GDPR: Photos & CCTV

Published by tinsleyNET Admin on

Are you GDPR Ready?

“,”serverSync”:”2018/06/13 11:55:14″}’>

General Data Protection Regulation

If you’re primary business is photography, have you considered the impact the GDPR is going to have on you and how you operate?

What about if you have CCTV that monitors and records an area that members of the public can access?

Photography

Are photographs classed as Personally Identifiable date and as such covered under the GDPR? This depends on the photo. The ICO state that a photo is classed as personally identifiable data if an individual is identifiable in the image to the data controller (i.e. You, the photographer) or would be reasonably identifiable to any other individual.

With services such as Facebook, Google and Bing being able to search massive collections of photos and perform biometric analysis on the images to find individuals faces, the likely hood of being able to be identified in a photo has increased significantly.

Consent, Contract or Legitimate Interest?

If you’re taking photos as part of a contracted service, that’s likely to be your lawful basis for processing the information, but it’s not as simple as that.

Say you’re taking photos at a wedding. Your contact is probably with the bride and groom, so what about the photos of all the guests? are they also a part of the contract, do the bride and groom have the authority to ask you to include their guests in the photos of their wedding? It’s not going to be practical to get consent from everyone so maybe you can use Legitimate Interest as a basis for processing their information, but at a private event would individuals expect a certain level of privacy?

It’s probably going to be best to use a mix of the two lawful bases, the bride and groom are contractual processing, and as part of the contract the guests are notified of the processing under a legitimate interest before the big day. You need to be mindful to the principles of the GDPR of transparency and of notifying the individuals to the processing BEFORE the processing happens, and in giving individuals freedom of choice.

Now imagine a sporting event, say a run with 5000 runners. Your contract is going to be with the run organiser so how are you going to notify the participants and how are you going to make sure you don’t process any individuals who have restricted the processing of their information?

It may be that some people approach you to ask you not to include them on photographs, at that point their right not to be processed probably overrides your legitimate interest (as identified in your Legitimate Interest Assessment). And strictly speaking it’s not a case of ‘I’ll check through the photos after the event and remove any with them on’ as that in itself is processing the data, so you need to be able to spot any ‘opt-outers’ and make sure they are not identifiable on any photos at all.

You’ll need to consider the way you tag your photos too, if you use software that identifies individuals, such as bib numbers at a sporting event, or faces at a social event, how are you going to manage that additional data?

Right to be forgotten

How are you going to manage and process any individual requests for a right to be forgotten? If you’ve been taking photos from sporting events for the past three years and suddenly someone sends you a request to be forgotten you’re potentially going to have to go back through all your photos identifying the individual and removing them from the photos. How are you going to identify the individual and how are you going to process the request?

Using software to identify individuals is quite straightforward, but what about other individuals in the photos? Can you refuse the request or can you find other ways to process the photo to make the individual unidentifiable (such as obfuscating the image)

What about photos you have sent out to individuals, such as the photo set for the bride and groom, or photos people have bought from a run website, do you need to notify individuals of those copies?

Photo hosting

If you host photos on a website or share links to social media, how are you going to manage that under the GDPR? If the photo contains identifiable individuals, and will be accessible to individuals who were not at the event, you’ll need to identify the lawful basis for that and notify the individuals of the basis and reason for the processing.

CCTV

CCTV footage is also classed under GDPR as personally identifiable information if individuals (or individuals personally identifiable information) is identifiable in the image.

As such you need a lawful basis for recording and processing the information, and you need to be able to comply with individual user requests, such as the right to restrict processing or the right to erasure. This will depend on the basis you use for processing the information and you’ll want to know what rights individuals have and how you can respond to those rights.

You’ll need a way to supply CCTV footage to a user if they submit a request for information, or if a legal requirement exists that requests the information. Can you easily retrieve and supply the requested information?

Home CCTV

If you have CCTV at home, such as a webcam or more sophisticated equipment, generally it’s not going to be covered by GDPR if it;s entirely for a household process, that’s probably the case as long as it only includes footage from within your property boundaries.

However if it includes footage from outside your property boundaries, especially if that covers any neighbouring property or public areas such as a pavement or road, then you will probably need to register with the ICO and comply with regulations, and that means having procedures in place to manage individual user requests, and keeping documented procedures in place.

#WeCanHelp

tinsleyNET IT Servces Consultants #WeCanHelpThere’s a lot of work that needs to be done getting GDPR compliant, we can take the burden off you and create the policies, documentation and processes you need to make sure your organisation is compliant.

We can continue to support you by processing your incoming user requests and monitoring your processes to make sure your organisation remains GDPR compliant.

Contact Us Today!

Some of the GDPR specific services we offer include:GDPR General Data Protection Regulation

  • Data Protection Officer Services
  • Policy Writing
  • Data Handling
  • ICO Registering
  • Process Monitoring
  • Process Assessment


it@tinsleynet.co.uk


07825 650122


Contact Us

Categories: GDPRPolicy
Tags:

0 Comments

What are your thoughts?

Related Posts

Home Office GDPR
Data Protection Act 2018

Understanding how GDPR fits into the new normal.

There are so many benefits to working from home, and with the enforced home working caused by the coronavirus lockdown, it's suddenly a more appealing prospect. But with home workers there are some extra data security measures you need to consider and plan for. #WeCanHelp #GDPR #HomeWorking

WorkFromHomeC19
Business Development

The Office (after Coronavirus)

The new normal doesn't have to be the old normal. With the benefits of working from home realised, your business can move to a more dynamic working arrangement with home office remote workers, a smaller office space and a greener future.

British Airways Logo
Data Breach

Why was British Airways fined so much?

Last year, British Airways suffered a data breach that resulted to the details of hundreds of thousands of its online user's details being stolen, including email details and credit card details including the 3-digit security code from the back.