In order to operate a cctv system in compliance with GDPR, businesses must satisfy six criteria, these are as follows:
- Why? – You must have a legitimate reason for operating a cctv system, eg; health and safety reasons, based on previous incidents, or as a theft prevention measure
- Where? – You must inform people of its existence. Signage should be clear, and visible. Information for persons wishing to submit a Subject Data Access Request or a simple query should also be included
- For How Long? – Retention periods for data gathered, should be clearly defined. Generally, this is 30 days. However in cases where a company has a legitimate reason, storing data for longer may be acceptable
- Who can view? – Anybody captured by your cctv system ,has a right to see the footage pertaining to them. However they do not have the right to see other individuals within the same footage, as this is the personal data of other persons.
- What about the authorities? – Businesses using cctv, are likely to be subject to a request from the Gardai for footage from time to time. However there must be a legitimate reason for the request, e.g it is part of an investigation
- Data Processor V Data Controller? – Under GDPR, the company reliant on the cctv is held as the data controller, and the data protection responsibilities lie with them. Any entity such as Komply, who process data on behalf of the company using the system, are viewed as a data processor. Processing, is defined as “ obtaining, recording or holding information or data”
Time is now truly of the essence in ensuring that your cctv system is operated in compliance with GDPR, and that all members of your team are aware of how to maintain this compliance. At Komp.ly, we are more than happy to offer any advice we can in this area. We are also on hand, to field queries on Processing SDARs, facial blurring, anonymisation and redaction of data. It’s not too late to get your house in order. Contact us if we can help: komp.ly/#contact