GDPR & workplace CCTV: What do employers need to know?

The UK General Data Protection Regulation (GDPR) rules don't stop at written data; they also extend to video surveillance. This means that if your cameras pick up identifiable faces, you've got to follow the UK GDPR guidelines. Otherwise, you could face hefty fines for mishandling personal information.

Find out how to make sure your CCTV system follows the UK GDPR rules, and learn about the risks involved in setting up CCTV monitoring at your workplace.

What is GDPR-compliant CCTV?

GDPR compliance in CCTV is the process of ensuring that your CCTV system complies with the UK GDPR. According to the UK GDPR, organisations need to be upfront about handling personal data and get permission from users before gathering their personal info. To comply with UK GDPR, you must also make sure your CCTV system meets these basic requirements:

1. Have a clear purpose statement

Your CCTV system must have a clear purpose statement describing why the organisation is using it (e.g., for safety and security purposes).

2. Retrieve footage only if there’s suspicion

Footage from cameras should be retrieved only if there’s suspicion that an individual may have committed an offence (for example, if it matches existing video footage from other sources).

3. Store footage securely

Any footage collected must be stored securely, so that unauthorised individuals or third parties cannot access it without the consent of the individuals featured (for example, by protecting it with a password or biometric identifier).
Why might workplace CCTV monitoring be useful for your organisation?

The need for CCTV monitoring depends on each organisation. If you have storage units containing valuable items and sensitive information, CCTV may be useful in monitoring access and maintaining a log of activities around these areas. Other organisations may choose to only install CCTV following previous security incidents.

The monitoring of employees through video surveillance isn't required by the GDPR. It is left to the discretion of the data controller (your organisation) to identify a need for CCTV and decide whether to install it.

How can you ensure your CCTV is GDPR compliant?

When we think about personal information, our first thought is written documentation, such as banking details and forms of identification. But it's important to remember that images and videos may also include personal information, a key consideration for CCTV systems under the GDPR. To stay compliant, remember these key points when using and sharing CCTV footage:

Maintain transparency around how/why CCTV is used

The GDPR is rooted in transparency, and you must inform people that they are under surveillance using visible signs. Signs should also include the following details:

  1. Why this data is being collected/its purpose, for example: “CCTV currently in operation to ensure public safety”
  2. Contact details of the data protection officer (DPO)
  3. Information about your organisation (data controller)
  4. Means to access other details upon request (via QR code, for example)

Aim to collect minimal data 

Article 5(1)(c) of the GDPR stipulates that data collection should be “adequate, relevant and limited to what is necessary” in line with its stated purpose. Be sure to review your CCTV practices and delete unnecessary footage regularly.

Ensure access to footage is limited to specific individuals

Only those who need access to surveillance footage should be allowed access, i.e. those in management roles and others who require this data to perform their duties. To facilitate this, cloud-based systems can store CCTV footage securely in an encrypted format that those with permission can access.

Conduct a data protection impact assessment (DPIA)

Before you set up your CCTV cameras and begin surveillance, you should identify and minimise any potential data processing risks. Gather this information through a DPIA (learn more about carrying out a DPIA and download a DPIA template). A DPIA should be conducted whenever CCTV equipment is newly installed or moved.

Comply with reasonable access requests

Individuals should be allowed access to CCTV footage that concerns them. These requests can be formal or informal, and you are expected to respond to requests within one month. The requested footage should be provided in a secure and easily accessible way, with the identities of other subjects blurred to ensure their privacy.

When done effectively, CCTV can be a valuable tool in maintaining workplace security and protecting the confidentiality, availability, and integrity of sensitive information. However, there are a few risks you should consider before choosing to install CCTV.

What are the risks associated with workplace CCTV monitoring?

CCTV is not inherently risky, but there are a few pitfalls you should aim to avoid before choosing to install it at your workplace:

Breach of employee-employer trust

Monitoring workplace activities may damage your relationship with your employees, so they must be informed of any CCTV devices. Uninformed/non-consensual surveillance may result in complaints and staffing issues.

GDPR infringement

Your organisation might violate the GDPR and incur heavy fines if the collected data isn't adequately protected. This could damage your organisation’s reputation and put it at significant financial risk.

Human Rights Act violation

Ensure that the means of surveillance are not overly intrusive, so that they do not violate your employees' privacy. Such violations can result in legal action.

What fines can you get for CCTV GDPR non-compliance?

The ICO takes data privacy violations seriously, which extends to poor CCTV practices. GDPR violations can result in fines amounting to €20 million or 4% of an organisation’s annual global turnover – whichever is greater.

Take steps to make your CCTV GDPR-compliant

When reviewing how your organisation handles personal information, don't overlook that video surveillance might capture personally identifiable images. Following GDPR guidelines safeguards your organisation against unauthorised sharing of sensitive data, breaches, and hefty fines. 

Find out how to keep your organisation GDPR compliant and how our experts and platform can help you along the way. And if you’re ready, don’t hesitate to reach out.


About the author

DataGuard Privacy Experts

Dive into the world of data protection, compliance, ethics, and data security with hands-on advice and actionable opinions from our certified Data Protection Officers and Privacy Consultants from Germany, the UK, and Austria. Coming from a wide range of backgrounds like business, legal, tech, or marketing, our specialists share the latest news and solutions to current challenges, as well as their takes on recent judgements and legal decisions with you. Their aim? To enable you to make the right decisions and keep your business safe, build trust, and grow revenue while remaining compliant with current privacy laws. What makes our specialists qualified? These are some of the certifications of our privacy experts: Certified Information Privacy Professional/Europe (IAPP), Certified Information Privacy Manager (IAPP) Information Security, Certified Information Privacy Technologist (IAPP), Certified Practitioner in Data Protection (BCS), Certified Data Protection Officer (TÜV), Fellow of Information Privacy (IAPP), Certified EU General Data Protection Regulation Practitioner (IBITGQ), Data Protection Officer & Europrivacy Auditor, Practitioner Certificate in Data Protection, PC.dp. (GDPR)
