GDPR: Is your security provider compliant?

One of the biggest shake-ups to ever happen to data protection laws came into force on 25 May 2018, and has implications for any business that operates within the EU.

GDPR - which stands for General Data Protection Regulation - will replace the 1995 EU Data Protection Directive and 1998 Data Protection Act. Organisations who are already across these existing data protection laws, will be well on their way to compliance, however there are some important enhancements.

In a nutshell, the new legislation is designed to offer greater rights and protections for EU citizens, with regards to their personal data. For businesses, the regulation has implications for every area of operations, from HR to accounting and marketing.

The financial penalties for non-compliance can be severe, so it’s vital that businesses are not only taking steps to ensure they are compliant, but are also checking that any suppliers they work with are too – including physical security provision.

So, how does GDPR affect security companies and their services? And what are the key questions you need to be asking your provider?

What does GDPR cover?

*Before we start, a quick disclaimer - GDPR is a complex area of legislation and the information included here should in no way be taken as legal advice. If in doubt, always seek the advice of an experienced legal team, to ensure you’ve got everything covered.

GDPR relates to the personal data of EU citizens, which it classes as anything that can directly or indirectly identify an individual. For example, name, email address (including business emails), images and IP address.

The new regulation is similar to existing data protection laws, but takes everything up to a whole new level. It applies to any company which processes this data (collects it, stores it and uses it in any way), whether they themselves are based in the EU or not.

The key security functions affected by GDPR, are:

• CCTV
• Premises entry/exit logs

CCTV and data protection rules

CCTV is a popular security deterrent, used broadly by businesses of all shapes and sizes.  For anyone using CCTV, it is essential that any such system is being used responsibly and with proper safeguards in place.

Organisations should already be complying with the Data Protection Act 1998 and with the arrival of GDPR, the rules become even stricter.

Most surveillance systems are used to monitor or record the activities of individuals. As such, they are classed as processing individuals’ information - their personal data. This means they will be covered by GDPR, whether it’s a large corporation monitoring staff and visitors gaining entry to the premises, or a small business using CCTV for prevent crime purposes.

All types of filming are covered, including:

• Automatic Number Plate Recognition (ANPR);
• Body Worn Video (BWV);
• Unmanned Aerial Systems (UAS)
• Any other type of system that captures information that can be used to identify individuals

Can you justify using CCTV?

If you are already using a surveillance system, you need to regularly evaluate whether it is necessary and proportionate to continue using it. You need reliable evidence that shows that the surveillance system is justified and proportionate for the need it is designed to meet.

You need to undertake a Privacy Impact Assessment to justify the processing of the personal data and to confirm that you are not excessively reducing the privacy of data subjects.

It’s worth mentioning here that there are circumstances where the use of CCTV will be deemed to be lawful, such as when it is protecting the vital interests of data subjects, or carried out in the interests of the public. An example here would be body worn cameras used by police officers. While these lawful justifications most obviously lend themselves to local authorities and the emergency services, they are not just solely reserved for the public sector.

How is the data being processed?

You need to establish a clear basis for the processing of any personal data that is collected from your surveillance systems. Making sure you have clear documentation and up to date privacy policies is key.

As part of your GDPR compliance, you should already be looking at all the data you currently hold, when and how it was obtained, and what the legal basis for processing it is. In relation to CCTV, you need to outline the process from start to finish.

Define issues such as:

• What data are you collecting?
• How are you collecting it?
• Why and what is the legal reason for doing so?
• For how long will it be kept?
• Who will have access to it?
• How will it be stored and kept secure?
• How will you deal with any requests from individuals or the police in connection with the data?

 Under GDPR, you can only keep data for as long as is reasonable to do so. There is no set deadline for deletion, but you need to consider what would be most appropriate.

Individuals’ rights

 A key part of GDPR is a strengthening of the rights of the individual.

They now have the right to be informed about how and why their data is being processed. When using CCTV, one way to do this is to ensure it is communicated via appropriate signage, which should indicate the areas covered and pointing people in the direction of further information.

They also have the right to ask what information you hold about them and the right to be forgotten. So, you need a process in place for dealing with such requests, as you’ll only have 40 calendar days to do so. In the case of providing law enforcement with copies, again, you need to map out your process and who will be responsible.

One issue to bear in mind with requests to view CCTV, is that you must always ensure the rights and privacy of other individuals is protected. For example, you may need to blur out other faces. In most cases, you won’t be able to charge for handing such requests.

Data security

Security of personal data is another hot topic that needs to be taken into consideration. Think where it may be appropriate to use encryption or automated privacy tools. For example, video redaction that blurs out people’s faces unless there is a legitimate reason to reveal their identity.

Also consider the physical location of any screens that may be used to play live or recorded footage. They should only ever be viewed by authorised individuals and not members of the public who may happen to stray past.

Handling a data breach

If a data breach does happen, then you need to have a plan for how you will deal with it. GDPR specifies that you must inform the supervisor authority (in the UK, this is the ICO) within 72 hours of becoming aware of a breach.

 If a breach is likely to result in an adverse effect on individuals’ rights and freedoms, then you must also inform those individuals without delay.

You will need to document: how you will recognise a personal data breach, what steps you will take in response to any such breach and who will be responsible for doing it.

Team members need to be very clear on this and all other processes involving personal data, so they understand what their individual responsibilities are and how the new legislation affects their day-to-day job.

Entry and exit logs

Another area which needs to be considered is any personal data collected by security teams, as part of site entry and exit logs. For example, visitor sign in books, which will gather personal information about visitors coming to the premises.

You need a robust data management system, to ensure such data is handled in a GDPR-compliant way. For example, if you use a paper-based system, can visitors see the information of others? What happens to the entries? How long are they kept? Who has access to them? How are they secured? The same questions apply for digital logs.

What to ask your security provider

The main thing to remember is that for any data you make decisions over – such as CCTV, where it will be used, when and how – that makes you the ‘data controller’ in the eyes of GDPR and therefore legal responsibility falls on your shoulders.

We recommend you speak to your current security provider, as part of your GDPR planning, to check they are aware of the new regulation and up to speed on compliance.

You may wish to ask:

• Are they aware of GDPR?
• What action have they taken?
• What training are team members being given on data protection, and how often?
• Are they happy to sign something to confirm they are GDPR compliant?

For more information about GDPR compliance, the ICO website is packed with information: Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now

For an informal chat about your physical security requirements, call the Venture Security team on 01264 391538, or browse our full range of commercial security services.