GDPR Systems a GDPR Solutions Provider discusses what the Morrisons Data Breach means in a GDPR World

Morrisons

“Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.

The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.”

(Nick McAleenan – data and privacy law specialist at JMW Solicitors)

These words were said after the court ruling that Morrisons were ‘vicariously liable’ for the data breach carried out by a former employee.

But what does this example mean in a GDPR world?

It’s important to realise that this case is being handled under the scrutiny of the current Data Protection Act, but when the GDPR comes into play on the 25th May 2018, would the outcome have been any different?

Could they have stopped this data breach?

Morrisons said: “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues. Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”

I don’t know what data protection systems Morrisons currently have in place – I would hope, given the reputation of the brand, that they are already GDPR ready. But if they aren’t, and we assume that the judge was ruling based on current legislation (the Data Protection Act), this throws up a whole lot of questions as to what the legal outcome would have been if we were already at May 25th next year.

Whilst this is interesting to speculate on, the fact is we’ll never know. However, the key implications of this case lie not in whether the company could or could not have prevented the breach in a GDPR era, but in the staff members’ reaction to the breach.

I’m not talking about the potential payouts that Morrisons may have to make, or how the claimants feel about their personal data being accessed and used in such a way. I’m talking about what the actions of the claimants have done to raise awareness of personal data and what companies do with it.

This, in the context of GDPR, is key, given that the whole point of GDPR is accountability and transparency.

The changes that the GDPR demands of every company are wide, varied and complicated, so working to a GDPR checklist or with a GDPR solution provider will help companies to start the process of ensuring that there is nothing else they could do to protect the personal data they hold from a breach.

The pressure to do this, at the moment, is coming from the scaremongering that many GDPR experts are bandying around about the potential fines that the ICO could levy against any infringement.

But in the long term, this is not what is going to drive companies’ behaviour when it comes to GDPR – the reaction of the consumer is.

No company wants to appear inept at best or at worst uncaring to its customers and whilst the talk of reputational damage is valid, memories are generally short and companies tend to move on quickly.

However, it seems fair to assume that, as we sit here now, most people aren’t really aware of what their rights are regarding the personal data that is held and used by companies.

Crucially, as more and more data breaches are reported in the mainstream press (data breaches happen now anyway – we just don’t hear about them too often!), there will be more and more references to the GDPR, which will in turn create more awareness among consumers of their rights and privileges when it comes to their personal data held by companies – large and small.

Increased knowledge will lead to more questions being asked:

‘can I be taken off your list please?’

‘where did you get my consent to send me this from?’

‘why have you kept video recordings of me?’

These will be just a handful of the questions consumers will be asking – and will be expecting answers to.

So cases like Morrisons serve to highlight not only a company’s data protection inadequacies, but where the real power lies in the transparency that GDPR demands – with the consumer – as it should be.


WHAT?! CCTV data is part of the EU GDPR?

From the 25th May 2018 the CCTV industry will have to change.

CCTV data under the new General Data Protection Regulation (GDPR) will require the same respect and process as ‘traditional’ personal data such as a person’s credit card details, name, address and date of birth.

And ‘Accountability’ to secure the data is on the end user.

For the industry, this marks an important milestone in the ‘convergence’ of cyber security and data protection.

The General Data Protection Regulation (GDPR) is EU-wide legislation (not affected by Brexit, and bought into wholesale by the UK government) that comes into force next year. It is the natural evolution of the Data Protection Act (DPA), which was born in a world where the term ‘cyber security’ didn’t exist!

The GDPR carries many of the same principles as its predecessor – a person’s right to have their personal data protected – but it defines the responsibilities of those handling and using the data in much more detail.

The DPA was to some degree a tick-box exercise – it was easy for businesses to categorise themselves and declare that they understood and abided by the rules without having to think about it too much.

The GDPR changes all of that.

GDPR is not something that you can become ‘compliant’ with. It is a set of regulatory principles that require companies that hold and use data to understand, manage and, above all, protect the data they have to the best possible standard – there is no set of standards to which any company can pin a badge saying ‘I’m now GDPR compliant’!

There are 5 categories of data that the Information Commissioner’s Office (ICO) lists as the main types of data to be considered.

These are:

  • Information Security
  • Direct Marketing
  • Records Management
  • Data Sharing and Subject Access
  • CCTV

If you ask most people on the street (and I have done this!) for examples of what they consider to be personal data then answers include things like, ‘bank details’, ‘addresses’, ‘names’, ‘medical records’, ‘email addresses’, ‘store cards’ and so on.

Not once has anybody mentioned moving or still images.

Yet this is the principle on which the CCTV industry is built – clear, accurate images, with every company trying to be the best.

So what are the key elements of the GDPR?

Fundamentally this can be narrowed down to one word.

Accountability.

Companies that have CCTV systems installed in their premises will be required by law to prove that they have taken all reasonable steps to protect the data they hold – whether they be a single owner corner shop or a multi-national chain.

