Academic warns firms using CCTV not to be “caught out” by European Union’s GDPR

Organisations are putting themselves at risk of breaching the European Union’s General Data Protection Regulation (GDPR) because they’re failing to realise that the new regulations cover their CCTV systems as well as the visual data they collect. These are the words of Andrew Charlesworth, Reader in IT Law at the University of Bristol, and are spoken just over six months in advance of the GDPR being enshrined into law.

In a White Paper written for Cloudview, Charlesworth observes that, because CCTV systems have been lightly regulated until now, there’s a danger that end users will not understand their obligations under the new legislation. New IP-based systems can expose operators to significant data protection and privacy risks, but Charlesworth uses a recent court case to show how data protection legislation applies to all CCTV systems which record and store visual data, both in the public and private sectors.

Charlesworth cites a dispute earlier this year between two householders in Scotland where one recorded and stored data covering the other’s private property and from which they could be identified. This resulted in damages of more than £17,000 for distress caused. The court was not asked to consider whether data was kept appropriately secure and met other data protection requirements, which would also be considerations for data controllers running operational CCTV systems.

As there’s no compulsory registration process, it’s difficult to form an accurate estimate of operational CCTV cameras in the UK. In 2015, the BSIA said there were between four and six million cameras. Cloudview’s own research suggests that there are currently around 8.2 million cameras, all of which will need to comply with the GDPR.

“Changing technology created the need for the GDPR, altering both the data protection environment and public perceptions of what constitutes acceptable data processing,” explained Charlesworth. “From 25 May, all CCTV operators will have to be proactive in assessing, improving and ‘evergreening’ their compliance efforts. ‘Tick box’ compliance will no longer be sufficient. However, the GDPR provides a significant opportunity to enhance the industry’s public image as a valued and trusted service, rather than an unaccountable and privacy-invasive ‘eye in the sky. The Judge’s final comments in the case of Woolley versus Akbar are telling. The default position is that any professional (individual or organisation) setting up a surveillance system will be aware of the potential impact of their activities on data subjects, and also be familiar with the application of relevant law and guidance.”

James Wickes, CEO and co-founder of Cloudview, responded: “As Andrew points out, there are already precedents for fining CCTV end users who breach existing data protection legislation. Users need to assess their CCTV systems alongside the rest of their IT, always remembering that the law applies to everything from a single camera monitoring the entrance to their office through to a larger system used in a business or public spaces. The good news is that the GDPR affords CCTV end users an opportunity to tackle what’s often a negative image and take the lead in demonstrating accountability and privacy protection. They can also use new technologies such as cloud, which enable them to meet the new regulations while at the same time improving data accessibility and security.”

*The White Paper can be downloaded here http://www.cloudview.co/whitepapers/watchingthewatchers

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting.

In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector.

In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award.

An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award.

Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site.

Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media.

Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014.

Related Posts