MSFM warns businesses of new GDPR regulations for CCTV - Mercury Security and Facilities Management
Skip to main content

MSFM warns businesses of new GDPR regulations for CCTV

Norhern Ireland’s biggest independent security company Mercury Security & Facilities Management has warned local businesses that the new EU General Data Protection Regulations (GDPR) could have serious implications on their security systems and procedures, including the use of CCTV cameras.

Why companies choose to use CCTV on their premises and what they do with data and images captured will come under the microscope under the new GDPR regulations which come into effect on May 25, 2018.

Mercury Security director Francis Cullen said:  “The impact of GDPR on business is far reaching and not just confined to your email address books or your customer, supplier and personnel files.

“For any businesses using CCTV cameras, for example, the accountability required under the new GDPR means that every company will need to prove that they have policies and documented procedures in place as well as monitoring and recording systems in position to cover all phases of the CCTV data’s security.

“In the event of a suspected security breach, companies must be able to provide the Information Commissioner’s Office (ICO) with all the information they require including how securely the CCTV data is captured, how safely it is stored and how long they plan to keep it,” he added.

“So considerations should be given as to whether you need CCTV in the first place, and if so, what methods you have in place to document each process, develop relevant policies and deal with the many requests, including subject access requests, deletion requests and the right to be forgotten?

“Ignorance or lack of knowledge is no longer a reason for the failure of data security that includes CCTV.  End users must make sure that they understand and can manage their CCTV system appropriately – and installers have a duty to their clients to be able to explain all this in more detail and make sure that all the relevant boxes are ticked for them,” concluded Mr Cullen.

The General Data Protection Regulation (GDPR) will be replacing the UK Data Protection Act 1998 and will apply in the UK from 25 May 2018.  The government has clarified that the UK’s decision to leave the European Union will not impact the enforcement of GDPR.

Under GDPR, all businesses are required to be able to demonstrate a lawful basis for all data collected from individuals, as well as provide clear and comprehensive privacy notices to help these individuals understand how their data will be used.

Organisations that are found to be in breach of GDPR could be fined up to 4% of annual global turnover or €20 million, whichever amount is larger.  Fines will be tiered based on the level of severity of the data breach.

The Information Commissioner’s Office (ICO) is the regulatory body for GDPR within the UK and Northern Ireland and is recruiting an additional 200 staff to help enforce the new regulations.  Its latest advice and guidance can be found at