The Impact of GDPR on CCTV Systems in Ireland

The General Data Protection Regulation (GDPR) came into effect on the 25 May 2018. These regulations drastically changed the way organisations approach data and the capture and handling of CCTV footage. It is crucial for businesses of all sizes, especially those involved with CCTV in Ireland, to understand the regulatory requirements, and know what actions are needed to be prepared.

The GDPR regulation came into force on 25 May 2018. The penalties facing businesses for non-compliance are fines of up to €20 million or 4% of global annual turnover. The regulations apply to all companies worldwide that process personal data of European Union citizens. This is a particular consideration for businesses operating CCTV Monitoring in Ireland, given the regulations’ broad application.

Businesses need to be aware of the impact the new GDPR regulations will have on them, and this includes reviewing the use of CCTV in Ireland.

A recent survey carried out on behalf of the Department of the Taoiseach and the Government Data Forum revealed that 80% of individuals are more concerned about their online privacy now as compared to 5 years ago

Understanding GDPR Compliance for CCTV Monitoring in Ireland

Up until now, many organisations in Ireland would install CCTV in Ireland without fully considering the consequence of this action. Once you are collecting recognisable images from your CCTV system, you are then managing ‘personal data’. This means you are now acting as a Data Controller, and with this comes responsibility. A Data Controller must be able to justify the obtaining and use of personal data by means of a CCTV Monitoring system in Ireland.

6 Essential Steps for GDPR Compliance in CCTV Systems

 

1. Reason: Justification for CCTV in Ireland

Is your CCTV Monitoring system justified?

If you are placing cameras around the perimeter of your site to detect intruders, it should be easy to justify this. However, if you have installed a camera to monitor employees, then it becomes more complicated. This could be seen as an invasion of privacy. If you can prove that the cameras are there for Health & Safety reasons, highlighting incidences in the past, that may be acceptable.

When you are capturing images where someone would expect privacy, then you must justify the need. For instance, in rest areas or just on a public walkway – if there has been a significant level of security incidents, then this must be proven to allow for these cameras. This could apply to businesses operating CCTV Monitoring in Ireland, where public spaces may be monitored.

2. Informing Individuals about CCTV Presence in Ireland

You must inform people of CCTV in Ireland

The purpose for the data being collected should be clear. This is especially important if the purpose is not obvious. If it is for employee monitoring or health & safety, this needs to be highlighted to persons being captured by the cameras. A sign(s) highlighting CCTV use in Ireland use and contact number for anyone wishing to follow up is sufficient.

Netwatch can assist clients with signage design and templates. Contact Us

3. Data Retention and Justification for CCTV Monitoring in Ireland

A Data Controller needs to justify reasons for storing and retaining data from CCTV Monitoring in Ireland.

It is generally about 30 days’ retention. If you feel you need to retain CCTV data for longer, then your risk assessment should state how long and why. A modern CCTV system will allow you to set retention limits per camera.

When setting up your system, Netwatch will assist in ensuring that best practice in this area is achieved. Have questions? Get in touch

4. Access Requests and Personal Data Rights in CCTV Systems

Requests for personal data from CCTV in Ireland

GDPR states ‘Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage.’

So, anyone who is captured by your CCTV Monitoring cameras has the right to request that footage, it is seen as personal data. They must follow a procedure, but are perfectly within their rights. If any other individuals are visible in the footage, there needs to a footage redaction service provided i.e. blur out the faces of other individuals.

Netwatch can provide our clients with a footage request form template, and perform the redaction service on the footage. Find out more

5. Supplying CCTV Images to the Gardaí in Compliance with GDPR

Supply of CCTV images to the Gardaí

The Gardaí may request footage from you and you may supply this, but always ensure it is followed up by a written request on Garda headed paper. Gardai will often just want to view the footage on the premises of the Data Controller or Processor, this action would not raise any concern for data protection.

As with general public requests, Netwatch can provide clients with templates for footage request forms from the Gardaí for CCTV Monitoring systems in Ireland. Contact Us

6. Ensuring GDPR Compliance in CCTV Systems in Ireland

Responsibilities of security companies

Security companies act as Data Processors under GDPR. ‘Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.’
Ensure that any subcontractors working on your behalf, e.g. Security companies or CCTV Engineers, follow this procedure when dealing with CCTV in Ireland. You will be open to data breaches if a third party can distribute, or remove, personal data in the form of CCTV images without following the above procedures.

A reputable security service provider, especially in the context of CCTV in Ireland, will automatically adhere to all GDPR regulations. Ask the system provider for their policies in relation to GDPR. Find out more about Netwatch

Looking Ahead: Security Arrangements and GDPR Compliance in Ireland

Taking the above into consideration, many companies need to look at their security arrangements and ensure there are no likely breaches of regulations. An innocent oversight could result in a hefty penalty for your business. It is no longer acceptable to ‘not understand’ or ‘not be aware of’ the laws associated with CCTV systems in Ireland. While it is quick and easy to purchase and install your own passive CCTV system, without the input of professional security service providers, like those providing CCTV Monitoring in Ireland, you may leave yourself open to prosecution and fines.

The Netwatch team are very clear on the necessary requirements under the new GDPR and will assist all clients in adhering to these regulations. If you have any doubts over your CCTV system in Ireland and would like to discuss how Netwatch can help you meet your requirements under the GDPR legislation, contact a member of the Netwatch team.

Useful Links

Data Protection Commissioner – GDPR & You

Irish Government News Service – New data protection responsibilities

The EU General Data Protection Regulation – FAQ

PDF version of the General Data Protection Regulation (GDPR)

Consumer Data Protection – Enterprise service to control personal data