Watching the Watchers: Why the CCTV sector needs GDPR

There are at least 5.9 million CCTV cameras in the UK. From May 2018 every individual and organisation that has deployed one will be required to comply with the General Data Protection Regulation (GDPR), the EU regulation that will replace the Data Protection Act 1998 in the UK.   

No new legislation will be needed in the UK to bring the GDPR into law, and it is unlikely that the UK’s position with regard to Brexit will have any effect. The GDPR will come into force before the UK leaves the EU. In any case, it will apply to all data controllers and data processors outside the EU who process the personal data of EU citizens. 

It is often said that regulation brings with it control, hampering opportunities to innovate and grow. But as Andrew Charlesworth, Reader in IT and Law and Director of the Centre for IT and Law at the University of Bristol (CILT) points out in the White Paper Watching the Watchers, the GDPR offers the CCTV sector opportunities to tighten up on data security, and create new and better services. 

Taking responsibility 

A prevailing criticism of the current data protection system in the UK is that its focus on meeting specific regulatory requirements has allowed broader accountability issues to fall through the cracks.   

The area of taking responsibility for data is one which the GDPR should help to bring to the fore. While maintaining the same underlying principles as the Data Protection Act 1998 which it replaces, the GDPR emphasises that people need to be made aware of where, when, how and by whom their data will be processed.   

This requirement should help put an end to situations in which the abuse of personal data captured by CCTV causes individuals distress and puts the whole sector into disrepute. For example, cases like one from 2017 in which a domestic CCTV camera owner was ordered to pay their neighbour £17,000 in damages for distress caused by a breach of their data protection rights simply should not be able to occur because the GDPR will result in a clearer understanding by both parties of their rights and responsibilities.   

An opportunity for review 

CCTV is undergoing something of a technological revolution. Older technologies based around local recordings accessed manually are being replaced by more flexible IP based systems that use cloud storage. The visual data stored in cloud systems can be accessed at any time, from any location. Access does not depend on inflexible client software tied to a specific workstation. Moreover systems can be instructed to send instant alerts, triggered by particular conditions, to mobile devices. 

The new technologies are unquestionably more fit for purpose, but can be susceptible to data protection issues. For all their potential IP cameras are more vulnerable to attack than cameras on a closed system. Too often we read about CCTV cameras being used in botnets, or providing backdoor entry to company networks.   

The GDPR provides the ideal opportunity for organisations to look long and hard at their current setup and invest in a move away from legacy, possibly piecemeal technology to more sophisticated and secure modern systems. 

It also affords organisations with an opportunity to make greater use of visual data much more generally. Sight is our most effective human sense and yet we rarely use visual data to assist with decision making. The GDPR provides a set of guidelines as to how we can start to use data more commercially and effectively without abusing the rights of others. 

Taking the initiative to tackle security 

Importantly, the GDPR gives organisations the push they might need to take the initiative in closing security holes. It makes space for kitemark style certification covering a range of aspects of data processing. The CCTV supply sector could work with certification bodies to help define kitemarking that could be key to raising standards across the industry.   

For example, imagine certification for IP based CCTV systems which come with user dashboards that make it easy to set data storage periods and control other features that, as data controllers and processors, people should understand and configure. Imagine CCTV suppliers issuing ‘data protection guidance’ with all their cameras, so that all users, from the household and small business to larger organisations, have ready access to information about their legal responsibilities. And imagine kitemarks for cameras which are certified as without backdoor access and promised regular, automatic firmware updates into the future.   

Such measures could help transform public perception of the CCTV sector from ‘big brother’ to ‘helpful friend’, while supporting those organisations that need to upgrade equipment to meet GDPR requirements. They might even drive providers that are not kitemarked out of the industry. 

A kitemarking system might also help camera providers produce meaningful, strong and useful Privacy Impact Assessments (PIAs), which the GDPR will make mandatory for what it calls ‘high risk’ processing, an example of which is monitoring public areas. PIAs include assessment of how protection of personal data will be ensured. Cameras with software vulnerabilities should be ruled out by PIAs in a wide range of situations from public spaces to schools, hospitals, transport networks and more.   

Seize the day 

The GDPR will be incorporated into UK law in May 2018. It is likely that both data controllers and data processors will need to take stock of a whole raft of data management processes as they prepare for this, of which CCTV is just one element.   

The last thing the sector wants to see is itself being overlooked as higher profile parts of an organisation’s technology setup absorb its resources. Nor should the sector be content to sit back and watch while other players, keen to promote their own cloud services for using visual data to help organisations be safer, more productive and more efficient, squeeze longstanding operators out of the market by taking a forward looking approach to the issues the GDPR seeks to address. 

Instead, the CCTV camera sector has a golden opportunity to take the initiative and help organisations deal with this particular aspect of their technology setup. The sector itself can take GDPR as a cue to improve data security on cameras, move into secure cloud data storage, and address the ‘big brother’ perception. It can - and should - also work with external agencies on the development of certifications and kitemarks. 

James Wickes, CEO and Co-Founder, Cloudview 

Image Credit: Jeremy Reddington / Shutterstock