GDPR & ICO-Compliant CCTV for UK Councils, Police & Transport Authorities

Yes. VMukti supports a UK-resident deployment topology: AWS London (eu-west-2) or Azure UK South / UK West as the primary control-plane and archive regions, with no cross-border replication enabled by default. The deployment runbook records the data-flow map UK GDPR Article 30 expects, and the DPIA template ships with the UK-only flow pre-populated. Multi-region failover, if requested, stays inside UK borders; any EU/EEA replication is opt-in with a written instruction from the controller.

Yes. VMukti runs on-device or edge-side privacy masking (face, licence plate, body, and configurable polygonal zones) before frames leave the camera or recorder, so the cloud VMS never stores raw PII unless an authorised investigator unmasks under a logged break-glass workflow. The masking model is non-biometric by default — it detects regions to obscure rather than identifying individuals — which is the posture an ICO DPIA usually expects for general-purpose council, transport, and retail CCTV under UK GDPR.

Yes. The VMukti SAR workflow tracks every request against a one-month statutory timer (with the extension trigger flagged when justified under UK GDPR Article 12(3)). Operators can scope a SAR by date range, camera, and PII attributes; the system exports masked footage of third parties, an audit log of every operator action on the request, and a signed disclosure pack. SAR handling is templated to align with the ICO's right-of-access guidance and integrates with most council case-management systems via webhook.

The default VMukti deployment is configured as a non-biometric, non-real-time identification system: object detection, ANPR, crowd-density estimation, intrusion zones, and forensic search. Under the EU AI Act this places it outside the prohibited "real-time remote biometric identification in public spaces" category and outside the "high-risk biometric categorisation / emotion recognition" buckets. Biometric features (face recognition, watchlists) are opt-in, gated on a separate DPIA, and shipped with the EU AI Act Article 26 deployer obligations checklist.

Yes — and we won't enable it without one. Under UK GDPR Article 35 a DPIA is mandatory for systematic monitoring of a publicly accessible area on a large scale, and the ICO has been explicit that live facial recognition (LFR) is high-risk. VMukti ships a pre-populated DPIA template for LFR covering necessity, proportionality, retention, watchlist governance, false-match rate, and human review. The platform refuses to activate facial recognition on a tenant until the customer uploads the signed DPIA and names a Data Protection Officer of record.

The 12 guiding principles of the Surveillance Camera Code of Practice (operated under the Protection of Freedoms Act 2012) map cleanly to VMukti's defaults: a defined purpose for every camera, transparency signage, restricted access by role, defined retention, security of stored images, regular review, and an audit trail. The compliance pack ships with the SCC self-assessment template pre-populated for the most common UK deployment patterns (councils, transport authorities, stadiums, retail) so operators can publish a Code-aligned policy on day one rather than retrofitting after deployment.