Does GDPR protection affect CCTV?
It certainly does. The usage of CCTV (Close Circuit Television) and the images captured of individuals, regardless of if its for security or
for health and safety purposes, all fall under the regulations of GDPR.
Any images which can identify someone are considered personal data and as such require the same level of consideration towards its storage as any other type of sensitive information.
To help, we have put together the most important aspects of GDPR
information relating to the correct and compliant use of your CCTV.
Can I justify having CCTV?
Most of us are should now be aware that the GDPR requires any processing of personal data to be fair, lawful and transparent. As your CCTV system collects personal data in the form of images it falls under the same rules as other data you may capture.
In almost all cases, the business owners we encounter have a legitimate reason for operating CCTV. However, you will be required to justify this should you ever be asked about your systems area of coverage. So ask yourself, ‘What purpose does
my CCTV serve?’
Individuals rights and freedoms cannot be ignored. Even inside your business premises, your employees have a right to privacy so camera locations need to be well thought out, and most importantly……justifiable.
How long can I keep footage for?
One of the main principles of GDPR is the duration of time which you keep data, or in the case of CCTV, footage. GDPR dictates that you only keep data for as long as it is justifiably required.
A good example would be a high street shop. This sort of business would not be expected to keep footage for any longer than 6 months as by then any theft or crime would have been reported and any footage reviewed.
To complicate things slightly there is no defined time frame to work to as CCTV is subjective to its purpose. You need to decide what’s justified to keep, and delete any footage that no longer has relevance.
However, depending on your level of storage CCTV systems will re-record over footage once the hard drive reaches capacity, in most cases 30 days
Can anyone request to see my CCTV Footage?
As with all other personal data covered by the GDPR, anyone captured by your CCTV system has a right to access. This could result in you having to disclose footage to them through a process known as a ‘Subject access request’.
You will need to be sure that the person requesting this is present in the footage and you are not disclosing anyone else’s personal data by providing it. This responsibility lies with the Business owner or their Data controller.
You may have to go as far as masking or blurring parts of the footage such as individual faces or even vehicle registration numbers. Any footage or data released to the applicant should be done free of charge.
Are you sure this all applies to me?
In general, Yes. CCTV is installed to view and in most cases record live images of individuals. This in mind, most uses of CCTV systems whether by businesses or organisations will be included.
The ICO has endeavoured to clear up any misunderstandings by providing a code of practice for any owners or operators of CCTV Systems.
This helpful document provides recommendations on the use of CCTV systems to help everyone be GDPR compliant.
If your company would benefit from some expert advice concerning your current CCTV provisions, of if you’d like a fully GDPR compliant quote for a new system, call Our expert team to arrange a consultation.