CCTV and GDPR Compliance: What Organisations Need to Know
- Scott Naisbett

- Oct 4, 2019
- 3 min read
Updated: Mar 4

How to Ensure CCTV GDPR Compliance in Your Organisation
Organisations using video surveillance must ensure CCTV GDPR compliance by clearly explaining why footage is recorded and how it is stored.
Does Your Use of CCTV Comply with the GDPR?
You might be surprised to learn that CCTV footage is subject to the GDPR (General Data Protection Regulation).
The Regulation isn’t just about written details such as names and addresses; it applies to any information that can identify someone. This includes pictures and video recordings, which means organisations must carefully consider how CCTV systems are used and managed.
Below are some key steps organisations should follow to ensure their CCTV practices remain GDPR compliant.
1. Make Sure People Know They Are Being Recorded
Transparency is a core principle of the GDPR. Organisations must clearly inform people when their personal data is being collected so they have the opportunity to exercise their data subject rights.
These rights allow individuals to access the personal data organisations store about them and challenge how that information is used.
The most common way to notify individuals is through clear CCTV signage indicating that recording is taking place.
If CCTV is used to monitor employees, organisations should also explain this in their privacy notice or employee privacy policy.
2. Clearly State Why You Are Using CCTV
Under the GDPR, it is not enough to simply say that personal data is being collected. Organisations must also explain why the data is being processed.
This requirement relates to the lawful bases for processing under the GDPR.
There are six lawful bases in total, and depending on the situation, different ones may apply.
Examples include:
- Contractual necessity – for example, when monitoring is necessary to deliver a service.
- Legal obligation – when data processing is required by law.
- Vital interests – where processing protects someone’s life or physical safety.
- Public task – typically used by public authorities performing official duties.
- Legitimate interests – where a business has a genuine reason to process data, provided it does not override individuals’ rights and freedoms.
For example, signage might state:
“CCTV is in operation for the purpose of public safety.”
When employees are monitored, the lawful basis should also be explained within the organisation’s privacy policy.
3. Control Who Has Access to CCTV Footage
Monitoring practices can create additional risk if access to CCTV footage is not properly controlled.
The GDPR requires that personal information is only accessible to individuals who need it to perform their job role.
In most cases this will be:
- security personnel
- management staff
- authorised investigators where necessary
CCTV footage should also be stored securely.
For example:
- physical recordings should be kept in locked storage
- digital recordings should be protected using access controls
- encryption can be used to protect footage during transfer
This becomes particularly important when organisations receive Data Subject Access Requests (DSARs).
4. Delete Footage When It Is No Longer Necessary
Most organisations apply a retention period to CCTV footage because storing recordings indefinitely is impractical.
However, the GDPR requires organisations to be clear and systematic about how long recordings are retained.
Personal data must only be stored for as long as necessary for the purpose it was collected.
Organisations should therefore define and document their CCTV retention period and implement processes to ensure footage is deleted once that period expires.
In many cases, CCTV footage does not need to be kept longer than one or two weeks, although this depends on the organisation’s justification for recording.
5. Carry Out a Data Protection Impact Assessment (DPIA)
Before implementing CCTV monitoring, organisations should complete a Data Protection Impact Assessment (DPIA).
A DPIA helps organisations identify and minimise risks to individuals’ rights and freedoms that may arise from data processing activities.
The GDPR specifically highlights large-scale monitoring of public areas as a situation where a DPIA is required.
While it may appear to be an additional administrative step, a DPIA helps organisations:
- identify privacy risks
- justify CCTV use
- implement appropriate safeguards
The Penalties for Non-Compliance
The GDPR significantly increased the penalties for organisations that fail to protect personal data.
One of the first fines issued under the GDPR involved an Austrian retailer that installed surveillance cameras outside its premises without informing the public.
The organisation was fined €4,800 (approximately £4,250).
Although relatively small compared with maximum GDPR penalties, it demonstrates that regulators take improper CCTV use seriously.
Under the GDPR, fines can reach up to:
- €20 million, or
- 4% of annual global turnover,
whichever is higher.
Need Help with Data Protection or Information Security?
Ensuring that surveillance systems and other security controls comply with GDPR requirements can be challenging.
If you would like guidance on information security, privacy controls or ISO 27001 implementation, Keystone Standards can help.
You can discuss your requirements with Lead Implementer Scott Naisbett.