From the 25th May 2018 the CCTV industry will have to change.
CCTV data under the new General Data Protection Regulation (GDPR) will require the same respect and process as ‘traditional’ personal data such as a person’s credit card details, name, address and date of birth.
And ‘accountability’ for securing that data rests with the end user.
For the industry, this marks an important milestone in the ‘convergence’ of cyber security and data protection.
The General Data Protection Regulation (GDPR) is EU-wide legislation (not affected by Brexit, and adopted wholesale by the UK government) that comes into force next year. It is the natural evolution of the Data Protection Act (DPA), which was born in a world where the term ‘cyber security’ didn’t exist!
The GDPR carries many of the same principles as its predecessor – a person’s right to have their personal data protected – but it defines the responsibilities of those handling and using the data in much more detail.
The DPA was to some degree a tick-box exercise – it was easy for businesses to categorise themselves and declare that they understood and abided by the rules without having to think about it too much.
The GDPR changes all of that.
GDPR is not something that you can become ‘compliant’ with. It is a set of regulatory principles that require companies that hold and use data to understand, manage and above all protect that data to the best possible standard – there is no set of standards to which any company can pin a badge and say ‘I’m now GDPR compliant’!
There are 5 categories of data that the Information Commissioner’s Office (ICO) lists as the main types to be considered.
These are:
Information Security
Direct Marketing
Records Management
Data Sharing and Subject Access
CCTV
If you ask most people on the street (and I have done this!) for examples of what they consider to be personal data, then the answers include things like ‘bank details’, ‘addresses’, ‘names’, ‘medical records’, ‘email addresses’, ‘store cards’ and so on.
Not once has anybody mentioned moving or still images.
Yet images are the very thing on which the CCTV industry is built – clear, accurate images, with every company trying to be the best.
So what are the key elements of the GDPR?
Fundamentally this can be narrowed down to one word.
Accountability.
Companies that have CCTV systems installed in their premises will be required by law to prove that they have taken all reasonable steps to protect the data they hold – whether they be a single owner corner shop or a multi-national chain.
Clearly, at the moment this doesn’t happen. We’ve all seen the funny videos on YouTube of the inept burglar bumping into a lamp post after breaking into a premises, and often these videos show other people in the frame, as well as other types of personal data. This can no longer continue: putting other people’s personal data (their images) ‘out there’ is proof in itself that the data is not being kept safe and secure.
So what does this mean for business owners who use CCTV systems?
Often a company’s CCTV system is standalone – that is, it is not linked to their email database, their marketing activity, their POS data or any other personal data that the company may hold. For this reason companies now need to look at their methods of data collection: why they have chosen CCTV as a method of data collection, what they plan to do with the data, who is responsible for the data, how securely the data is captured, how long they plan to keep the data and how securely the data is stored.
On the face of it most companies will have answers to these questions. However, the accountability required under GDPR means that every company will need a way of proving that they have policies and documented procedures in place, as well as monitoring and recording systems covering all aspects of the data’s security, so that in the event of a breach or suspected breach they can provide the required information to the ICO upon request.
This will have an impact on every business that uses a CCTV system. Consideration needs to be given to whether they actually need CCTV in the first place, what systems they have in place to document each process and develop relevant policies, and how they will deal with subject access requests, deletion requests and the right to be forgotten.
In addition it will be incumbent on every business to educate their workforce as to the changes that GDPR will enforce on their business as well as potentially re-defining job roles or creating new ones.
Whilst the liability and responsibility for the safety and security of their data (which also includes the physical element not just the digital element) rests firmly on the shoulders of the end user, the CCTV industry also has a responsibility to both educate and work to develop data safety and security.
Manufacturers will have a responsibility to provide clear instructions on how to protect the data their equipment captures. Encryption must become the norm, and they will have to lead by example.
Integrators and installers will have an obligation to explain this to their clients in more detail, but they themselves will need to be educated in order to convey the message clearly.
End users must make sure that they understand and can manage their CCTV system appropriately – ignorance or lack of knowledge is no longer a reason for failure of data security.
The CCTV industry bodies must also take the lead in educating those in the industry – this isn’t going away and with the potential penalty of a 20 million Euro fine, the ramifications will become severe.
We all know that the security industry can sometimes be guilty of falling behind other industries when it comes to technology, implementation and its general attitude towards fast progress. Whilst many of the conversations about cyber security now taking place are exciting, innovative and massively advantageous to the end user, we must position them against the backdrop of data protection and specifically the GDPR; otherwise the industry may have some serious questions to answer, as well as a few multi-million Euro fines.