The GDPR will require a wholesale reassessment of data protection for the UK’s millions of CCTV cameras, which so far have gained from relatively light touch regulation. However, that General Data Protection Regulation (due to come into effect next year) will enable the sector to enhance its public image and create opportunities for new valued-added services. This is according to a paper from a cloud-based video surveillance company.
Cloudview asked Andrew Charlesworth, Reader in IT Law at the University of Bristol, to examine the impact of the changing nature of data privacy regulation on the CCTV industry. The resulting paper, Watching the Watchers, shows how changing technology has altered both the data protection environment and public perceptions of what is acceptable to protect their privacy, and explains how it creates opportunities for providers to offer enhanced value services.
CCTV cameras across the UK’s homes, schools, business and public spaces will come under the GDPR. The paper points out that UK regulation has been relatively light touch until now, using recent court cases to show how current legislation has been applied. It explains the key changes that will be required as the GDPR changes the focus of data protection from compliance to accountability. As the new regulation coincides with a transition to new IP- and cloud-based CCTV systems, it creates opportunities and risks, Mr Charlesworth suggests.
James Wickes, Cloudview CEO and co-founder said: “The GDPR places new demands on CCTV users, and non-compliance puts them at risk of a significant fine. However, they may be able to use the changes it requires in a positive way. The GDPR gives them an opportunity to tackle what is often a negative image, of being watched by a third party, and take the lead in demonstrating accountability and privacy protection. They will need to review and possibly change their privacy policies, but by using new technologies such as cloud they can meet the new regulations while improving data accessibility and opening up new applications for visual data.
“Cloud allows selective and secure access to CCTV footage from any device by nominated employees, and it also offers performance improvements such as making data more readily accessible, providing accurate date and time stamping and providing constant updates on camera status so any technical problems can be rectified immediately. It’s up to the industry to use the GDPR as an opportunity to rethink the way that visual data is stored, how it’s secured and ultimately how it can be used to better effect as a business tool rather than purely as a security system.”
The White Paper can be downloaded here http://www.cloudview.co/whitepapers/watchingthewatchers.
Until recently the courts had held that damages could only be awarded where a data subject had suffered monetary loss, but in the case of Vidal-Hall V Google Inc (2015) the Court of Appeal ruled that damages could be awarded solely for distress. This is aside from any damages that might now be claimed for breach of private information (Peck v UK (2003)). In the court case of Woolley v Akbar (2017), a dispute between two householders, A’s breaches cost her over £17,000 in damages for distress caused to W for breaches of their data protection rights. More details in the paper.
Meanwhile, a crowdsourced threat intelligence product firm has brought out a survey of over 900 conference participants at the Infosecurity Europe show in London in June. Almost half (49pc) of respondents said that the threat of GDPR fines is making them more nervous of using cloud-based apps and services. This could be due to the lack of cloud security expertise that participants described within their organisations. Over a quarter of them (28pc) described the level of cloud security expertise in their organisations as either ‘novice’ or ‘not very competent’.
A quarter of those surveyed (27pc) admitted to cutting corners with cloud security; to reduce costs, such as sharing credentials to access cloud-based apps and services within their organisations.Almost half (48pc) either don’t have, or aren’t sure if they have, data processing agreements set up with new cloud providers. This is an essential part of GDPR compliance, and ensures that any cloud apps are adhering to data privacy protection requirements when processing customer data.
Javvad Malik, security advocate at AlienVault , said: “Cloud security is clearly still a thorn in the side for some organisations, with IT teams still struggling to monitor their environments effectively for security threats. In a separate AlienVault survey, we found that around a fifth of IT professionals don’t know how many cloud applications are being used within their organisations. This lack of visibility raises the question of how cloud-consuming organisations are going to cope with the requirements of GDPR if they don’t even know which apps are being used.”
The 72-hour rule
Article 33 of the GDPR states that an organisation must report a data breach within 72 hours. A national data protection authority will then decide how much to fine the organisation for the breach; this could be up to 4pc of the organisation’s global annual turnover, or over 20 million Euros, whichever is greater. Half respondents believe that the 72 hour rule could do more harm than good. For example, people might try to cover up data breaches, rather than reporting them in a less timely manner. One reason for this could be because a significant proportion (43pc) of survey participants don’t think their organisation could, or aren’t sure if they could, identify and report a data breach within 72 hours.
Javvad Malik said: “Organisations with small and overstretched security teams, and limited budgets for cybersecurity, are likely to be extremely worried about the threat of GDPR fines. After all, the potential of having to pay up to 4pc of global turnover could have a serious effect on a fledgling business potentially impacting earnings or funding opportunities. They could also lose customers through reputational damage and even have to consider making redundancies. Set against this backdrop, it’s easy to see why some might consider trying to cover up a data breach, rather than deal with the consequences. But this could lead to far greater problems for them in the long term.”
And as for encryption, over a third of respondents (38pc) said that their organization would refuse to put a backdoor in their customer data if asked to do so by the government. Many respondents were scathing about the UK Government’s policies towards encryption.