1 Nov 2022

GDPR, the General Data Protection Regulation, came into effect on 25th May 2018. It helps to ensure that the personal data of individuals in the EU is handled safely and securely by organisations and businesses. GDPR affects every part of an organisation that handles or processes personal data, and that includes security systems.

If an organisation currently uses CCTV, access control systems, or other security measures, it is certainly worth evaluating how those systems collect, store, and process data and whether or not that meets the GDPR standards.

Personal data businesses

This article is by no means legal advice, rather an opportunity to highlight how GDPR relates to security. GDPR applies to any sort of ‘data’ that can be used, directly or indirectly, to identify an individual.


This includes details such as names, email addresses and other common pieces of personal data businesses usually store, but also areas of the business that might be forgotten about, such as key fob records, CCTV footage, and access control logs.

If a key fob record can identify an individual (and it usually can, because the fob is issued to a named person), a business needs to appreciate that how it handles and manages that data matters and can’t be ignored. If not, the business may not be complying with GDPR. It doesn’t matter whether it is a small family business or a large multinational corporation: any security systems used need to meet these standards.

Processing personal data

Businesses with dated IT systems, CCTV, and other older technology in particular may find that those systems lack the functionality to meet the standards, for example the ability to delete footage on a schedule or restrict who can view it. This is why it is important to evaluate and understand how every part of the business is handling data and whether it needs changing. According to several sources, a business that uses CCTV needs to register with the ICO and pay the data protection fee, because recording identifiable individuals is processing personal data.

This guide from the ICO offers some advice on things to consider and is worth printing off and having as a reference point. Unfortunately, there is no definitive checklist for GDPR. Many of the recommendations need context within the business concerned and are therefore somewhat open to interpretation.

Unnecessary personal data

Nevertheless, there are some initial steps you can take to get started, such as:

Data Protection Impact Assessment – The ICO recommends carrying out a Data Protection Impact Assessment (DPIA, previously known as a Privacy Impact Assessment), and GDPR makes one mandatory for high-risk processing such as systematic monitoring of a publicly accessible area on a large scale. A DPIA helps ensure that any personal data being collected is, firstly, within reason and fit for purpose and, secondly, being stored and processed securely. The assessment should uncover any areas of the organisation that need addressing.

Data Processing and Storage – It is recommended that data is removed after an appropriate length of time and not stored unless necessary; GDPR calls these the data minimisation and storage limitation principles. This prevents businesses collecting unnecessary personal data and storing it for a long time, and stops organisations keeping high volumes of personal data when they don’t need to. The more data is held, the more severe any breach becomes, as more data is involved. So, think carefully about how long you really need to keep customer information and CCTV footage, and set retention periods that the systems actually enforce.

Top priority for businesses


Encryption – ‘Privacy by Design’ is a phrase commonly used in association with GDPR. Simply put, it refers to having systems and processes that have privacy fundamentally built into them. Encrypted and anonymised data is much safer to store, and GDPR names encryption and pseudonymisation explicitly as appropriate security measures. For CCTV footage in particular, thinking about how it is stored, whether at rest on a recorder, in transit to a viewing station, or exported to removable media, should become a top priority for businesses.

Transparency – A key element of GDPR that will impact surveillance and security is transparency and lawful intent. Businesses can’t simply invade people’s privacy and say it’s done for security reasons. Instead, it must be very clear how and why the business is processing data, for example through signage telling people that CCTV is in operation and who operates it. A business can monitor and track employees via CCTV and other security systems, but there must be a lawful basis for doing so and it must be communicated clearly to all employees beforehand.

Access CCTV footage

New Technology – As new technology such as the Internet of Things and Big Data promises to change the way we live, it is important for businesses to walk before they can run.

Organisations should focus on privacy by design first and ensure they can create processes and systems that are GDPR compliant before thinking about how they can leverage new technology that requires even more security measures. If not, businesses could find themselves in uncharted waters by trying to do too much, too quickly.


Access and Accountability – Understanding who has access to what is an important part of GDPR. If unauthorised people can access CCTV footage, that could become a huge data breach. Access to footage and access control logs should be limited to the named roles that need it, and viewing and exporting should themselves be logged so the business can show who saw what and when.

Reassess GDPR compliance

Consent – In many cases, it is important to get explicit consent from an individual before collecting and processing their data. This applies to employees, customers, and the general public. It must be clear from the start what data is being collected and whether the individual consents to this. Consent is only one of the lawful bases under GDPR, though, and it must be freely given and can be withdrawn at any time, which is why the ICO generally advises against relying on it for CCTV or for monitoring employees, where a legitimate interest is usually the more appropriate basis.

Frequent Evaluation – GDPR isn’t supposed to be a manic period where people discuss privacy and then everything goes quiet until the next law change. Instead, businesses should allocate time regularly throughout the year to reassess their GDPR compliance and ensure any new business operations, processes, or security systems don’t create vulnerabilities in how they handle data.