Clearly at the moment this doesn’t happen – we’ve all seen the funny videos on YouTube of the inept burglar bumping into a lamp post after breaching a premises, and often these videos show other people in the frame as well as other types of personal data. This can no longer continue, as putting other people’s personal data (their images) ‘out there’ is proof in itself that the data is not being kept safe and secure.

So what does this mean for business owners who use CCTV systems?

Often a company’s CCTV system is standalone – that is, it is not linked to their email database, their marketing activity, their POS data or any other personal data that the company may hold. For this reason companies now need to look at their methods of data collection: why they have chosen CCTV as a method of data collection, what they plan to do with the data, who is responsible for the data, how securely the data is captured, how long they plan to keep the data and how securely the data is stored.

On the face of it most companies will have answers to these questions. However, the accountability required under GDPR will mean that every company will need to find a way of proving that they have policies and documented procedures in place, as well as monitoring and recording systems, to cover all aspects of the data’s security, so that in the event of a breach or suspected breach they can provide the required information to the ICO upon request.

This will have an impact on every business that uses a CCTV system – consideration needs to be given to whether they actually need CCTV in the first place, what systems they have in place to document each process and develop relevant policies, and how they will deal with subject access requests, deletion requests and the right to be forgotten.

In addition it will be incumbent on every business to educate their workforce as to the changes that GDPR will enforce on their business as well as potentially re-defining job roles or creating new ones.

Whilst the liability and responsibility for the safety and security of their data (which also includes the physical element not just the digital element) rests firmly on the shoulders of the end user, the CCTV industry also has a responsibility to both educate and work to develop data safety and security.

Manufacturers will have a responsibility to provide clear instructions on how to protect the data. Encryption must become the norm, and they will have to lead by example.

Integrators/Installers will have an obligation to their clients to be able to explain to end users in more detail but they themselves will need to be educated in order to be able to convey the message clearly.

End users must make sure that they understand and can manage their CCTV system appropriately – ignorance or lack of knowledge is no longer a reason for failure of data security.

The CCTV industry bodies must also take the lead in educating those in the industry – this isn’t going away and with the potential penalty of a 20 million Euro fine, the ramifications will become severe.

We all know that the security industry can sometimes be guilty of falling behind other industries when it comes to technology, implementation and general attitude towards fast progress, and whilst there are many conversations about cyber security happening which are exciting, innovative and massively advantageous to the end user, we must now position this against the backdrop of data protection and specifically the GDPR. Otherwise the industry may have some serious questions to answer, as well as a few multi-million Euro fines.

General Data Protection Regulation (GDPR) and how it impacts companies with CCTV on their premises

CCTV has long been a global favourite for protecting all types of premises, as businesses naturally want to safeguard their property, customers and employees. Cameras can be placed in as many different areas of the building as necessary and footage transmitted back to monitors elsewhere. This means less chance of burglary or vandalism (and a higher chance of catching the culprit if it does happen), as well as reducing insurance costs amongst many other things.

GDPR and CCTV

The subject of data protection and privacy is a hot topic in the media. Evolving legislation surrounding the location of CCTV cameras, as well as what the images can be used for, is not to be taken lightly. Up until now anyone and everyone could install a CCTV system without really thinking about the consequences – with the introduction of new General Data Protection Regulation (GDPR) this will all change.

After publication of the GDPR in the EU Official Journal in May 2016, it will come into force on 25th May 2018. The two year preparation period has given organisations time to prepare for the changes, which will take place regardless of Brexit.

The GDPR itself is Europe’s new framework for data protection laws, and it replaces the current Data Protection Act. It has been established that as technology has moved on massively in recent years, the current legislation is now out of date. The GDPR puts personal data control firmly in the hands of customers as well as harmonising data privacy laws across Europe.

In essence, GDPR is about adopting best practice around the handling, control and security of an organisation’s information. It is to update and enhance an organisation’s processes and improve the quality and integrity of data held. In addition, it encourages businesses to rethink why and how they capture personal data and to what ends.

What are the key actions to be taken?

It’s important to understand that just because a company is already highly compliant with the Data Protection Act, it doesn’t automatically mean it will comply with the new GDPR. There will still be changes required.

Broadly speaking, a business must:

  • Employ Data Protection Officers/Controllers – A senior member of staff should be designated a Data Protection Officer. This should be someone who takes responsibility for data protection compliance.
  • Justify its CCTV – If an organisation is placing cameras around the perimeter of a site to detect intruders, it should be easy to justify this. However, if the main reason for installation is to monitor employees, then it is not straightforward, as it’s potentially an invasion of privacy. If a business can prove that the cameras are there for Health & Safety reasons, particularly if there have been past issues, this may be acceptable.
  • Inform people – The purpose for the data being collected should be clear, especially if it’s not obvious. If it’s for employee monitoring or Health & Safety, this needs to be highlighted to anyone being captured by the cameras. Signs highlighting CCTV use and a contact number for anyone wishing to follow up is enough.
  • Retain data – A Data Controller needs to have a very specific and valid reason for storing and retaining data. Retention is generally about 30 days. If a firm needs to retain CCTV data for longer, then a risk assessment should state how long and why. A modern CCTV system will allow you to set retention limits per camera.
  • Satisfy personal data requests – GDPR dictates that anybody who is recorded on a CCTV system has the right to ask for a copy of their own personal data from the footage. This should then be supplied.
  • Be able to redact images – If any other individuals are visible in the footage, there needs to be a footage redaction service provided, i.e. to blur out the faces of other individuals.
  • Supply CCTV images to authorities – Relevant authorities such as the police may request footage, and it should therefore be supplied.
  • Ensure that any subcontractors follow procedure – A business will be open to data breaches if a third party can distribute, or remove, personal data in the form of CCTV images without following correct procedure. Under the GDPR, data breaches must be reported within 72 hours.

