General Data Protection Regulation (GDPR) and how it impacts companies with CCTV on their premises

CCTV has long been a global favourite for protecting all types of premises, as businesses naturally want to safeguard their property, customers and employees. Cameras can be placed in as many different areas of the building as necessary and footage transmitted back to monitors elsewhere. This means less chance of burglary or vandalism (and a higher chance of catching the culprit if it does happen), as well as reducing insurance costs amongst many other things.


The subject of data protection and privacy is a hot topic in the media. Evolving legislation surrounding the location of CCTV cameras, as well as what the images can be used for, is not to be taken lightly. Up until now anyone and everyone could install a CCTV system without really thinking about the consequences – with the introduction of new General Data Protection Regulation (GDPR) this will all change.

After publication of the GDPR in the EU Official Journal in May 2016, it will come into force on 25th May 2018. The two year preparation period has given organisations time to prepare for the changes, which will take place regardless of Brexit.

The GDPR itself is Europe’s new framework for data protection laws, and it replaces the current Data Protection Act. It has been established that as technology has moved on massively in recent years, the current legislation is now out of date. The GDPR puts personal data control firmly in the hands of customers as well as harmonising data privacy laws across Europe.

In essence, GDPR is about adopting best practice around the handling, control and security of an organisation’s information. It is to update and enhance an organisation’s processes and improve the quality and integrity of data held. In addition, it encourages businesses to rethink why and how they capture personal data and to what ends.

What are the key actions to be taken?

It’s important to understand that just because a company is already highly compliant with the Data Protection Act, it doesn’t automatically mean it will comply with the new GDPR directive. There will still be changes required.

Broadly speaking, a business must:

  • Employ Data Protection Officers/Controllers – A senior member of staff should be designated a Data Protection Officer. This should be someone who takes responsibility for data protection compliance
  • Justify its CCTV – If an organisation is placing cameras around the perimeter of a site to detect intruders, it should be easy to justify this. However, if the main reason for installation is to monitor employees, then it is not straight forward as it’s potentially an invasion of privacy. If a business can prove that the cameras are there for Health & Safety reasons, particularly if there have been past issues, this may be acceptable.
  • Inform people – The purpose for the data being collected should be clear, especially if it’s not obvious. If it’s for employee monitoring or Health & Safety, this needs to be highlighted to anyone being captured by the cameras. Signs highlighting CCTV use and a contact number for anyone wishing to follow up is enough
  • Retain data – A Data Controller needs to have a very specific and valid reason for storing and retaining data. Retention is generally about 30 days. If a firm needs to retain CCTV data for longer, then a risk assessment should state how long and why. A modern CCTV system will allow you to set retention limits per camera
  • Satisfy personal data requests – GDPR dictates that anybody who is recorded on a CCTV system has the right to ask for a copy of their own personal data from the footage. This should then be supplied
  • Be able to redact images – If any other individuals are visible in the footage, there needs to a footage redaction service provided i.e. to blur out the faces of other individuals
  • Supply CCTV images to authorities – Relevant authorities such as the police may request footage and it should therefore be supplied
  • Ensure that any subcontractors follow procedure – A business will be open to data breaches if a third party can distribute, or remove, personal data in the form of CCTV images without following correct procedure. Under the GDPR, data breaches must be reported within 72 hours


Serious financial consequences are likely if non-compliance is determined. Any organisations which fail to meet the required standards can be landed with a fine of up to €20m or 4pc of global annual turnover, whichever is greater. Most notably, it doesn’t matter who is responsible for the breach – it will be the organisation itself that foots the bill and suffers any consequent reputational damage. This even applies if it’s not someone who is employed by the company, such as a malicious attacker or third party.

Starting this journey sooner rather than later will minimise the risk of a fine, bad publicity or even a legal process.

How does it affect CCTV customers with more than one premises?

Businesses working across multiple premises should make sure each one is well aware of the policies in place around CCTV. Every staff member in every premises must play their part and excellent communication is vital.

Each premises within the business is likely to be different in terms of size, CCTV camera locations and geographical location. Therefore, staff within each building need to consider how the individual premises will be compliant, because one size is unlikely to fit all.

Below are some key issues each premises must consider:

  • Examining what CCTV footage is already held (if any) – An information audit should be held for all staff across all departments. Each team should document what footage is held, where it came from and who it is shared it may have been shared with
  • Reviewing privacy – Current privacy guidance should be reviewed and a plan put in place for making any necessary changes in time for when GDPR comes into force
  • Access requests – Updating their procedures and planning how to handle requests from individuals to see any of the footage
  • Consent – Reviewing how they’re seeking, obtaining and recording consent and whether any changes should be made

In conclusion, it’s no longer acceptable to ‘not understand’ or ‘not be aware of’ the new GDPR legislation. Ignorance is likely to be very costly, in both finance and reputation. So whatever sector a business is in, they should start considering their next move now.