Could the GDPR be the key to CCTV cyber security?

Data protection is a fundamental concern to all organisations which hold personal information – and both regulations and penalties are about to become significantly more onerous when the General Data Protection Regulation (GDPR) comes into effect on 25th May 2018.

The GDPR is a set of laws designed to protect personal data from commercial abuse and to encourage organisations that retain such data to harden their defences and improve their processes for looking after it. This will significantly crank up the importance of control over all types of data, not least because companies that breach any of the GDPR’s principles run the risk of massive fines (up to €20 million or 4 per cent of turnover, whichever is higher) immediately the regulations come into effect.

In brief the principles of the GDPR are:

  • Lawfulness, fairness and transparency – the handling of data must be lawful, with consent and any use of the data should match the stated purpose.
  • Purpose limitation – data collection, retention and processing must be limited to only what is necessary to meet the purpose.
  • Data minimisation – data collected should be: adequate for the stated purpose, limited and relevant to the purpose.
  • Accuracy – data collected needs to be accurate and up to date.
  • Storage limitation – data should be kept for no longer than necessary.
  • Integrity and confidentiality – data should be processed securely and should be accurate and complete.

What many organisations often do not realise is that personal data is not just written material but includes video and audio if this allows individuals to be identified. One area of particular concern is CCTV. The design of most CCTV equipment sold today has not changed since before the Web was invented by Tim Berners-Lee and when computer viruses and hacking were the stuff of science fiction. So it comes as no surprise that there is a constant flow of news articles highlighting the security flaws that have enabled hundreds of thousands of CCTV systems across the world to be hacked and used in DDoS attacks.

CCTV systems are inherently vulnerable to cyber-attacks when connected to the Internet and the security and privacy of the data they hold is best ensured by physically restricting access to them – just as it was back in the 1970s.

When the GDPR comes into force, management will set out operational processes to help their employees demonstrate compliance. Due to the inherent limitations of traditional CCTV, where data is held on DVRs, these will inevitably restrict general access to the equipment rather than allowing access to specific data by authorised employees.

Moreover, companies that want to avoid the disruption of an investigation and potential fines will want comprehensive oversight of the operation of their CCTV systems and the data held on them. This will require both increased manual intervention and physical lock down, making CCTV more resource hungry and less productive. For organisations with more than one CCTV system in more than one location this starts to become very restrictive.

The solution is to hold CCTV information securely in the cloud, with access limited to authorised personnel. There is no longer a physical DVR; data is sent directly and securely from the cameras to the cloud. Such systems can not only provide an overview of all visual data collected by the CCTV cameras connected to it but also complete control over access to that data – which is encrypted from end to end and can be viewed using  a regular computer, tablet or smartphone via secure browser technology. They can also only record CCTV data when needed and can automatically delete it when it is no longer required.

Not all cloud providers offer all the facilities, so organisations must ensure their provider is compliant with the forthcoming legislation. They should also bear in mind that many cloud providers have clauses which allow them to share data with third parties – clearly inappropriate for personal data.

However, the advent of cloud-based CCTV means that for a very modest sum not only does it become much easier for organisations to make their current CCTV systems compliant with the GDPR but they also improve their cyber security and obtain a more accessible and flexible CCTV system at the same time – without the necessity of having to rip out and replace their existing systems.

By James Wickes, CEO and co-founder, Cloudview.


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.