Under the General Data Protection Regulation (GDPR), personal data refers to anything that can identify an individual, including CCTV footage. Footage can be used as surveillance to deter or identify intruders and, if so, must be available to the police as required. It must be stored securely and encrypted wherever possible.
GDPR is a new European regulation governing data protection, but the UK is introducing a very similar piece of legislation which will apply after Brexit. Personal data includes CCTV footage, email marketing, social media posts, names including newsletter recipients, European cloud storage, IP addresses for websites, as well as data already in scope under existing data protection law. GDPR is overseen by the Information Commissioner’s Office (ICO).
It allows individuals to request a copy of any CCTV footage where they are clearly identifiable. If the request is valid, the organisation must show the footage to the individual within 30 days. GDPR will take effect in just over three months’ time, on 25 May 2018, and businesses need to be ready. It is very important that organisations get the use of data right, because they can face fines of up to 20 million euros or 4% of global turnover if they get it wrong. GDPR is overseen by the Information Commissioner’s Office (ICO), which sets the fines.
Individuals must give active consent, that is, consent that is ‘freely given, specific, informed and unambiguous’, so implied consent will no longer be sufficient. Organisations must make CCTV cameras very obvious and may need to obtain further explicit consent from individuals to record them.