Great, if that’s been included in your documentation, you’re ready to move on to the next question.
Think about how your footage could impact privacy. If you have a 4K ultra HD PTZ camera that can follow a person on a street, that's more invasive than a 2MP static camera which gives an overview of a scene.
If your reason for filming means you need to identify people, then consider how you do this. More on that in the questions below.
Do you capture public areas like roads and paths?
Can your field of view be adjusted so that only your own site is under surveillance?
If not, then consider the next question.
OK, that's fine, you can move on to the next question.
This is less risky from a privacy point of view. On to the next question.
Is your footage stored securely?
Great news! Have you considered both physical and cyber security?
If yes, then on to the next question.
Can you make the area where footage is viewed physically secure? If you have a control room, can you restrict those who enter? Can you take any measures to ensure the footage isn't overlooked, perhaps by adding a privacy film to windows?
There are some exceptions to this. For example, if you can see the live footage of a shop, this can be OK as long as it shows what you could see by looking around.
Also consider the cyber security of your system. Is the footage encrypted? Has the default password been changed for all cameras? Is the firmware up to date?
Do you have a defined retention period?
That's good news. How is this enforced?
Document how long you need to keep your footage and then ensure that older footage is deleted (unless it's being kept for evidence). Typically 31 days is enough time for an incident to come to light.
Have you got "CCTV in operation" signs?
That's good news, you can move on to the next question.
Add CCTV signage to your site. It should be prominent and adequate. You may wish to show who's filming (your logo), why you're filming and contact details.
Do you have policies and procedures for CCTV?
Great, move on to the next question.
Documentation is crucial. Your policy could include:
Purpose of recording
What should be recorded
Who should have access to your footage
How long your footage will be kept for
Your procedures should look at what to do in certain scenarios. For example, if you have a theft, how should it be investigated? The procedures should also mention who's responsible for controlling your data and what checks are in place.
Do you regularly review your requirements?
Well done, this is a crucial step.
Carry out a review at least annually to make sure your procedures are being followed. The ICO, in their Data Protection Impact Assessment (DPIA), suggest that you also carry out a review when:
Cameras are added/removed or change position
The system is upgraded
A new system is installed
Biometrics are implemented (i.e. facial recognition)
The end?
These questions are intended as a high-level overview of the most common requirements of the GDPR. If you want more detailed information, read our guide to the GDPR.