The European Union has spelled out specific requirements and safeguards for handling and protecting personal data. In the General Data Protection Regulation (GDPR), the EU makes clear exactly what is expected of those who control and process data. (The United Kingdom has committed to follow the regulation despite the Brexit vote.) Everyone is facing a deadline on May 25th 2018 to comply with the GDPR. What are the exact implications for the physical security market? What do customers need to do to ensure they are compliant? These are urgent questions, given that the clock is already ticking.

The GDPR’s implications are especially timely considering the physical security industry’s current emphasis on the value and importance of data. The growing value of data was a big topic at the recent IFSEC show in London. The industry is looking for new ways to leverage data for benefits in a company beyond the security department.

New cybersecurity responsibilities

One example is access control data: Who is granted access to which door and, more generally, how do employees move throughout an enterprise? This is information that can be useful to managers, whether to analyse facility usage trends or promote more efficient operations. Access control data is especially valuable when combined with other data in an organisation, such as human resource (HR) and accounting records. It provides more data points that a company can use in overall metrics to guide business operations.

But as the GDPR emphasises, the value of data and the ability to leverage data come with new responsibilities, specifically a need to protect privacy. This includes a need for additional cybersecurity of networked systems, another current “hot topic” in the market and historically a weak, or at least under-addressed, point for the industry.

The GDPR applies to “personal data,” but its detailed definition includes digital information such as IP addresses and a range of personal identifiers. Sensitive personal data, such as biometric data used to uniquely identify an individual, is in a “special category.” Physical security systems collect plenty of personal data, some of it critical and sensitive, including an employee’s PIN code, fingerprints, or even video footage.

GDPR impact on physical security

Other areas that might affect the physical security industry include requirements to provide information about any transfers of data to countries outside the EU, and about the retention period of data and the criteria used to determine that period. There is also a “right to erasure” that gives an individual the right to have personal data erased if it is “no longer necessary in relation to the purpose for which it was originally collected/processed.”


In the accountability section of the regulation, companies are required to implement “appropriate technical and organisational measures” to ensure and demonstrate compliance. In the category of “data protection by design,” there is a general obligation to “implement technical and organisational measures to show that [a company] has considered and integrated data protection into processing activities.” This further reinforces the need for more cybersecurity.

Data protection by design

The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate compliance, including codes created by trade associations or representative bodies. There may be an opportunity for organisations in the physical security market to step in and create such guidelines and to clarify best practices as they relate to our market’s technologies. 

In the category of “data protection by design,” physical security system manufacturers should include data protection and security from the ground floor as they are designing new products.

Based on several recent conversations, I can say with confidence that these concerns are definitely on the minds of many in our industry. But concerns aren’t necessarily answers, and time is short to fully comply with GDPR by the deadline.

And the issue isn’t limited to Europe; multi-national companies that do business in Europe, or even cloud systems that store data there, are also impacted. And even beyond GDPR, data protection is an urgent concern around the world. It’s time to step up.


Author profile

Larry Anderson Editor, SecurityInformed.com & SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SourceSecurity.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SourceSecurity.com's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.
