Retail: Q&A's on GDPR

Ian Johnson, CEO
CCTV Data Compliance Inspectorate

What do you think the impact of the GDPR will be for Retailers?

From a CCTV Data Compliance perspective, it is essential that all Retailers ensure that their CCTV systems meet the requirements of:-

• The current CCTV Code of Practice pursuant to the Data Protection Act (DPA), issued by the Information Commissioners Office (ICO) .

Fines of up to £500,000 for data breaches of the DPA are now being exercised by the ICO.

• From May 2018, the General Data Protection Regulation (GDPR) together with the Data Protection Directive (DPD) will update and replace the current DPA together with the issuance of a new CCTV Code of Practice at that time .
• Fines of up to Euro 20 Million or 4% of Annual Turnover for data breaches will be put in place from that date.
• GDPR will, for the first time, place obligations directly on Data Processors .In these circumstances, there will be much closer legal contractual relationships established between the Retailer as a Data Controller and the CCTV Installer acting as the Data Processor
• Understanding the legal basis of Consent, Communication with customers , Subject Access Requests etc most of which is  already covered within the current DPA, will be further emphasised by the GDPR in accordance with standards required  based on the Data Protection principles including the importance of reporting Security Breaches within a short period of time.

How do you think retailers will / should comply with the new regulations?

• By ensuring that only good quality CCTV products, such as Panasonic, are chosen to be installed to meet the requirements of the GDPR.

The CCTV Data Compliance Inspectorate provides a unique compliance training process, modelled on the very successful British Gas Safe  Register (formerly called the CORGI Gas Scheme which became mandatory in the late 1990’s) for ensuring the Monitoring of Compliance (similar to an MOT ) for  existing and newly installed Closed Circuit Television (CCTV) systems to meet the legal and good practice  requirements of the current  Data Protection Act ( DPA ) and  the new General Data Protection Regulation (GDPR) and Data Protection Directive (DPD) which both come into force in May 2018.

• This will enable individual CCTV Installing Engineers to become Certificated Licensed Assessors (CLA’s) and offer CCTV Data Compliance Services to all Retail CCTV Owner / Users UK wide on behalf of their Company.
• The CLA’s will provide the Owners of CCTV systems and the Courts with a completed, verifiable, numbered Compliance Assessment Form (CAF) from a secure Cloud Server which will be made digitally available to CCTV Installers, Police Forces  and the Criminal Justice system (CJS) for use in the  Courts.

What are your thoughts on government expectation and direction in relation to security and Data Protection?

The ICO / Government expectation and observation is that the CCTV Security Sector has  already started to prepare itself to meet the requirements of the new GDPR initially on a voluntary basis by May 2018 ,this being the date that the Information Commissioners Office (ICO) will update and replace the current CCTV Code of Practice to include the GDPR & DPD.

However, the likely trajectory will be similar to the Gas Industry --that is, to move quickly from a Voluntary to national Mandatory Compliance scheme

What difficulties and issues do you see Retailers face with regards to data capture for marketing purposes and business analytics, once the new data privacy regulations are set?

The ICO’s website  is currently  providing “up to date” information on the standards required for the above which will determine the ICO’s position at the point of changeover to the new Regulations in May 2018. This will take into account Global CCTV manufacturers technological advances which  will no  doubt include  Marketing, Business Analytics , Cyber security and other safety and data compliance features being offered at that time.

As the UK edges closer to a decision on how it will leave the European Union, so all institutions in the UK are examining what the departure might mean for their practices and business models. The Information Commissioner’s Office, responsible for personal data protection, has begun an information campaign addressing business and third sector bodies about the steps which they must take before the EU’s general data protection regulation becomes effective in May 2018 (which may not be that long before the UK actually leaves the EU). Maintaining the regulation standards in the UK after departure from the EU will be important to ensuring that businesses in the UK can continue to exchange personal data with their counterparts in the EU.