Cookie consent

This site uses cookies that need consent. Learn more

Skip to content
Facit Data Systems
Insights

Guide to CCTV video redaction and GDPR compliance

Are you unsure why GDPR requires the redaction of certain faces, objects or words captured in video footage? Uncertain about what to redact and what not to redact? Is redaction a daunting prospect? This Guide clarifies video redaction and compliance requirements.

Guide to CCTV video redaction and GDPR compliance

Under the Data Protection Act and GDPR (General Data Protection Regulations), data captured in video footage is considered personally identifiable information (PII). 

PII or personal data must be protected by law and not revealed or shared with third parties. 

A problematic issue is that PII extends to more than what might be obvious. In documents, for example, names, addresses, financial and health data are clearly examples of personal data. However, video cameras capture much more. 

What constitutes personal data in video footage?

Video camera operators can deliberately or unwittingly capture personal data and PII, all of which has to redacted (masked) in order to share footage compliantly.

In video footage, PII includes:

  • Faces

  • Tattoos and distinguishing marks

  • Vehicle number plates

  • Signage, words and location indicators

  • Information on computer screens

In order to comply with GDPR, all but the subject(s) of interest must be completely redacted when video footage is made public or shared with third parties.

GDPR articles relevant to CCTV redaction

Here are a select number of GDPR articles that indicate a redaction requirement to maintain compliance:

GDPR Article 9

GDPR’s Article 9 prohibits the processing of personal data without explicit consent of the data subject, unless there are special circumstances. Images of faces are just one of the examples given there.

GDPR Article 15

Data subjects have the right to obtain from your organization (the data controller) the personal data that pertains to them and the related information linked to its use. This may include video footage of the subject or audio recordings.

GDPR Article 17

GDPR Article 17 provides data subjects the “right to erasure” or “right to be forgotten”. Data subjects can request that the data controller erase their personal data. Therefore, you erase or redact subjects from video and audio as soon there is no legal reason to retain them.

What is a DSAR?

By law, people can ask you for a copy of any information that relates to them, as it is deemed to be their personal data, and they have a legal right to see it. If someone asks you for a copy of their personal data, by phone, in person, or in writing, they have made a ‘data subject access request’ (DSAR), and by law, you need to respond. Check out our 10-point fulfilment checklist to help you fulfil a data subject access request.

DSARs: why is CCTV redaction important?

Protecting subject data is a legal requirement. As a data controller, you have a legal responsibility to comply with GDPR when disclosing surveillance footage of individuals.

Compliance with GDPR is particularly important when responding to data subject access requests.

DSARs are a regular occurrence in the working weeks of many companies now. DSARs are on the increase owing to the public’s awareness of privacy rights and the involvement of lawyers.

As a minimum requirement the identities and PII of any all individuals other than the subject shown in the footage must be redacted (masked, blurred, pixelated) in order to release video compliantly.

GDPR privacy breach penalties

Under GDPR, fines of up to £20million or 4% of a company’s turnover can be imposed if a company is found to be in breach of data protection laws.

Even if by accident, a video reveals the identity of someone who is not the subject, the ICO is likely to action on the grounds that someone’s privacy rights have been breached.

Guide on post-Brexit GDPR redaction requirements

The name-change from EU GDPR to UK GDPR in 2020-21 has not changed privacy video redaction requirements.

The core data protection principles, rights and obligations found in the EU GDPR remain in place in UK GDPR.

GDPR: CCTV surveillance and private recordings

Commercial CCTV cameras are strictly governed by privacy laws. However, what about privately recorded videos?

Videos are a popular means of communication. Company meetings are often recorded for knowledge sharing and review purposes.

It is important to note that and video recording can contain sensitive data or PII. When processing and sharing privately recorded video and audio, the consent of data subjects should be obtained as required by Article 9 of GDPR.

Data subjects can request to view video they appear in, which presents a potentially difficult problem as many videos contain more than one data subject.

All other data subjects in any video must be redacted in order to protect their PII.

If a data subject exercises their “right to be forgotten”, you must redact them in the video or erase it completely.

