Complying with GDPR
The GDPR regulation will come into force on 25th May 2018. The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union. The GDPR aims primarily to give control back to citizens and residents over their personal data.
Sharp Group Fire & Security Services has compiled the following points to assist in ensuring your business has guidelines to meet the new GDPR Regulations.
Reason for CCTV Recording on site
All businesses will need to put a risk assessment in place to state the purpose of any CCTV Cameras on site, for example if you are placing cameras around the perimeter of your site to detect intruders, this will need to be recorded in your risk assessment. If you have installed a camera to monitor employees, you must prove that the cameras are there for health and safety reasons, highlighting incidences in the past, which may be acceptable for the installation of the Cameras.
The Right to be Informed
Signage must be visible to all persons on site stating that CCTV Cameras are in place. It should also state the purpose for the data being collected. It should also detail a contact number for anyone who requires additional details. If it is for employee monitoring or health and safety, this needs to be highlighted to persons being captured by the cameras.
Any Data Collected will be retained on site for typically 30 days. If a longer period is required a further risk assessment should be carried out stating the reason for holding the data and the time frame for the retention. When setting up your system Sharp Group will assist in ensuring that best practice in this area is achieved.
Request for Personal Data
Anyone who has been captured on CCTV Footage has the right to request their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested. If other individuals are visible in the footage, footage redaction service should be provided i.e blur out the faces of other individuals.
The Gardaí may request footage from you by a written request on Gardaí headed paper. Gardaí will often just want to view the footage on the premises of the Data Controller or Processor, this action would not raise any concern for data protection.
Security companies act as Data Processors under GDPR. “Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.” Any subcontractors working on your behalf, e.g Security companies or CCTV Engineers must follow this procedure.
All companies will be required to review their security arrangements and ensure there are no likely breaches of regulations. It is no longer acceptable to “not understand” or “not be aware of” the laws associated with CCTV systems. While it is quick and easy to purchase and install your own passive CCTV system, without the input of professional security service providers you may leave yourself open to prosecution and fines. For more information please follow the below link to the guidelines of the General Data Protection Regulations.