Eyes everywhere – GDPR & CCTV one year on – are you compliant?
The new General Data Protection Regulation (GDPR) came into effect in May 2018. One year on, however, many organisations are simply not complying and nowhere is this more obvious than in relation to GDPR for CCTV systems.
CCTV has become part of the modern British landscape. The camera images protect businesses and homes while providing police forces and security organisations with a vital tool for both deterring and solving crime. Given the increasing focus on terrorism, especially in high profile buildings, travel hubs or many other potential targets, and the development of more refined technology, one wonders just how many cameras there are watching us anywhere and everywhere?
Millions of cameras in the UK
Six years ago, the British Security Industry Association (BSIA) estimated there were nearly 6m closed-circuit television cameras in the country. Many people dispute this figure and other research suggests it is more like 1.85m, but of course it is virtually impossible to clarify the figures with any degree of accuracy without checking every single property and street nationwide.
As far as London is concerned, an estimated 500,000 CCTV surveillance cameras operate in and around the capital and the London Underground Network has close to 15,600 CCTV operating cameras alone.
Whichever figure is nearer the truth, that is still a lot of cameras.
Understandably, this prevalence has also generated significant debate about balancing the use of surveillance with individuals’ right to privacy. However, across the UK and EU there are now stringent Regulations (GDPR) which cover of the use of CCTV, but just how good are organisations at complying with GDPR for CCTV systems?
GDPR and CCTV compliance failures
A recent investigation by my organisation revealed shocking levels of non-compliance with GDPR, especially where the use of CCTV was concerned. The reasons for this worrying discovery were multiple but mainly because the management responsible hadn’t bothered to read all the Regulations in enough detail, don’t think they apply to them, are too lazy to comply with them all or simply don’t understand them.
Since our streets and buildings bristle with CCTV everywhere, inside and outside, recording details and images of our comings and goings (it is believed the average Briton is captured on CCTV around 70 times per day), facilities, building and security managers or property owners obviously need to check their compliance with Regulations is up to scratch before someone complains and they face a hefty fine. And it WILL happen. Google has recently been fined €50m in France for data breaches, but the UK regulators are investigating much smaller cases as you read this, since they know our compliance here is frequently not up to standard.
GDPR advisory signage
Even though we accept we are on CCTV somewhere, when you are out and about yourself, do you really see or notice advisory signs about it, as much as you should? Which is what the Regulations order. And have you any idea where all these images are stored, or if they’re deleted after a short time, or perhaps shared with other unknown parties? Who really knows where you are going or what you are doing?
The answer is probably not. In my considered opinion the whole point of CCTV is security, and its deterrent factor in part, as well as recording the criminal activity to assist law enforcement bodies in detecting the perpetrators. Therefore, in the case of straightforward crime prevention, if trespassers or criminals don’t even realise they’re on camera, as is often the case due to signage failures, what sort of useless deterrent is that?
And, just how good are the images the cameras are supplying? If they’re grainy or blurred due to old or faulty equipment, that doesn’t help anyone except the trespassers or criminals.
Finally, don’t these companies or organisations, even public sector ones, realise they’re not complying with the GDP Regulations and can be penalised because of it? Sometimes to the tune of many thousands of pounds?
Key areas of non-compliance
One year on from the introduction of the new GDPR, the following are some of the key failures for GDPR and CCTV that came to light in our investigation of our nationwide client and contact database: In no particular order:
- Failure to fit appropriate signage or keep the information on it accurate
- Failure to carry out a GDPR risk assessment prior to CCTV deployment
- Leaving DVRs (digital video recorders) unlocked or unsecured so anyone, not just designated security personnel, has access to footage
- Failure to ensure the lenses of CCTV cameras are not appropriately directed or they’re masked so that inappropriate footage is not recorded, and, if the data is shared with other parties, for example to monitor specific individuals, then innocent people are blurred out, something easily managed with the right software
- Having CCTV monitors viewable by the public
- Failure to have trained staff to monitor the CCTV
- Leaving passwords and usernames as default settings or noted next to the equipment
- If the images are to be shared with other organisations, eg the police, TfL, or other security service providers, failure to manage this appropriately to conform to Regulations
Examples of non-compliance
This is an example of what was found on one site recently:
- DVR on reception desk with monitor on top, no one at reception – someone leaned over the desk top to look at the monitor to see if their taxi was at the front door!
- Username and password on a sticker attached to the monitor
- We walked outside to find all of the CCTV signage was so worn and old that the contact details had faded away and were illegible
In a second example, there was a case of the settings on the equipment not being right specifically, the date and time were incorrect and two systems on the same site had times set 17 seconds apart.
That might sound petty but there was a break- in and when the intruder was arrested police showed the CCTV footage in court and the defence barrister asked for all cameras to be played simultaneously.
As the intruder was seen on two systems at the same time (due to timer not being synced) the barrister said the evidence was inadmissible as it was clearly inaccurate since how could the intruder be in two places at once?
Case dismissed due to lack of evidence!
Don’t risk a fine
A new IT Governance report at the end of 2018 claimed only 29% of organisations were fully compliant with GDPR. Even though their client base is global, and not just UK and European, it is food for thought and a further evidence of the situation I have highlighted.
Don’t be one of the 60% and risk a fine. Take my advice and check your compliance and systems now.
UK CCTV Manager,