How to take control of CCTV GDPR compliance

The balance between security and CCTV privacy is a delicate one, however there are many actions an organisation can take to establish effective data compliance practices. Policies, processes and digital privacy protection tools enable organisations to be GDPR compliant.

1. Create a compliance framework

A compliance framework provides a structure for addressing compliance regulations that relate to an organisation and its industry sector. A compliance framework also helps to identify data that requires stricter security protocols, such as personal data and other sensitive data.

2. Define policies to determine what data is collected and why

Implementing advanced video data protection measures is essential for protecting sensitive information. There are many reasons to document what data is collected and why. An HR department will collect data to establish an employee’s ‘right to work.’ A marketing department may capture data on website visitors. The sales and finance departments are likely to capture transaction data. Each data type requires its own compliance measures. To satisfy regulators, it is advisable to create clear policies on data collection and use.

3. Create privacy policies

Be clear with your staff, customers or suppliers about what data is collected, what it is used for, how it is stored, and how long it will be kept. Also, specify how they can request access to their personal data or enforce their right to “be forgotten” and have their data removed from your systems.

4. Publish privacy policies

Publish and maintain privacy policies that detail if and how you collect data, and what you do with it.

5. Stay current with compliance regulations

Build privacy practices into IT systems and business practices. Companies that work internationally may have to factor in flexible practices to accommodate regional requirements.

6. Implement data retention and removal measures

Data retention schedules are critical to ensure that data is stored for the mandated amount of time and removed (purged) when its retention period expires. Data retention and purge schedules vary significantly by data type and industry.

7. Anonymise sensitive data

Data should be anonymised to remove personally identifiable information by using a reliable method, especially when sharing information with third parties. It is essential to choose a reliable redaction method to eliminate the risk of human error.

8. Implement digital processes to ensure data compliance

The complexity of data compliance management and attendant issues such as DSARs effectively rule out manual processes. Manually processing DSARs is time-consuming, costly and ultimately very risky. Data privacy breaches result not only in fines, but also in damage to an organisation’s reputation.

Manual CCTV redaction not fit-for-purpose

Facit has seen a significant rise in video data processing in the past year. Customers process and redact 25% more videos year on year.

The increased use of video and, therefore, the increased need for redaction largely accounts for why 27% of companies report that they have had to hire additional staff to cope just with the higher volume of employee DSARs.

The challenge for businesses is how to process vast amounts of video within the ICO 30-day deadline, without ‘busting’ company processing budgets.

Any organisation facing more than the occasional video data request has by now drawn the obvious conclusion that manual video redaction processes are neither cost effective nor reliably compliant.

Outsourcing video redaction has been deemed a ‘non-starter’ owing to high costs and off-site security risks

Take in-house control of CCTV redaction to comply with GDPR

Artificial intelligence redaction is today’s privacy solution and tomorrow’s compliance budget protector

Every indicator suggests that video data requests will continue to rise. As a result, businesses, quite naturally, are looking for reliable, budget-sparing video data privacy solutions.

Facit’s video redaction software, Identity Cloak, incorporates artificial intelligence and automated subject tracking to ensure that it is the fastest and most compliantly reliable redaction solution available.

Identity Cloak’s patent marks it as unique in the video redaction software market. Artificial intelligence, auto-tracking and GPU speeds make it the stand-out video compliance tool.

A range of elements that compromise companies’ best practice video compliance intentions, including:

  • High volume of DSARs

  • Quantity of video footage

  • Lack of dedicated staff

  • Inefficient technology

  • Manual redaction processes

  • Cloud redaction feature loss

Overcome compliance and budget tripwires. Facit’s video redaction solution allows you to redact an unlimited number of video files for a predictable low cost.

Identity Cloak is highly efficient because automation does the heavy process lifting. Your staff just ‘upload and go’; the user interface, the redaction process and the output of compliant video are all simple and fast.

Customers report that compliance workers are happier and more confident using Facit’s in-house automated program. They no longer feel overwhelmed by their workload and are pleased to be released from admin drudgery to work on higher value tasks.

Video redaction: A complete guide

Complete the form to find out more about fast GDPR-compliant CCTV redaction.