Retail: Q&A's on GDPR
Ian Johnson, CEO
CCTV Data Compliance Inspectorate
What do you think the impact of the GDPR will be for Retailers?
From a CCTV Data Compliance perspective, it is essential that all Retailers ensure that their CCTV systems meet the requirements of:
- The current CCTV Code of Practice pursuant to the Data Protection Act (DPA), issued by the Information Commissioner's Office (ICO).
Fines of up to £500,000 for data breaches of the DPA are now being exercised by the ICO.
- From May 2018, the General Data Protection Regulation (GDPR) together with the Data Protection Directive (DPD) will update and replace the current DPA, together with the issuance of a new CCTV Code of Practice at that time.
- Fines of up to Euro 20 Million or 4% of Annual Turnover for data breaches will be put in place from that date.
- GDPR will, for the first time, place obligations directly on Data Processors. In these circumstances, there will be much closer legal contractual relationships established between the Retailer as a Data Controller and the CCTV Installer acting as the Data Processor.
- Understanding the legal basis of Consent, Communication with customers, Subject Access Requests etc., most of which is already covered within the current DPA, will be further emphasised by the GDPR in accordance with standards required based on the Data Protection principles, including the importance of reporting Security Breaches within a short period of time.
How do you think retailers will / should comply with the new regulations?
- By ensuring that only good quality CCTV products, such as Panasonic, are chosen to be installed to meet the requirements of the GDPR.
The CCTV Data Compliance Inspectorate provides a unique compliance training process, modelled on the very successful British Gas Safe Register (formerly called the CORGI Gas Scheme, which became mandatory in the late 1990s) for ensuring the Monitoring of Compliance (similar to an MOT) for existing and newly installed Closed Circuit Television (CCTV) systems to meet the legal and good practice requirements of the current Data Protection Act (DPA) and the new General Data Protection Regulation (GDPR) and Data Protection Directive (DPD), which both come into force in May 2018.
- This will enable individual CCTV Installing Engineers to become Certificated Licensed Assessors (CLAs) and offer CCTV Data Compliance Services to all Retail CCTV Owner / Users UK wide on behalf of their Company.
- The CLAs will provide the Owners of CCTV systems and the Courts with a completed, verifiable, numbered Compliance Assessment Form (CAF) from a secure Cloud Server, which will be made digitally available to CCTV Installers, Police Forces and the Criminal Justice System (CJS) for use in the Courts.
What are your thoughts on government expectation and direction in relation to security and Data Protection?
The ICO / Government expectation and observation is that the CCTV Security Sector has already started to prepare itself to meet the requirements of the new GDPR, initially on a voluntary basis, by May 2018, this being the date that the Information Commissioner's Office (ICO) will update and replace the current CCTV Code of Practice to include the GDPR & DPD.
However, the likely trajectory will be similar to the Gas Industry, that is, to move quickly from a Voluntary to a national Mandatory Compliance scheme.
What difficulties and issues do you see Retailers face with regards to data capture for marketing purposes and business analytics, once the new data privacy regulations are set?
The ICO's website is currently providing "up to date" information on the standards required for the above, which will determine the ICO's position at the point of changeover to the new Regulations in May 2018. This will take into account Global CCTV manufacturers' technological advances, which will no doubt include Marketing, Business Analytics, Cyber security and other safety and data compliance features being offered at that time.
As the UK edges closer to a decision on how it will leave the European Union, so all institutions in the UK are examining what the departure might mean for their practices and business models. The Information Commissioner’s Office, responsible for personal data protection, has begun an information campaign addressing business and third sector bodies about the steps which they must take before the EU’s general data protection regulation becomes effective in May 2018 (which may not be that long before the UK actually leaves the EU). Maintaining the regulation standards in the UK after departure from the EU will be important to ensuring that businesses in the UK can continue to exchange personal data with their counterparts in the EU.