How secure redact ensures true GDPR-compliant video handling
GDPR compliance in video handling is not a single checkbox. It's a layered set of obligations that touch how data is collected, stored, processed, accessed, shared, and deleted - and video footage, particularly CCTV, body-worn camera, and dashcam recordings, implicates most of them simultaneously.
Organisations that have invested in camera infrastructure frequently discover that their compliance posture on the video side of their data estate is weaker than on the document or database side - partly because video is harder to control, partly because the tooling has lagged behind, and partly because the volume of footage makes manual compliance approaches impractical at scale.
Understanding how a purpose-built platform addresses each layer of GDPR obligation for video data is more useful than a generic "we're GDPR compliant" claim.
The core legal basis question
GDPR requires that every processing activity has a defined legal basis. For video surveillance, the most commonly used bases are legitimate interests (public safety, security, fraud prevention) and legal obligation (compliance with specific regulatory requirements in particular sectors).
What's sometimes overlooked is that when video footage is shared, disclosed, or used for a purpose different from its original capture purpose, the legal basis question must be re-examined. CCTV footage captured for security purposes that is then shared with a subject in response to a DSAR requires careful handling - the legitimate interests basis for capture may not straightforwardly extend to disclosure without appropriate privacy protection.
Redaction before disclosure is not just good practice; it's often what makes the disclosure lawful in the first place, by protecting the third parties who appear in footage alongside the requester. Failing to redact before DSAR disclosure isn't just sloppy - it's likely a GDPR violation in respect of those third parties.
Secure Redact is designed specifically for this use case, enabling organisations to fulfil their obligation to the DSAR subject while simultaneously protecting the privacy rights of bystanders and third parties in the same footage.
Data minimisation: the structural requirement
GDPR's data minimisation principle requires that personal data processed is adequate, relevant, and limited to what is necessary for the purpose. For video footage, this creates a structural challenge: cameras capture everything in their field of view, which is almost always more identifiable data than any specific processing purpose requires.
Data minimisation compliance in video has several dimensions:
Limiting capture - ensuring cameras are positioned and configured to capture no more than necessary for the stated purpose
Limiting retention - footage should be kept only as long as necessary; most routine footage has a retention window measured in days or weeks
Limiting access - ensuring that only authorised personnel with a specific need can access original footage
Limiting disclosure - when footage is shared, it should be shared in a form that contains no more personal data than the disclosure requires
Redaction is the mechanism that enables the fourth dimension. It's how an organisation shares footage that serves the disclosure purpose without sharing the personal data of everyone else who happened to be in the frame.
Data processing geography: where video is processed matters
GDPR's data transfer restrictions apply to video data the same as any other personal data. Footage processed or stored on infrastructure in third countries outside the UK or EU must be covered by appropriate transfer mechanisms - adequacy decisions, standard contractual clauses, or binding corporate rules.
For organisations subject to UK GDPR, this means understanding where their redaction platform processes and stores data, not just where it is headquartered.
Secure Redact offers dedicated data processing regions for UK/EU and US deployments, allowing organisations to select the jurisdiction appropriate for their regulatory context. UK public sector bodies and organisations handling particularly sensitive data can ensure that footage is processed and stored on UK infrastructure without being routed through US data centres.
SOC 2 Type 2 and security standards
GDPR Article 32 requires organisations to implement appropriate technical and organisational measures to ensure security appropriate to the risk of the processing. For video footage containing sensitive personal data, this means meaningful security rather than just a privacy policy.
Secure Redact has completed SOC 2 Type 2 certification - an independent audit of security controls covering availability, security, processing integrity, confidentiality, and privacy. This includes assessment of how personal health information (PHI) is handled, which is directly relevant for healthcare sector deployments where HIPAA compliance is also in scope.
Additionally, Secure Redact holds Cyber Essentials Plus certification - the UK government's baseline standard for organisational cybersecurity - and undergoes regular penetration testing via a grey-box approach with a specialist security partner.
These aren't self-assessments; they're independently verified standards that can be pointed to in a Data Protection Impact Assessment or in response to a regulatory inquiry about security measures.
Subject access requests: the operational compliance challenge
DSARs represent the most common point where video GDPR compliance moves from theoretical to operational. A subject who requests footage in which they appear is exercising a right that the organisation must fulfil within one month. The footage must be provided in a form that protects the privacy of third parties.
Without automated redaction, this process is manual, time-consuming, inconsistent and, at practical volume, effectively impossible to scale. Organisations with significant CCTV infrastructure quickly discover that a DSAR involving multiple cameras across multiple days of footage represents days of manual editing work per request - work that scales with every additional request received.
The time and cost reality of manual DSAR handling is what typically drives adoption of automated redaction. Elizabeth College, with 150 cameras across its school grounds, described having a backlog of DSARs they couldn't fulfil before implementing Secure Redact - with footage containing over 100 faces in a single clip making manual handling impractical. After implementation, tasks that had previously represented a full day's work were completed in ten minutes.
Retention, deletion, and the right to erasure
GDPR creates obligations not just around disclosure but around the lifecycle of personal data, including its deletion at the end of the retention period. For video infrastructure, this means systematic deletion of footage past its retention window - something that automated systems handle more reliably than manual processes dependent on individual administrators remembering to purge old recordings.
Secure Redact's chain of custody and audit logging capabilities support this by maintaining records of what footage has been processed, accessed, and when - giving organisations the documentation basis for demonstrating compliance with retention obligations as well as disclosure ones.
FAQs
Redaction before DSAR disclosure is typically required to protect the privacy rights of third parties who appear in the footage. Disclosing footage containing other identifiable individuals without their consent is likely to breach GDPR in respect of those individuals, even while fulfilling the DSAR in respect of the requester.
Secure Redact offers separate processing infrastructure for UK and EU deployments, allowing UK-based organisations to ensure footage is processed under UK GDPR on UK infrastructure. The platform's compliance posture covers both frameworks, and the appropriate configuration can be selected based on the organisation's regulatory context.
A DPIA is a formal assessment required under GDPR when processing is likely to result in high risk to individuals - which video surveillance typically meets. Secure Redact's security certifications (SOC 2 Type 2, Cyber Essentials Plus), documented processing controls, and data processing agreements provide the technical evidence an organisation needs to complete the security and processing sections of a DPIA.
GDPR doesn't specify redaction tools. It requires organisations to be able to fulfil DSARs within one month, to protect third-party privacy in disclosures, and to implement appropriate security measures. At meaningful footage volume, manual redaction makes these requirements practically impossible to meet consistently. Automated redaction is the approach that makes compliance scalable.
Yes. Secure Redact's SOC 2 Type 2 certification includes assessment of PHI handling, making it appropriate for healthcare deployments where HIPAA compliance is relevant alongside GDPR. Healthcare organisations should review the platform's data processing terms for their specific context.
