The following article gives a guide to how CCTV owners and CCTV installation companies can be GDPR compliant, including explaining what GDPR is in relation to CCTV, along with practical steps to get GDPR compliant.

What is GDPR, and how does it affect CCTV?

GDPR stands for the "The European Union’s General Data Protection Regulation" and came into force on 25 May 2018.  The General Data Protection Regulation (GDPR) is an EU regulation to protect the personal data of individuals.

The GDPR requires technical and organisational security measures to ensure a level of security appropriate to the risk.

The GDPR applies to: (i) all organizations established in the EEA/UK and (ii) organizations outside the EEA/UK processing personal data, if this relates to the offering of goods / services to, or the monitoring of, individuals in the EEA/UK;

It affects CCTV as the processing and storing of video data is covered by GDPR as images of persons are considered to be personal data.

Image data must be stored in a lawful, fair and transparent manner. The data must only be stored for as long as needed for a justifiable purpose.

A CCTV system must store images in a manner that is only accessible by persons who are authorised to access and must also only record persons that it is reasonable to do so.

Read the full GDPR document here

And read additional GDPR guides on the ICO website and at IPVM.

Everything you need to know about AI CCTV in one place ;-) This is where our team share their knowledge about various aspects of AI CCTV - from how AI works to what kinds of signage you need to display . . .

​​​CCTV & GDPR - a guide to CCTV and GDPR law & how to be compliant

​​What practical steps does an owner of a CCTV system need to do to be GDPR compliant?

To address when GDPR applies we must consider different types of property (e.g. commercial or domestic) and different scenarios for the usage of CCTV. Firstly some general points for all instances that GDPR applies to CCTV.

When GDPR is applicable for CCTV then the following steps must be complied with:

Data controller: The person who has CCTV is classed as the "data controller" who are responsible for making sure only persons who it is reasonable to have access to the data have access.

Security set-up: Make sure access to the system is only possible in a secure manner and by appropriate persons passwords they set onto a system are complex so they cannot easily be guessed.

Easy access to footage: Make footage available of persons if they request to see the images that have been stored of them by your system through a "Subject Access Request". The person who has the recordings has 1 month to respond to this request.

Footage deletion: If requested to delete footage of a person then this should be done unless unpractical to do so or this footage is required for a legitimate reason (i.e. a burglar cannot require you to remove footage of them breaking into your property).

Footage storage: Footage must only be stored for "as long as needed". There is no specific time scale for this within the guidance so it is up to the person or company to have a policy to cover this.

CCTV & GDPR in a domestic property

If CCTV which has been installed only records your private domestic property then the data protection laws do not apply. "Private domestic property" is defined as being up to the boundary of the property (including the garden).

If a CCTV records into a neighbour's property or onto public property then the data protection laws and GDPR do apply to the CCTV system. In addition to the general points above, anybody who is subject to the GDPR then the following needs to be implemented/thought about:

It is recommended to discuss with neighbours about CCTV before it is installed. It may also be useful to have neighbours see what the cameras are capturing to reassure them about what is in place.

Is it reasonable for the system to be recording beyond the borders of the property? i.e. is there a legitimate

It is not necessary for a domestic property to be registered with the ICO or pay a fee (this previously was the case). Records must be kept to say why the CCTV is in place, how images are being captured and how long the images are stored for.

Full/further details are available by following the link below from the Information Commissioner's Office (ICO) who are "The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."

CCTV & GDPR in a commercial property

If a commercial property is using CCTV then they must be registered with Information Commissioner's Office (ICO) unless they are exempt (most commercial premises will not be exempt).

In order for a commercial property to assess if they must register and pay for a licence from the ICO then the Self assessment available below must be used.

What does a CCTV installation company need to do to be GDPR compliant?

A CCTV installation company must inform all customers upon install to be aware of their obligations under GDPR if appropriate. If there is any doubt about what is needed to be done by the customer then they must be referred to the appropriate links below for more guidance.

A CCTV installation company is referred to as a "data processor" within GDPR.

Make sure all signage and other material supplied is appropriate to conform to the guidance.

Make sure all CCTV units are supplied with a secure password and this is only given to appropriate persons within the property/business.

Make sure all data stored on customers including CCTV connection details is only stored where necessary and for appropriate usage in a secure manner so it cannot be accessed by unauthorised persons.

Make sure the Data controller is aware of and authorises the use of a separate monitoring company if this is appropriate as they are classed as a separate "Data Processor".

Above was written based on previous links and below:

What does a CCTV monitoring company need to do to be GDPR compliant?

The actions required by a CCTV monitoring company are very similar to an installer as they are a "Data Processor".

All data must be processed in accordance to the rules of GDPR.

As they act as a "Data Processor" and if a separate company to the installer then separate authorisation from the "Data Controller" (place/company who have the CCTV installed) is needed to be allowed access.