UK GDPR Data Compliance Support Service

Providing Practical Guidance & Mitigating the Risk of Infringement

Our unrivalled GDPR Data Compliance Support Service provides practical guidance, management systems and procedures relating to the use of surveillance and security technology enabling you to achieve GDPR compliance.

The service mitigates the risk of infringement, the consequences of which include substantial fines levied by the ICO as well as potential harm to your organisation’s reputation.

Scope of Service

The service is based on a competitive annual service charge that covers:

Annual site visits to undertake systems assessment and audit of management processes covering CCTV and, if applicable, Body Worn Cameras, Electronic Access Control, Visitor Management Systems and Key/Asset Registers.

Help desk support throughout the year.

Data Viewing & Evidence Download Pack, containing USB memory cards and Data Viewing & Release documentation. Refills are supplied annually during the site visit.

Secure File Sharing software, training and support. This enables electronic dissemination of data such as video footage direct to applicants, rather than the inconvenient and insecure transfer of physical media.

CCTV Check software for diarising regular system checks with automated fault reporting.

Data Sharing Agreements (required if sharing data such as access control records with your occupiers/tenants).

Data Subject Access Request management. In the event of an individual making a request for CCTV footage, you will need to ensure that third parties’ identities are masked. As part of the service we include 10 minutes’ worth of video redaction editing.

Why do I need to be GDPR Compliant?

As an organisation operating in the UK, it is important to comply with the General Data Protection Regulation (GDPR) for a number of reasons. The GDPR is a regulation that was introduced in the European Union (EU) in May 2018, and it governs the collection, processing, and storage of personal data for EU citizens, including those residing in the UK.

Firstly, compliance with GDPR is a legal requirement for organisations that process personal data of EU citizens, regardless of where the organisation is based. Failure to comply with GDPR can result in hefty fines and penalties, which can have significant financial implications for your business.

Secondly, complying with GDPR can help to build trust and confidence among your customers and clients. By demonstrating that you take data protection seriously, you can show that you are committed to protecting their personal information and safeguarding their privacy.

Finally, GDPR compliance can also help to improve the overall security of your organisation’s data. By implementing GDPR-compliant policies and procedures, you can help to identify and address potential data security risks, and minimise the likelihood of a data breach occurring.

In summary, compliance with GDPR is essential for any organisation that processes personal data of EU citizens, including those residing in the UK. Failure to comply can result in legal and financial penalties, as well as damage to your reputation and loss of customer trust.

Annual Site Visit

The following is a précis of issues that are addressed and actions that are taken in relation to all surveillance and security systems including, but not limited to: CCTV, ANPR, Biometric Technology, Persons of Interest, Drones, Voice Recording, Electronic Access Control, Visitor Logging, Key/Asset Register, Lost Property Register, Accident Register and Security Management Documentation.

Privacy

In the case of video surveillance (CCTV, ANPR, BWC, etc.) this means ensuring that cameras cannot view areas where people have a reasonable expectation of privacy. The viewing capability of each camera is assessed and any potential for privacy breach is flagged in the report.

Data Minimisation

The amount of data collected and its retention must be no more than reasonably required to achieve the purpose. The archive retention period of each system is assessed and reported on if judged to be excessive.

Secure File Sharing & CCTV Check Software

Secure File Sharing software, training and support. This enables electronic dissemination of data such as video footage direct to applicants, rather than the inconvenient and insecure transfer of physical media. CCTV Check software for diarising regular system checks with automated fault reporting.

Keeping People Informed

In the case of CCTV etc., public information signs must be installed stating that CCTV is in operation, its purpose, and contact details where further information can be obtained. We provide a review of public information CCTV signage, mapping each location, supported by photographs and stating the size and type of sign required. We do not include the cost of signs, although we will be pleased to quote for supply only, or to liaise with your preferred sign company.

Data Subject Access Requests

Under data protection legislation individuals have the right to obtain information, usually at no cost to themselves, about how their data is being processed by the data controller. They can also receive copies of that personal data. In the case of security and surveillance systems this would typically be CCTV images or access control data. In the event of an individual making a request for CCTV footage, you will need to ensure that third parties’ identities are masked. As part of the service we include 10 minutes’ worth of video redaction editing.

Documentation & Media

Data that is downloaded from a password-protected source must be held and disseminated securely. A Data Viewing and Release Log is provided as part of VeriFi’s annual service charge. It includes serially numbered USB memory cards for data release working copies, together with a 1Tb password-protected portable hard drive or dedicated USB archive memory card for retention of master copies. Refills are supplied annually during the site visit.

