GDPR: One year on

Case Studies

GDPR : One year on and it’s a compliance mess by Andrew Crowne-Spencer MIET

UK CCTV & Technical Manager at Clearway Services, Dartford, with wide experience across the security and investigations industry. A Board member of the IFSEC installer advisory board, Andrew is an expert in physical and electronic security, risk assessment and video analytics.

It’s exactly a year since the General Data Protection Regulation became another piece of red tape on our radar with which we need to comply, not that I don’t think it’s very necessary to maintain an individual’s right to a certain level of privacy. However, a recent investigation by Clearway across our database has revealed alarming levels of non-compliance, in particular where the use of CCTV is concerned. The reasons for this worrying discovery were multiple, but appeared mainly to be because the management responsible hadn’t bothered to read all the regulations in enough detail, don’t think they apply to them, are too lazy to comply with it all or simply don’t understand them. It’s a very sorry state of affairs.

First invented and used in 1942 during WW2 by the Germans to monitor their rocket testing, and then rolled out commercially in the USA in 1949, it wasn’t until 1968 in New York that CCTV first appeared on a public street. However, CCTV cameras are now a fact of life and surround us. Six years ago, the BSIA estimated there were nearly 6m in the country, including 750,000 in “sensitive locations” such as schools, hospitals and care homes, and there are some 15,600 on the London Underground network alone. Other estimates put the national tally far lower at 1.85m but it’s virtually impossible to clarify the figures with any degree of accuracy without checking every single property and street from Scotland to Cornwall as they are literally everywhere.

Whichever figure is nearer the truth, that’s still a lot of cameras, which may persuade some people we live in a ‘surveillance society’, anathema to those who champion our right in the UK to privacy, freedom of speech and movement.

However, there is no doubt CCTV protects businesses, homes and public property while providing police forces and security organisations with a vital tool for both deterring and solving crime. Given the increasing current paranoia about terrorism, especially in high profile buildings and travel hubs, and the development of more refined technology, one wonders just how many cameras there are watching us anywhere and everywhere.

Lack of mains power is no issue as CCTV on inView Towers and mobile units have full solar capability. We supply them to clients for everything from construction sites and car parks, to agricultural locations and events and festivals. No doubt critical situations are also quietly observed from a satellite in space although we don’t yet offer that service! In this day and age there is definitely nowhere CCTV can’t go.

Since our streets and buildings bristle with CCTV cameras everywhere, inside and outside, recording details and images of our comings and goings (it’s estimated that the average Briton is captured on CCTV around 70 times per day) most people believe this is a small compromise to privacy necessary for improved protection from crime. However, facilities, building and security managers or property owners really need to check their compliance to GDP Regulation is up to scratch before someone complains and they face a hefty fine and all the attendant negative publicity.

One year on from the introduction of the new legislation, it is reported that EU GDPR fines totalled €56m, with more than 200,000 investigations, 64,000 of which were upheld. Admittedly, €50m of the €56m total was a single fine against Google in France, but the figures on investigations can’t be denied. The Austrian data commission was the first to act after only 4 months of the new regulations coming into force, fining a sports betting cafe owner who had installed a CCTV camera on the front of his property that also recorded a large part of the pavement where the public were walking past. The commissioner found this to be in violation of the Regulations as monitoring of public spaces is not permitted. In addition, a further offence committed was lack of signage about the presence of a camera conducting video surveillance.

When you think about it, as you are out and about yourself, do you really see or notice advisory signs about CCTV, as much as you should, given how widespread it is? Furthermore, have you any idea where all these CCTV images are stored, or if they’re deleted after a short time, or perhaps shared with other parties? Who really knows where you are going or what you are doing?

I believe the answer is a resounding no. The whole point of CCTV is security, and its deterrent factor in part, as well as recording the criminal activity to assist law enforcement bodies in detecting the perpetrators. Therefore, if trespassers or criminals don’t even realise they’re on camera, as is what we suspect in a lot of cases, what sort of useless deterrent is that? Also, just how good are the images the cameras are supplying? If they’re grainy or blurred due to old or faulty equipment, or not set up correctly, that doesn’t help anyone except would-be trespassers or criminals. Ten years ago it was reported that 95% of murder cases investigated by Scotland Yard used CCTV footage as evidence, yet latest data suggests 80% of footage now available is of such poor quality it’s almost worthless.

That apart, I find it staggering that so many companies or organisations, even public sector ones, don’t seem to realise that if they’re not properly complying with GDPR they can be penalised financially because of it.

The following example was found on one site recently. It’s a great illustration of common compliance failings.

The DVR from the security CCTV feeds was sitting on the organisation’s reception desk in the building foyer with the monitor on top showing the images. No one was on regular duty at reception and while we watched, someone leaned over the desktop to look at the monitor to see if their taxi was at the front door and was busily watching the feed from all the cameras. Moreover, the username and password for the system was on a sticker attached to the monitor (we’ve redacted it on our image). Then, when we walked outside, we discovered all of the CCTV signage was so worn and old that the contact details had faded away and were illegible.

The message from all this is simple. Check the CCTV systems you are responsible for are doing what they should, and you are complying with the GDP Regulations. Because someone, somewhere will be watching what you’re doing sooner or later.