How will the GDPR affect physical security systems?

Much has been written about the EU GDPR which was adopted on 27th of April 2016 and becomes enforceable on 25th May 2018.  Yet, given the unique challenges involved, surprisingly little has been devoted to the process of ensuring compliance for the operation of video surveillance, access control and other physical security systems.

Any public or private organisation using CCTV to monitor publicly accessible areas, for example, should be concerned.  Under the terms of the GDPR, monitoring the public on a large scale is by default considered a high-risk activity. Per several market research studies, many organisations have not yet taken the steps of reviewing the new regulation and making the changes required to meet its obligations.  Over the years, we have seen organisations defining corporate standards for their physical security systems based around IT standards and technologies.  These should be in a better state of readiness, as the regulation calls for standardised processes, a common organisational approach and common technology.

However, many legacy or disparate systems are still out there that may have been entirely commissioned and operated by location-specific security teams.  Regardless of where your organisation stands in terms of technology, it is important to participate in the GDPR review with a greater sense of urgency.

The UK’s Surveillance Camera Commissioner, Tony Porter, should be commended in recent months for his vocal efforts to make security system operators aware that their activities will be subject to the GDPR and to signpost them to relevant guidance from the ICO.  For those who don’t wish to be caught out, his organisation’s independent third party certification is a good place to start. However, with a little over six months until the regulation comes into force, it is somewhat unfortunate that his organisation is not yet in a position to confirm this will be sufficient to demonstrate compliance with the EU GDPR.

So, what more can operators do in the interim to ensure they are well prepared?

  1. Get involved and start evaluating your current systems

If you have not been invited into a GDPR discussion, proactively initiate it with your legal team and ask for guidance.  Conduct a gap analysis to identify what works and what might require improvement in accordance with the new regulation. Then engage your consultants, integrators and manufacturers who should be able to advise on appropriate solutions. In the vast majority of cases it should be possible to upgrade the existing system rather than “rip out and replace”.

  2. Adopt Privacy by Design

Under the terms of the EU GDPR, data that is anonymised or pseudonymised is likely to be low-risk. The appropriate use of encryption and automated privacy tools is therefore a logical step. For example, video redaction that blurs out people’s faces unless there is a legitimate reason to reveal their identity can minimise the dangers of having security cameras deployed in public spaces. Seek out certified and sanctioned organisations, such as the European Privacy Seal group ‘EuroPriSe’, a professional organisation whose purpose is to ensure companies meet ‘GDPR-ready’ privacy compliance standards, fostering certified trust and reliability.

  3. Consider cloud-based services as a short cut to compliance

Owners of on-premises video surveillance, access control or ANPR systems are responsible for all aspects of EU GDPR compliance, including securing access to the systems and the servers storing the information. However, by working with an approved cloud provider it is possible to offload some of these responsibilities. For example, we ourselves partner with Microsoft Azure to offer these systems ‘as a service’. This pathway significantly reduces the customer’s scope of activities required to ensure compliance and is highly cost effective. Yet it is important to realise it isn’t a full abdication of responsibility: you remain accountable for ensuring data is classified correctly and you share responsibility for managing users and end-point devices.


By Jean-Philippe Deby, Business Development Director, Europe, Genetec Inc.

