A large number of retailers with CCTV systems are still at risk of falling foul of the General Data Protection Regulations (GDPR) which came into force more than two months ago, the Federation of Small Businesses (FSB) has warned.

For some small businesses, “the burden and scale of the reforms have proven too much to handle,” FSB national chairman Mike Cherry told C-Store. “There is now a real need for a more tailored support for SMEs,” he said.

“At its most basic level, most shop owners still won’t have made an asset list, won’t have the appropriate notices and won’t be able to deal with a subject access request,” Simon Bishop, director of GDPR Systems added. “And they almost certainly won’t have a CCTV breach management policy or procedure.”

Last month, a design and build company in Shropshire was fined £2,000 for not having the appropriate signage in place to alert people to its CCTV system. The company had also not registered with the Information Commissioners Office (ICO) despite it being a legal duty to do so.

Earlier this month, the Motor Fuel Group’s (MFG) ESSO store in Wednesbury, West Midlands received its first subject access request since the GDPR was enforced on 25 May.

Fortunately, the company had invested in staff training and a new online tool from GDPR Systems, which enabled staff to respond appropriately.

“We had a customer enter the store needing some CCTV date and time stamped footage as she needed to show where she was on a certain date and time,” contract manager Bobby Kana told C-Store.

“We knew this had GDPR connotations so the system was of great use, we could give the customer our GDPR policies and procedures and handle the whole incident without having any concerns, which we know can lead to big fines,” he added.

The regulations have a number of implications for the way convenience store retailers manage their CCTV systems and data, among other elements.

Camera location and purpose must be scrutinised and documented in more detail than ever before and retailers must provide any individuals whose information is recorded, prompt access to that information, should they request it.

There are also implications for CCTV signage, storage of images and videos, and staff training.

Since the GDPR was enforced the ICO has dealt with 7,285 calls from small businesses needing assistance, it told Convenience Store.

“We recognise that small organisations in the UK are facing challenges as the law changes and we’re here to help,” an ICO spokeswoman added.