GDPR, CCTV and convenience stores


GDPR is a new regulatory framework which is due to come into effect on 25th May 2018. It will standardise and make businesses accountable for the personal information they hold of people within the European Union – this includes the UK, regardless of Brexit.

CCTV images and audio are seen as personal data and under the new regulations will need to be taken much more seriously when it comes to data protection.

CCTV has long been the weapon of choice in the fight against crime for convenience stores. Intelligent store layout and shrewd placement of cameras is a proven strategy, particularly at entrances, exits and till points.

Convenience stores will have many unique challenges, and will face a very specific and diverse set of issues on a daily basis. Cameras will be used for everything from monitoring age restricted sales to self-service tills to anti-social behaviour.

In addition, many stores have extra cameras in areas such as stock rooms and staff areas, to help deter any internal theft. Staff theft can take many forms such as price overrides, taking cash from the till, double ordering or fraudulent refunds. Aiming to prevent these types of theft is a justification for a CCTV system, particularly if it’s something that’s happened before.

In terms of customer theft, certain higher value items like meat and alcohol may also require CCTV surveillance and again this is acceptable under the new directive. However, once GDPR comes into force, camera location and purpose will need to be scrutinised and documented in more detail than before and the purpose of each camera should be very clear. Staff must also be fully informed and trained on all policies and procedures that the company has in place regarding the store’s use of CCTV.

Fines for a lack of adherence to the GDPR can top 4% of annual turnover – a massive deal for a small convenience shop.

Whilst some smaller convenience store groups and individual stores may be exempt from certain aspects of the GDPR, all convenience stores will be faced with other issues such as, for example, if a child is caught stealing from the shop the owner may see this as a personal grievance and wish to show the CCTV evidence to the child’s parents. Under the new legislation however, this could cause issues with privacy and a small business owner should be cautious. Additionally, convenience stores are often located in built up areas or housing estates and privacy of local residents is vital. Store owners should be certain that any external CCTV cameras do not inadvertently ‘look’ into people’s gardens or private property.

What do convenience stores need to do?

There are many ways in which to get lost in the GDPR, however there are some core elements which need to be actioned.

Each store should;

  • Conduct privacy impact assessments
  • Register with the ICO
  • Have in place policies and procedures relating to
  • Good governance in the use of CCTV systems
  • Personal data requests
  • Staff training
  • Retention policies
  • Data deletion policies
  • Data security measures
  • Lawful basis for data processing

In addition to all of the above, relevant personnel should be identified and all actions should be logged.

As the cornerstone of many communities, the local convenience store is often a hub of local activity – both positive and negative, and so owners deserve the right to protect their property, their staff and their customers. CCTV represents a very effective way of doing this  – and it whilst it may be daunting and time consuming for many owners to ‘get up to speed’ with the GDPR, the benefits will far outweigh the consequences if it is done properly.