Non-compliance

Serious financial consequences are likely if non-compliance is determined. Any organisation which fails to meet the required standards can be landed with a fine of up to €20m or 4% of global annual turnover, whichever is greater. Most notably, it doesn’t matter who is responsible for the breach – it will be the organisation itself that foots the bill and suffers any consequent reputational damage. This even applies if it’s not someone who is employed by the company, such as a malicious attacker or third party.

Starting this journey sooner rather than later will minimise the risk of a fine, bad publicity or even a legal process.

How does it affect CCTV customers with more than one premises?

Businesses working across multiple premises should make sure each one is well aware of the policies in place around CCTV. Every staff member in every premises must play their part and excellent communication is vital.

Each premises within the business is likely to be different in terms of size, CCTV camera locations and geographical location. Therefore, staff within each building need to consider how the individual premises will be compliant, because one size is unlikely to fit all.

Below are some key issues each premises must consider:

  • Examining what CCTV footage is already held (if any) – An information audit should be held for all staff across all departments. Each team should document what footage is held, where it came from and who it may have been shared with.
  • Reviewing privacy – Current privacy guidance should be reviewed and a plan put in place for making any necessary changes in time for when GDPR comes into force.
  • Access requests – Updating their procedures and planning how to handle requests from individuals to see any of the footage.
  • Consent – Reviewing how they’re seeking, obtaining and recording consent, and whether any changes should be made.

In conclusion, it’s no longer acceptable to ‘not understand’ or ‘not be aware of’ the new GDPR legislation. Ignorance is likely to be very costly, in both finance and reputation. So whatever sector a business is in, it should start considering its next move now.

GDPR, CCTV and convenience stores

GDPR for CCTV

GDPR is a new regulatory framework which is due to come into effect on 25th May 2018. It will standardise, and make businesses accountable for, the personal information they hold on people within the European Union – this includes the UK, regardless of Brexit.

CCTV images and audio are seen as personal data and under the new regulations will need to be taken much more seriously when it comes to data protection.

CCTV has long been the weapon of choice in the fight against crime for convenience stores. Intelligent store layout and shrewd placement of cameras is a proven strategy, particularly at entrances, exits and till points.

Convenience stores will have many unique challenges, and will face a very specific and diverse set of issues on a daily basis. Cameras will be used for everything from monitoring age restricted sales to self-service tills to anti-social behaviour.

In addition, many stores have extra cameras in areas such as stock rooms and staff areas, to help deter any internal theft. Staff theft can take many forms such as price overrides, taking cash from the till, double ordering or fraudulent refunds. Aiming to prevent these types of theft is a justification for a CCTV system, particularly if it’s something that’s happened before.

In terms of customer theft, certain higher value items like meat and alcohol may also require CCTV surveillance, and again this is acceptable under the new regulation. However, once GDPR comes into force, camera location and purpose will need to be scrutinised and documented in more detail than before, and the purpose of each camera should be very clear. Staff must also be fully informed and trained on all policies and procedures that the company has in place regarding the store’s use of CCTV.

Fines for a lack of adherence to the GDPR can top 4% of annual turnover – a massive deal for a small convenience shop.

Whilst some smaller convenience store groups and individual stores may be exempt from certain aspects of the GDPR, all convenience stores will be faced with other issues. For example, if a child is caught stealing from the shop, the owner may see this as a personal grievance and wish to show the CCTV evidence to the child’s parents. Under the new legislation, however, this could cause issues with privacy, and a small business owner should be cautious. Additionally, convenience stores are often located in built-up areas or housing estates, and the privacy of local residents is vital. Store owners should be certain that any external CCTV cameras do not inadvertently ‘look’ into people’s gardens or private property.

What do convenience stores need to do?

There are many ways in which to get lost in the GDPR; however, there are some core elements which need to be actioned.

Each store should:

  • Conduct privacy impact assessments
  • Register with the ICO
  • Have in place policies and procedures relating to:
    • Good governance in the use of CCTV systems
    • Personal data requests
    • Staff training
    • Retention policies
    • Data deletion policies
    • Data security measures
    • Lawful basis for data processing

In addition to all of the above, relevant personnel should be identified and all actions should be logged.

As the cornerstone of many communities, the local convenience store is often a hub of local activity – both positive and negative – and so owners deserve the right to protect their property, their staff and their customers. CCTV represents a very effective way of doing this, and whilst it may be daunting and time consuming for many owners to ‘get up to speed’ with the GDPR, the benefits will far outweigh the consequences if it is done properly.