Data Protection - CCTV and the GDPR
GDPR is coming. And it will affect the convenience sector massively – mostly because we don’t really know what it is or how it affects us. The simple version is that if you hold, manage or use personal data in any way then you will have to make sure that your business is GDPR ready. But what does GDPR really mean? Essentially it means that you will have to know what personal data you use, know what lawful basis you have for using it, monitor and record where you store it, how you store it and who has access to it, as well as having a procedure and policy in place to report a data breach should one occur. You will be required, if asked, to prove how you have achieved all of the above (and this is the simple version!). Knowing that this will be a minefield for the convenience sector, we decided to consult with one of our new corporate members – GDPR Systems Ltd – and test one of their products designed to make GDPR life easier for the convenience sector.
Now, you may not know this, but CCTV images are classed as personal data – which means that any business that has CCTV must be able to do all of the above as well as have all of the relevant policies and procedures in place for their CCTV system. GDPR Systems Ltd has developed an online solution specifically designed to tackle the CCTV GDPR issue – and we decided to test it for you.
Essentially GDPR Systems’ CCTV GDPR product is designed with the small business in mind – for most of the convenience sector CCTV is one of the major forms of personal data (that isn’t employee related) that the sector uses and relies upon.
The first stage was to get registered – this is a painless process – simply give them some basic details and you will be sent a password (your email address is your login).
Go to the CCTV portal (you can access this from https://portal.cctvgdpr.co.uk/) and click on the ‘CCTV Portal Login’ at the top right-hand side.
Fill in your login and password details and you’re in!
The second stage is to fill out the relevant information. This is laid out in a logical order – company details first followed by personnel details – here you can choose the person responsible for the CCTV data in your control. Then onto ‘breachable asset’ details. ‘Breachable assets’ in this case are our CCTV cameras and storage devices.
Here you get to add in all of your equipment – there is a series of questions that you must answer which will determine whether the CCTV personal data that you have is sufficiently protected – none of them are difficult but in some instances you may need to contact your CCTV installer for the answers.
One of the crucial parts of this section is that you are asked to link the relevant personnel to the device – for instance the cleaner may have access to the back room where the storage device is located, so he/she will have physical access to the device but won’t have administrative access to it. This part, again, is simple – it is just a matter of ticking a box and the system makes the link.
Once we had filled out all of the details we could clearly see on the dashboard for both cameras and storage devices what was safe and what was not safe – this is shown by a simple red or green traffic light system – green for good and red for needs some attention.
Policies and procedures. The average convenience store won’t have any of these in place and this section of the site will be a welcome relief for those people worrying about how they get the right documents. All of the relevant information that we had previously put into the system has now automatically populated the documentation. All of the cameras and storage devices are listed and I now have all of the documentation I need to be ready for the GDPR. These include:
- Privacy impact assessment
- Data security breach management policy & procedure
- Consent policy
- Retention & destruction policy
- Personal data request policy/document
- Training record
- Non-disclosure agreement
- Transfer of data information sheet
GDPR Systems estimate that these policies alone would cost the average convenience store around £3,000 in legal fees to have drafted up!
The system exactly fits the company’s mission statement – ‘Making Complex Simple’.
Having had no experience of this kind of thing before, I found it really easy to fill out (even though I missed the duplicate button!). I am not technically minded so the risk was that this could have been too hard to fill out – I am pleased to say that it wasn’t – this bodes really well for convenience stores throughout Scotland and I would encourage all of them to invest in this system.
Don’t get me wrong – it doesn’t make your system safe – that is the owner’s responsibility. However, it does make crystal clear how safe your system is, where the weaknesses are and, more importantly, it allows you to actually demonstrate how you are ready for the GDPR should you be asked by the relevant authority (the Information Commissioner’s Office). The directors assure me that there will be more developments to the CCTV option over the coming months which will add value to each of their clients – at no extra cost. Perhaps the biggest value for the convenience sector will be the ease with which they can make their use of CCTV personal data GDPR ready – with the minimum of hassle.