Video surveillance is a great way to enhance the security of your business. It not only lets you keep a watchful eye on your premises, but also acts as a visual deterrent to potential intruders.

For small business owners, a burglary can have a substantial financial (as well as emotional) impact. SMEs must be vigilant not only in arming their premises, but also in the way in which they handle the security process.

The words General Data Protection Regulation (GDPR) are ingrained on the minds of businesses and consumers alike. After four years of EU-led negotiation, May 2018 saw an international rollout to bring European data regulation into line with the new ways in which data is used, introducing tougher penalties for those that breach these regulations.

But how much is known about GDPR’s impact on more physical security practices, such as the way that CCTV footage is captured and handled?

Your obligations to employees

GDPR-compliant products currently do not exist, which makes human awareness of legislation even more important.

The UK is often cited as being one of the most surveilled nations globally, with up to 5.9 million CCTV cameras in operation in 2015. Businesses from small convenience stores to large office buildings have surveillance systems in place, whether it be for security, monitoring or health and safety purposes. While the use of cameras on business premises naturally deters burglars, owners and senior personnel must remain vigilant as even employees have a right to privacy.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Recent legislation means that business owners are not only obliged to disclose that cameras are in use, they also now need a valid reason to install CCTV systems in the first place – this could be to protect assets, to gain a clearer understanding about employee wellbeing, or to capture footage of potential incidents.

Businesses using closed-circuit surveillance must appropriately communicate to employees the legal basis for using it, and camera positioning must be both reasonable and proportionate. Employees themselves are able to protest against use of CCTV in a certain area.

Clearly displayed signs (usually with a contact number) on your business’ premises should be present to inform people they are being recorded.

Your obligations to members of the public

GDPR also creates an obligation from businesses to members of the public, who are able to request that images of themselves captured on a firm’s CCTV system are shared with them. Businesses must provide this footage to those who ask for it within 30 days.

Should there be a significant number of requests, fulfilling these would be manual and a significant drain on resources, as other people’s identities must be blurred out (something that would usually have to be done on a frame by frame basis). However, there are firms that are developing software that automatically does this for a business, which is something that those with CCTV systems should consider.

Storing footage the right way

Retention of video captured by CCTV cannot be indefinite. Thirty days is not uncommon, but if footage needs to be kept longer, GDPR legislation states that a risk assessment must be carried out to document the reasons why. For instance, a retailer would have no reason to keep CCTV footage for six months, as any crimes would have been reported and footage reviewed in that time.

Should footage need to be reviewed by the emergency services, this is usually onsite, so would not be deemed as a data leak, especially if the footage is encrypted.

It is obligatory for businesses that use cloud recording services and storage to know the exact location where their footage is being processed and stored. Data is rarely stored where the cloud provider is based, thus the data can be moved around between a supplier’s data centres – effectively meaning it could end up anywhere in the world.

Protecting your business

Thus far, regulators have made an example of companies such as Google, handing out record fines for GDPR breaches, but small businesses should by no means think that they are off the hook; regulators have shown that they aim to take breaches seriously, so a crackdown at some point in the future is inevitable.

To comply with GDPR laws, businesses should only collect and retain necessary data, as well as confirm what data processing is being conducted. Businesses must also ensure that they own the information, and that it isn’t shared with third parties. Having your CCTV systems installed by security experts will ensure nothing goes amiss.

Guidance from experts (such as the firm that installs your CCTV) is available, but I must emphasise that this is all it is – guidance. The onus to ensure that this data is protected is very much on the business owner, not the supplier of the CCTV system.

Ensuring your business complies

The obligations that GDPR legislation creates for businesses can often seem both daunting and vast, but providing that business owners and senior team members know the law, there’s nothing for them to worry about.

Training on GDPR compliance is something that all small businesses should strongly consider – there will be wider laws on data protection that businesses simply won’t know about. In the interim, in terms of CCTV and GDPR compliance, business leaders need to ask themselves the following questions:

• Is your CCTV system infringing on your employees’ privacy? Have you displayed a notice to let them know they are being filmed?
• If filming employees, do you have a valid reason for having a CCTV system?
• How long are you storing footage for and why? For the latter, have you carried out a risk assessment to ascertain and document these reasons?
• Where is your data (footage) being stored? Are you confident it isn’t being shared with third parties?
• If there’s a breach, what’s your plan?

As a starting point, the above questions will do, but in the long term, training from a reputable supplier needs to be given to senior team members.

In this digital era, there are many different factors to consider when installing a CCTV system, but it is undoubtedly something that small businesses cannot do without. However, grasping the law, as well as the obligations of your business to members of the public and your staff, is something that you as business leader need to do as soon as possible.

Read more: SMEs remain largely clueless about GDPR – and the impact could be devastating

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up