The GDPR will come into effect on 25th May 2018 and has been described as the biggest shake-up of data protection law for 20 years. James Wickes, CEO and co-founder of cloud-based visual surveillance company Cloudview, looks at the changes businesses need to make and the consequences of getting it wrong.
Data protection is a fundamental concern to all organisations which hold personal information. Next year new, tighter legislation comes into force which has been described by legal firm Wright Hassall as the biggest shake-up of data protection law for 20 years.
The General Data Protection Regulation (GDPR) becomes law on 25th May 2018. It will be directly applicable in the UK without further implementation, and serious breaches could see organisations facing fines from the Information Commissioner’s Office (ICO) of up to €20 million or 4 per cent of turnover, whichever is higher. These increased fines will apply immediately, so organisations need to ensure that their GDPR-compliant policies and processes are in place promptly. Large organisations also need to be aware that the size of the fine is calculated on the turnover of the whole organisation, not the operating division or subsidiary in which the breach occurred.
Personal implications for senior executives
Fines, however, are not the only potential penalty. The new legislation could have a personal impact on any senior executive with legal responsibility for their organisation’s behaviour.
The Culture, Media and Sport Committee’s investigation into cyber security, triggered by the cyber-attack on TalkTalk, was published in June 2016 and makes two recommendations. First, it suggests that a portion of CEO compensation should be linked to effective cyber-security. The report says: “To ensure this issue [cyber-security] receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber-security, in a way to be decided by the Board”.
It goes on to say: “We concur with the ICO [Information Commissioner’s Office] that whilst the implementation of the GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences.” So executives could face jail as well as fines for breaching the new regulations.
The need for consent
To understand the implications of the GDPR, we commissioned a briefing note from independent solicitors Wright Hassall. They identified two key issues:
- Organisations whose core activity is processing special categories of data or the systematic monitoring of individuals on a large scale will have to appoint a Data Protection Officer to monitor compliance with the rules.
- Organisations will have to demonstrate that an individual’s consent to the processing of their personal data is ‘freely given, specific, informed and unambiguous’. In most cases implied consent will not be sufficient. In my area, CCTV, it is as yet unclear to what extent organisations will need to seek explicit consent from individuals to record them via a CCTV system, as we are already required to make the presence of cameras very clear.
To prepare for the GDPR, the first step organisations should take is to carry out a Privacy Impact Assessment (PIA) to identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy. They need to consider whether there is a legitimate reason to collect specific information, whether it is stored securely, with safeguards to prohibit interception and unauthorised access, and whether data is deleted when it no longer serves a purpose. This latter issue has recently been raised as a concern by the surveillance camera commissioner, who points out that the Metropolitan Police are failing to delete number-plate records after two years, but have retained the data since the London Olympics in 2012.
Organisations also need to have a documented information retention policy which is understood by those handling data collection, and ensure that staff know how to respond to requests from individuals for access to their personal data. For more information, the ICO has produced a useful guide.
Personal data is not just text
What many organisations often fail to understand is that personal data covers every type of information, from written text to video and audio. This is increasingly important with the growth of the Internet of Things (IoT). All the data we upload onto our phones, from how many steps we take to changes in our heating systems, could be included if it allows individuals to be identified. IT departments are often responsible for all these devices and all this data.
Yet one area falls outside the remit of ‘traditional’ IT: CCTV, which many organisations use to monitor communal areas, manufacturing sites and warehouses. If video footage enables individuals (clients, employees, or passing members of the public) to be identified, the GDPR is applicable. CCTV surveillance systems should not normally be used to record conversations between members of the public or staff as part of a working environment – this is highly intrusive and unlikely to be justified.
CCTV footage differs from other types of data in that the systems holding it tend to be either locked down or open, with little middle ground. Because IT systems have moved into data centres, or better still the cloud, it is relatively straightforward for IT departments to meet data protection requirements, for example by ensuring that only authorised individuals can access certain information. Access to current DVR-based CCTV systems, however, has to be physically constrained with locks or passcodes, because anyone with access to the equipment can access the data. Remote access has to be managed through a VPN (Virtual Private Network), which is expensive to set up, inflexible and not always secure. Processes also need to be enforced rigorously to ensure data protection standards are met. CCTV is typically seen as peripheral to a business – but the legislation still applies, as do the fines.
One solution to this CCTV GDPR compliance problem is to hold CCTV information securely in the cloud, with access limited to authorised personnel. There is no longer a physical DVR; data is sent directly and securely from the cameras to the cloud. Such systems should be configured to record CCTV data only when needed and should automatically delete it when it is no longer required. Cloud-based CCTV systems should also have all the security and encryption necessary to protect data, and verifiable audit logs to prove that data was handled, transmitted, viewed and deleted appropriately. Not all providers offer this level of end-to-end service, so organisations still have to take responsibility for ensuring that their cloud provider is compliant with the appropriate regulations. They should also bear in mind that many cloud providers have clauses which allow them to share data with third parties – clearly inappropriate for personal data.
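The two controls singled out above and in the PIA section, automatic deletion once footage has outlived its retention period and a verifiable audit log of who viewed or deleted what, can be illustrated in a few dozen lines. The following is an added example written for this page; it is not Cloudview's code nor any product's API. It assumes a simple catalogue of footage clips (camera name, recording time, retention period in days), simulates deletion on an in-memory list, and models the "verifiable" audit log as a hash chain, so that any edited or removed entry breaks verification. The clip catalogue and timestamps are constructed sample data.

```python
"""Retention enforcement with a tamper-evident audit log (added example).

Assumptions (not from the article): footage is catalogued as Clip records,
deletion is simulated in memory, and the audit log is a SHA-256 hash chain.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Clip:
    clip_id: str          # hypothetical identifier for a stored recording
    camera: str
    recorded_at: datetime
    retention_days: int   # from the organisation's documented retention policy


class AuditLog:
    """Append-only log where every entry commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same fields always hash the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, clip_id, at):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"at": at.isoformat(), "actor": actor, "action": action,
                "clip_id": clip_id, "prev": prev}
        self.entries.append({**body, "hash": self._digest(body)})

    def verify(self):
        """Return True only if every entry's hash and back-link still check out."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def enforce_retention(clips, log, now, actor="retention-job"):
    """Delete every clip whose retention period has expired; log each deletion."""
    kept, deleted = [], []
    for clip in clips:
        expires = clip.recorded_at + timedelta(days=clip.retention_days)
        if now >= expires:
            log.record(actor, "delete", clip.clip_id, now)
            deleted.append(clip.clip_id)
        else:
            kept.append(clip)
    return kept, deleted


# Constructed sample catalogue: a 30-day policy, evaluated on the GDPR start date.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE_CLIPS = [
    Clip("c1", "warehouse-door", NOW - timedelta(days=45), 30),  # overdue
    Clip("c2", "reception", NOW - timedelta(days=10), 30),       # still in period
    Clip("c3", "loading-bay", NOW - timedelta(days=30), 30),     # expires today
]


def run_demo():
    """Record one view, run the retention job, and return the resulting state."""
    log = AuditLog()
    log.record("alice", "view", "c2", NOW - timedelta(days=1))
    kept, deleted = enforce_retention(SAMPLE_CLIPS, log, NOW)
    return kept, deleted, log


if __name__ == "__main__":
    kept, deleted, log = run_demo()
    print("deleted:", deleted, "kept:", [c.clip_id for c in kept])
    print("audit log intact:", log.verify())
```

The hash chain is what makes the log "verifiable" in the sense the text asks for: a provider can hand over the entries and the last hash, and an auditor can recompute the chain to confirm that no view or deletion event was altered or dropped after the fact.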
Ignorance is no excuse for breaking the law, and this includes data protection legislation. The new legislation comes into force in just over a year’s time, so organisations need to begin preparing now.
More information is available in the briefing note ‘Is your use of CCTV compliant with data protection legislation’ from Wright Hassall, available on the Cloudview website http://www.cloudview.co/dls/white/Cloudview-CCTV-Article-vanilla-23-05-16.pdf