What is the impact of privacy concerns on physical security?

Every time a cyber-attack or data breach is announced, people lose a little more faith in the IT industry’s ability to protect their privacy and assets. With constant ransomware attacks in the news, it’s no longer ‘if’, but ‘when’ the next attack will occur. For the professional security market, this is a key topic between vendors and corporate customers who cannot risk damage to their brand. In an IoT, IP-based world, every single device that is put on the network must be properly protected. Customers have become increasingly cyber-aware and they want assurances regarding a product’s cyber worthiness. Features like auto-masking to protect privacy are increasingly requested. The most successful security solutions are those designed with privacy in mind. Enterprises need to wisely choose solution providers who design with a ‘security first’ mindset and properly address privacy rights.

Personal data, no matter its form, has historically played a part in privacy concerns. But in the past three years, since the inception of the GDPR legislation, organisations have changed, enduring in their efforts to protect sensitive data as privacy concerns have become more prevalent than ever. With that, organisational policies have changed. Data handlers now realise that confidential personal and commercial information presents a huge risk to organisations – whether in cyber or physical form. Shredding devices have become the first line of defence for physical data forms. For one, sensitive data is instantly recognisable on paper. It is also portable, easy to copy or scan and therefore just as dangerous as electronic data in the wrong hands. And now, with hybrid working scenarios in the mix, we may see an accelerated impact on the physical security market – with home offices providing further risks to the security of physical data.

There are measures in place to protect the privacy of individuals, such as GDPR, but the problem we face is that criminals and hostile actors can and do act anonymously or dishonestly online, to connect with people who have access to sensitive data. Often the human factor is the weak link in security, if we fail to prepare the whole team for potential dangers of attackers looking to win their confidence. There is a significant need to create awareness across personnel in our businesses, and in the general public, to be more careful and circumspect, when we are approached seemingly innocently via social media and the like. Physical security systems are well placed to protect people’s privacy, the encryption used to secure credentials equally protects personal information. However, these solutions are only as secure as the weakest link in the chain, human beings that are also custodians of this information.

Privacy has always been a primary concern for our industry, especially as the deployment of video security technologies has increased at pace over recent decades. Privacy is a critical element in gaining the trust of people and for broader acceptance of CCTV systems across society as a force for good, rather than the negative perception of ‘Big Brother’ that can sometimes prevail. Video storage has often been the area of most concern, in terms of privacy. In this regard, video security technologies and procedures must provide clear standards for storage retention and access, as well as the conditions under which video footage can be retrieved and used. The importance of this has been further highlighted with the introduction of GDPR. Above all else, transparency is the key.

As privacy concerns remain present in organisation's minds, the demand for physical security systems, such as access control, is only increasing. However, it is vital that organisations understand the rules and data surrounding these systems, before implementing them to keep their infrastructure and employees safe. One of the biggest security concerns for access control systems is network breaches by unauthorised users. When a company chooses a physical security system to protect its infrastructure, personal data such as name, age, and sometimes, even biometrics are collected and analysed by the system. Because of the amount of information that is collected, physical security manufacturers must create products that make it easy to adhere to the proper rules and regulations set in place (such as GDPR) and offer extensive training to their end-user customers, in order to foster a successful usage of their security solution.

Security dealers and end user customers are reaching out to us, to address the needs of security, while not infringing on privacy. Today, security is needed everywhere. However, facial recognition pushback and highly publicised invasion of privacy events have renewed the concerns over the use of cameras, video and audio recordings. Our shift to sensor technology as an add-on to camera and VMS solutions provides data-driven event-based alerting that maintains privacy, while keeping people safe. This security strategy is becoming widely accepted for use in bathrooms, locker rooms, patient rooms, residential complexes, classrooms, private offices, etc. and quickly addresses those original customer privacy concerns. 

Privacy protection regulations are becoming more effective on a global scale. Various regions have adopted different methods, but the common denominator is the protection of individual privacy. This requires a lot of guidelines on how security and safety systems are handling privacy and personal data. These rules seek to regulate what data can be processed by security systems, and how that data is handled, stored and maintain. The way that systems handle personal data is becoming a higher criterion for operations in the security industry. Most major vendors are adapting the methodology for handing personal data to comply with major laws such as GDPR, although privacy law differs from country to country and even city to city. This seems to indicate that the long-term impacts from privacy regulations have yet to be realised, particularly in the areas of video surveillance and analytics technologies such as facial recognition.

Privacy is becoming a catalyst for innovation across all sectors of the physical industry because it is a fundamental human need. At Genetec, we believe that organisations should never have to choose between protecting the privacy of individuals and their physical security. Privacy should always be the default option, rather than the other way round. Responsible vendors should provide the necessary tools for security professionals to gather and manage data responsibly, particularly video, while supporting compliance with privacy laws around the world. To that effect, forward-thinking and ethical developers are embracing Privacy by Design methodologies. This involves proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices from the first line of code to the third-party vendors selected for partnership and integration. 

Since GDPR has been implemented in the European Union, U.S.-based companies are learning a lot from the regulations being enforced in the realm of data privacy. Additionally, it is critically important for U.S. companies to be able to adhere to the rules guiding how data is collected and shared about EU citizens. When a company implements a physical security system, such as access control, a lot of personal information is collected and analysed for various purposes. While the majority of the data being shared is controlled by the company using the system, there are some elements that can come back to the integrator or even the manufacturer, like in the case of the organisation implementing a managed cloud-based solution. Therefore, manufacturers need to be mindful of their product's capabilities and make it easy and streamlined for end-user companies to adhere to the data sharing and privacy regulations in place.

Cyber security and privacy go hand-in-hand. When hackers are successful, often it is private data that is exploited and sold. And while Europe made significant strides with GDPR, other countries, such as the United States, still have more to do in implementing regulations that adequately protect the privacy rights of individuals. It is imperative that product development address privacy concerns from the outset in any video security design and implementation. Beyond masking areas that should not be seen, best practices should include an audit trail detailing of what operators have been viewing. Everyone must be accountable for their actions, when using these powerful tools. Privacy rights and cyber security are increasingly driving decision-making for security customers, as the big tech companies continually grapple with the topic in the headlines. There should be no reason for a customer to compromise privacy for security.