Understanding the Implications of the GDPR on Surveillance and Security

The European Union’s General Data Protection Regulation (GDPR) that became UK law on 25 May this year has caused confusion and a degree of panic across the security sector, with mixed messages being imparted about the impact this new legislation has on the use of surveillance systems, observes Derek Maltby.

In order to dispel the myths and misconceptions that are being put forward, the Global MSC Security Conference and Exhibition 2018 (which this year is run in association with Risk Xtra as the event’s Official Media Partner) will focus on ‘GDPR, Surveillance and Security’ by way of providing much needed clarity on the matter. The free-to-attend event is taking place on Tuesday 13 November at the Bristol Hotel in Bristol city centre.

Having spoken to numerous security and surveillance professionals both pre- and post-25 May, it’s clear to me that there’s no sector-wide consensus regarding the GDPR. The rights of the individual in relation to their personal data that the new regulation affords can appear to be at odds with the ethos and practices of successful security surveillance.

However, it’s also important to recognise that there has always been a clear responsibility for security operators to be mindful when regarding how they collect, store and protect information deriving from their security and surveillance systems. The GDPR is a legislative reminder that data collection and storage procedures may well need to be tightened up.

Data Protection Act 2018

The UK’s own Data Protection Act 2018 (which was introduced side-by-side with the GDPR to specifically cover our nation’s needs, as well as wider EU legislation) replaces the earlier 1998 Act, but many organisations and Local Authorities were already struggling to meet those stipulations.

Part of the problem is that many organisations still lack the internal expertise and training necessary to meet evolving legislation. Ideally, all organisations that deal with the personal data of individuals (which, in this day and age, is most organisations) need at least one Data Protection Officer in situ to ensure that they have procedures and rules in place allowing them to remain on the right side of the law.

The internal expertise issue seems to be particularly evident with Local Authorities. These bodies often use a number of smaller security surveillance networks – such as those found in council offices or public libraries, for example – that may lack the management oversight, processes, signage and even relevant technology needed to meet today’s legal requirements.

Understanding the consequences

Any organisation that deploys any form of surveillance system needs to be aware of the potential implications of failing to adhere to the GDPR and recognise whether or not their systems and procedures could be breaching the newly-tightened rules. Failure to do so could result in a hefty fine, but equally so may involve significant negative publicity and associated reputational and commercial damage.

Undoubtedly, the Information Commissioner’s Office will levy the substantial fines at its disposal at some point, with an example probably being made of a large or high-profile organisation found to be knowingly and repeatedly flaunting the rules.

Worryingly, it’s apparent that some GDPR compliance practitioners have played on these understandable fears (often with smaller and perhaps more financially vulnerable businesses) to win clients. Instead, organisations need to clearly understand the requirements of the GDPR and put measures in place to meet them as a mark of good practice and out of due respect for customers and the public every bit as much as the need to avoid potential punitive measures and punishments.

Don’t bury your head in the sand

The worst possible approach to adopt in relation to the GDPR is putting your head in the sand or assuming your organisation is somehow exempt. It’s very easy to presume that keeping a low profile and hoping for the best will work, but the legislation is designed to change general expectations around the use of personal data and looks to punish those who don’t comply.

The public is becoming much more savvy when it comes to privacy issues and the value of personal data, as well as being attuned to usage rights. The best approach is to understand the GDPR rules on surveillance and to ensure your organisation demonstrably meets them on an ongoing basis.

Interestingly, some high-profile Government agencies seem to be – in my view, anyway – setting a rather bad example. For instance, UK motorway surveillance cameras (as opposed to ‘speed’ cameras) still seem to lack adequate signage as stipulated by the Data Protection Act and the Information Commissioner. This sends confusing signals to other surveillance operators and is a good example of an issue that needs to be discussed and addressed with a view to providing greater clarity on the matter.

Global MSC Security Conference and Exhibition 2018

Derek Maltby

Derek Maltby

Among a ‘jungle’ of GDPR guidance from free and paid-for sources (and sometimes questionable ‘expert advice’), there’s some good and accessible general advice available (such as that provided on the Information Commissioner’s own website).

However, finding details on specific surveillance queries can be more of a challenge, and especially so for busy professionals who need to concentrate on running and building their business. Fear not. The Global MSC Security Conference and Exhibition 2018 will feature a wealth of presentations and seminars designed to dispel the myths and offer solid, accurate advice on the challenges presented by the GDPR.

Expert speakers include Surveillance Camera Commissioner Tony Porter QPM LLB MSyI, the ICO’s policy officer Anne Russell, Peter Spindler MSyI (director of Soter Protective Services), Avon and Somerset Police Sgt Chris Green, Jim Guiton (Community Control Room manager at Dacorum Borough Council in Hertfordshire) and Professor Pete Fussey, a criminologist at the University of Essex.

The event will offer relevant and honest advice such that security and surveillance operators can meet the expectations of the public while at the same time protecting them from danger. For further details or to register for the event visit www.globalmsc.net/seminars-2/

Derek Maltby is Managing Director of Global MSC Security

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts