security footage is hacked.

Icon depicting a scroll to signify "Laws"

Other laws which affect CCTV footage

The GDPR isn't the only law that governs security footage, the following also apply:

 

Network and Information Systems (NIS)
Freedom of Information Act
Protection of Freedom Act


The NIS relates to critical infrastructure like energy, transport, finance and digital infrastructure. As well as emphasising policies and procedures, it requires organisations to manage risk in their supply chain.

 

The Freedom of Information Act applies to public sector organisations and entitles members of the public to request information. This means a person can request a copy of footage containing them.

 

While the Protection of Freedom Act introduced a statutory code of practice for CCTV and automatic number plate recognition systems.

Conclusion

From a security system point of view, the GDPR puts personal freedom first, so surveillance is:

 

1. Used for a specified purpose
2. Not kept for longer than necessary
3. Clearly signposted


A common failing with many organisations is the lack of written documentation. In other words, the organisation has done the hard work but hasn't documented anything.

Hopefully, this guide helps to point you in the right direction to comply with the act.

 

Further reading:


ICO CCTV Code of Practice

ICO CCTV Checklist

We're here to assist you
Speak to one of our experts, call us on 0151 633 2111