Summary

GDPR is a regulation that is already influencing how organizations handle data, including video data.

As a minimum, each organization that processes personal data needs one or more designated persons responsible for making sure that the organization handles personal data in line with GDPR and company policy (the number of man-hours allocated for this will depend on the size of the organization and the amount of personal data collected and processed). In addition, for some organizations, GDPR will require the appointment of a formal Data Protection Officer (DPO) to perform these tasks.

There will also be changes in the administrative process. Under GDPR, organizations need to keep a detailed and accurate Record of Data Processing Activities. For a sample template of a Record of processing activities, see the Milestone Record of processing activities template. There’s a range of details that must be recorded, including but not limited to:

  • What category of individuals the processed personal data relate to (for example, customers, employees, store visitors, and so forth)
  • For what purposes the personal data is used
  • Whether the personal data is going to be transferred to other companies and/or outside the EU
  • How long the personal data will be stored
  • Measures taken by the organization, in relation to each separate data processing activity, to ensure GDPR compliance

All of this is relevant when it comes to stored surveillance video, and is defined in the video surveillance policy (see Appendix: Video surveillance policy).

Organizations are obligated to explain why a video camera is in a particular place, what is being filmed and why. In the case of video surveillance, appropriate signage in and around the area under surveillance should provide this information.

The data controller may be obliged to carry out a Data Protection Impact Assessment (see Appendix: Data Protection Impact Assessment) when it comes to setting up a camera in a public place. An impact assessment should include:

  • A systematic description of the intended processing operations and processing purposes
  • An assessment of the necessity and proportionality of the processing operations in terms of purpose (This may require external assistance)
  • Risk assessment for individuals’ rights and freedoms
  • Planned measures to address these risks, including safeguards and mechanisms to ensure the protection of personal data and compliance with GDPR (this should consider the rights and legitimate interests of individuals and other affected persons)

One of the key features of the GDPR is that those who are being monitored need to be fully informed about what data is being held on them and how it’s being used. The right-of-information notice informs affected individuals of: the purpose of the surveillance, who keeps the data that is collected (data controller / data processor), and the retention policy. For a sample template of an on-the-spot notice, see the Milestone On-the-spot notice template.

Organizations storing video have clear responsibilities when it comes to storing personal data and must put into place robust measures to prevent unauthorized access. This means that it’s important to set out, in writing, who will have access to the cameras and recordings.

Organizations should also have a procedure in place for when an individual chooses to exercise their right of access to personal data or request its deletion. This is so that they can stay within the prescribed month-long window within which they must comply with these requests under GDPR. When making such a request, it is reasonable to expect the inquirer to provide adequate information to locate this data, for example an approximate time frame and the location where the video was captured. In addition, the subject should provide official identity papers proving who they are, and the organization should make a record of the recordings being shown or provided to the individual. Furthermore, other people in the video should be masked out, using third-party tools.

Organizations should use strong measures to prevent unauthorized access to the personal data that they are storing. The tactics used by each organization will be unique to the challenges they face. However, in all instances, organizations must employ robust security controls, stay up-to-date with cybersecurity best practices, and ensure that they are working with trusted partners who provide secure hardware, software, and thorough aftercare.

Personal data handling

When handling personal data, adhere to these principles:

  • Assess: Know what personal information you have in your files and on your computers.
  • Reduce: Keep only what you need for your business.
  • Protect: Protect the information that you keep.
  • Eliminate: Properly dispose of what you no longer need.
  • Respond: Immediately report all actual or suspected security breaches.

For more information

Milestone GDPR templates