Data Privacy Impact Assessment

In brief, a Data Privacy Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of a project before committing to it. In the case of CCTV installed prior to instructing us, the privacy impact assessment we carry out relates to data capture and processing and does not attempt to retrospectively justify use of the technology.

Legitimate Interest Assessment

If a data controller relies upon the legitimate interest lawful basis for processing personal data, then the UK data protection regulator (the ICO) expects the controller to have conducted a Legitimate Interest Assessment (LIA). Only if the LIA concludes that the data subjects’ rights aren’t overridden by the controller’s legitimate interest will the processing be lawful. The legitimate interest lawful basis is commonly relied upon for surveillance and security systems operated at commercial properties. VeriFi provides a template LIA which can be edited by the client to suit specific applications.

Data Sharing Agreements

A data breach can occur when a data controller releases CCTV footage or access control records without a formal process. In order to enable the release of data to insurers and legal representatives acting on behalf of individuals whose data has been recorded, VeriFi includes Data Sharing Agreements and access to a Third Party Subject Access Request Form within the annual service charge. VeriFi provides detailed advice on how to implement a data sharing procedure which minimises the risk of unlawful disclosures.

Data Viewing & Evidence Release Pack

As part of the service a Data Viewing & Evidence Release Pack will be provided to ensure your data is managed correctly.

Pack A

This pack is supplied free of charge, for use on larger sites, typically office premises with more than 20 CCTV cameras installed.

Contents

Custom box with foam insert & cut-outs.
USB ‘Blank Off’ with instructions.
1Tb Encrypted Hard Drive with keypad access.
4 x 32Gb Serially numbered USB Memory Cards with Security Seals.
Data Viewing & Release Documentation including Data Subject Access Request Forms.
Instructions & Guidance Booklet.

Pack B

This pack is supplied free of charge, for use on larger sites, typically office premises with more than 20 CCTV cameras installed.

Contents

Custom box with foam insert & cut-outs.
USB ‘Blank Off’ with instructions.
3 x Blue 32Gb Serially numbered USB Memory Cards with Security Seals, for evidence download.
1 x Red 64Gb Serially numbered USB Memory Card, for storing archive copies of evidence.
Data Viewing & Release Documentation including Data Subject Access Request Forms.
Instructions & Guidance Booklet.

Pack C

This pack is supplied free of charge, for use on large sites, typically shopping malls and major office developments with more than 50 CCTV cameras installed.

Contents

Custom box with foam insert & cut-outs.
USB ‘Blank Off’ with instructions.
8 x Blue 32Gb Serially numbered USB Memory Cards with Security Seals, for evidence download.
Data Viewing & Release Documentation including Data Subject Access Request Forms.

Pack D

This pack is chargeable and is supplied where the USB memory cards from packs A, B & C have been used up.

Contents

8 x Blue 32Gb Serially numbered USB Memory Cards with Security Seals, for evidence download.
Data Viewing & Release Documentation including Data Subject Access Request Forms.

GDPR Enforcement Penalties

The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection, and it is responsible for enforcing the General Data Protection Regulation (GDPR) in the UK. The ICO has the power to issue fines and other sanctions for non-compliance with GDPR, which can be significant.

Since the introduction of GDPR in May 2018, the ICO has issued a number of fines to organisations in the UK for breaches of GDPR. These fines have ranged from tens of thousands of pounds to millions of pounds, depending on the severity of the breach and the size of the organisation.

One notable example is the ICO’s £20 million fine issued to British Airways in 2020, following a data breach that resulted in the theft of personal data of over 400,000 customers. The ICO found that British Airways had failed to implement adequate security measures to protect the personal data of its customers, and had also failed to detect the breach in a timely manner.

Another high-profile case was the ICO’s £18.4 million fine issued to Marriott International in 2019, following a data breach that affected the personal data of around 339 million guests worldwide. The ICO found that Marriott had failed to conduct sufficient due diligence when it acquired Starwood Hotels and Resorts, and had also failed to put appropriate security measures in place to protect the personal data of its guests.

It is worth noting that fines are not the only sanction that the ICO can impose for non-compliance with GDPR. The ICO can also issue enforcement notices, order organisations to stop processing personal data, and even prosecute individuals and organisations for serious breaches of GDPR.

In summary, the ICO has the power to issue significant fines and other sanctions for non-compliance with GDPR in the UK. Organisations must take GDPR compliance seriously, and implement appropriate measures to protect the personal data of individuals in their care. Failure to do so can result in severe financial and reputational consequences.

The Dutch Data Protection Authority has levied a €725,000 (roughly US$791,000) fine against a company for scanning its employees’ biometrics with a fingerprint time and attendance system. The Autoriteit Persoonsgegevens ruled that the company had not established the exceptional grounds for the system’s implementation which would have provided a legal basis for its use.