Avatar photo


Author Bio ▼

Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
August 14, 2019


Lithium-Ion batteries. A guide to the fire risk that isn’t going away but can be managed

Faded signage, default logins

GDPR breaches rife among CCTV deployments, investigation finds

An alarming number of video surveillance systems could be in breach of GDPR, an investigation has revealed.

More than a year on since the EU data protection regulation came into force, vacant-property security firm Clearway discovered myriad examples of bad practice during investigations of its nationwide client base.

In one instance a court case was dismissed due to lack of evidence after it emerged that two systems on which an intruder was filmed were set to times 17 seconds apart.

“That might sound petty,” said Clearway in its press release, “but the defence barrister asked for all camera footage to be played at the same time. As the intruder was seen on two systems at the same time (due to the timers not being synced) the barrister claimed the evidence was inadmissible […] since how could the intruder be in two places at once?”

At another site, investigators discovered someone leaning over an unmanned reception desk to view the CCTV monitor to see if their taxi had arrived (see picture below).

The picture below shows a (redacted) username and password on a sticker attached to a monitor.

And at another site, the Clearway team found CCTV signage with faded, illegible contact details:

Other problems found at one or more sites included:

  • Failure to fit, or ensure accuracy of, signage
  • Failure to carry out a GDPR risk assessment prior to CCTV deployment
  • Leaving DVRs (digital video recorders) unlocked or unsecured – and thus accessible to unauthorised parties
  • Failure to ensure camera lenses were directed to capture appropriate, relevant footage
  • Sharing images with organisations – like the police, TfL or other security service providers – in ways that didn’t conform to regulations. This often included a failure to ‘mask’ (blur or pixellate) faces of innocent people (software is available to do this)
  • CCTV monitors being visible to the public
  • CCTV images being monitored by staff without sufficient training
  • Failure to change default usernames and passwords or writing them down near to the equipment


Clearway says these problems suggest that many facilities managers, security managers and property owners either haven’t read GDPR regulations, simply don’t understand them, don’t think they apply to CCTV systems or are complacent about the risks.

Divided into tiers, maximum penalties for GDPR non-compliance are either €10m or 2% of annual global turnover; or €20m or 4% of annual global turnover (whichever is greater in each case).

The estimated 4-6 million CCTV cameras in the UK include 750,000 in ‘sensitive’ locations such as schools, hospitals and care homes, and 15,600 on the London Underground network alone. The emergence of AI-driven video analytics and facial recognition software is heightening privacy concerns expressed by civil liberties groups.

“The whole point of CCTV is security, and its deterrent factor in part, as well as recording the criminal activity to assist law enforcement bodies in detecting the perpetrators,” said Clearway’s UK CCTV Manager, Andrew Crowne-Spencer. “Therefore, if trespassers or criminals don’t even realise they’re on camera, as is what we suspect in a lot of cases, what sort of useless deterrent is that?

“And just how good are the images the cameras are supplying? If they’re grainy or blurred due to old or faulty equipment, or not set up correctly, that doesn’t help anyone except the trespassers or criminals.

“Ten years ago it was reported that 95% of murder cases investigated by Scotland Yard used CCTV footage as evidence, yet latest data suggests 80% of footage now available is of such poor quality it’s almost worthless. That apart, don’t these companies or organisations, even public sector ones, realise if they’re not properly complying with the GDPR regulation they can be penalised because of it? Sometimes to the tune of many thousands of pounds?”

Clearway advises: “The message from all this is simple. Check your CCTV systems are doing what they should and you are complying with the Regulations. Because someone, somewhere will be watching what you’re doing sooner or later.”

Free Download: The Video Surveillance Report 2023

Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!

Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.


Related Topics

Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments

[…] Indeed, there is now the issue of facial recognition to think about. More and more vendors are now offering the technology as standard, but there is still much public debate over the usage of facial recognition – particularly in relation to data capture and GDPR. Once a face has been captured and identified as a ‘non-threat’, how long should this image be held for? And whose responsibility is it to delete this from the system? Should this be a built-in solution from manufacturers, or should the operator make the decision? There are numerous cases of GDPR breaches among CCTV… Read more »