GDPR Implications to Security Systems

With GDPR (General Data Protection Regulation) live as of 25th May 2018 we’re keen for our customers to understand some of the implications posed to their security systems.

Whilst the GDPR maintains the same basic principles as The Data Protection Act 1998, there are some important changes worth taking note of with regards to security systems and especially CCTV.

The focus of GDPR is to give greater power to individuals with respect to the processing of their data. This processing includes any action taken with the data including collection, storage and sharing to name a few. Along with this increase in consumer power, it will be required that the ways the changes to data usage are communicated are clear and concise for individuals.

For instance, an access control system will log and register where in the building a visitor is. This information may be sensitive if the nature of the establishment is in its own right sensitive, such as a hospital. By tracking where in the hospital a visitor is and not keeping that data secure you may unintentionally make that personally identifiable and linked to the sensitive nature of their visit.

Under the GDPR this would be considered a breach which would have to be reported to the ICO, Information Commissioners Office. This could result in a large fine to the offending company and under the GDPR the cost could be up to €20 million or 4% of global turnover.

When looking to fit a CCTV system it is important to consider whether or not it is the most appropriate option for your security and what the purpose of the CCTV is. Will it deter people from breaking in or damaging property? Or will it be used as a means of evidence damages more effectively?

Once the need for the system has been established it is important to focus on the implications of having the system fitted. Will it infringe on the rights of those who are being recorded by it? Who will have access to the recorded footage? How long will the recorded footage be stored for? These are the types of important considerations that must be made when looking into new security systems.

In 2017, a Scottish court made a judgement on the case Woolley & Woolley v Akbar and Akram where compensation was sort for the breach of Data Protection Act 1998 for the incorrect use of a domestic CCTV surveillance system.  In the case, the CCTV system had been positioned in such a way that it recorded the neighbour with both audio and video. Following multiple unsuccessful attempts by the neighbour to obtain copies of the recorded personal information the case was taken to court.

As the GDPR attempts to further protect and empower individual data rights, Woolley & Woolley v Akbar and Akram can be a good point of reference when making considerations about the necessity and extent of the CCTV system you are looking for.

We are able to offer advice on the type of impact our systems may have on your protection of individual privacy and data protection. However, it is important that you make decisions in these fields based on knowledge provided by a legal professional and potentially following the completion of a data privacy impact assessment or a GDPR impact assessment.


For further information on GDPR and on data rights please visit the links below

Posted in Blog, Uncategorized.