News of cyberattacks seems constant these days. Recently, Equifax, a US-based consumer credit reporting agency, announced that a private customer data breach impacted 143 million people. Earlier this year, 1.5 million connected cameras around the world were hijacked in an unprecedented DDoS attack.

As cyber-attacks become more rampant, it’s hardly surprising that governments are stepping in to hold organisations more accountable. One of the most recent examples of this is the European Union’s General Data Protection Regulation (GDPR) which is set to come into effect on May 25, 2018.

New GDPR legislation mandates

Essentially, the GDPR mandates that businesses adhere to specific governance and accountability standards in the processing and protection of data. A big focus of this new legislation is that individuals have greater control over their personal data. Contrary to legislations in the United States, the personal data captured by organisations will remain the property of each EU citizen, entitling them to access their own data and have greater decision power over how it is used or distributed.

Should a breach occur, companies are mandated to report it to the supervisory authority within 72 hours. Failure to comply with these new regulations could result in up to $20 million euros in penalties, or 4% of the company’s global annual turnover.

Territorial scope of GDPR

So why should North American companies and security directors be concerned? The territorial scope of the GDPR is global. Any business that is collecting or storing personally identifiable information (PII) of EU citizens will be held accountable, regardless of where the organisation is based or operating from. This includes any business collecting information from EU residents, or organisations with offices, stores, warehouses or employees in the EU.

With the deadline nearing, these North American organisations are seeking strategies that will keep them compliant across all their data collection processes. With a focus on physical security sensors and solutions, below are five steps that North American companies can start taking to become GDPR-compliant.

Step 1: Conduct a data risk assessment

To better understand the implications of the GDPR, an organisation must fully assess the level of risk that its data processing operations pose to the rights of EU citizens. A business should map out how data is collected, where it is stored, how long it is kept, and who has access to it. Identifying and categorising the various types of data is also critical to this evaluation. That’s because according to the GDPR, there is a clear distinction between the high, medium and low-risk data.

Companies should add varied lines of defence such as encryption, multi-layer authentication and authorisation
Through authorisation, organisations can define how specific users or groups can use the security system

For instance, data derived from a video surveillance system that shows who a person is and where they are is considered high-risk. This could be a retailer that is monitoring video of people coming into its stores or an EU subsidiary office that is recording publicly-facing video footage.

Step 2: Hire a Data Protection Officer

In cases of high-risk data processing, organisations may need to appoint a data protection officer (DPO). This person must be independent of any IT, risk or VP-level functions and will be responsible for monitoring the organisation’s compliance with respect to their GDPR obligations. The DPO will act as the main point of contact for all communications with the GDPR supervisory body. This means that at any point in time, the DPO should also be able to show the steps taken by the organisation to protect any collected information.

Step 3: Implement privacy by design

The GDPR mandates that businesses with ‘high-risk data operations’ implement systems that protect privacy and secure data by default. It is therefore critical for these organisations to start talking to system integrators and suppliers about what they can do to harden their systems. After all, cyber security should be a shared responsibility. Organisations should work with partners and vendors to better understand cyber security risks and streamline internal processes such as outlining who has access to the data and identifying why and how long it should be kept.

With this understanding, companies can justify adding varied lines of defence such as encryption, multi-layer authentication and authorisation. For instance, through authentication, organisations can determine if an entity—user, server, or client app—is who it claims to be, and then verify if and how that entity is allowed to access a system. Through authorisation, organisations can define how specific users or groups can use the security system.

Finally, encryption protects an organisation’s information and data by using an algorithm to make text indecipherable. From device to client application, these security measures help organisations safeguard against cyber threats and unauthorised access.

Step 4: Address data transparency

At any point in time, an EU citizen has the right to request a copy of information pertaining to them from an organisation. Upon receiving this request, the company would be required to securely and remotely share video and data files with the individual. A problem could surface if other individuals are visible in this footage. Security solutions that not only facilitate information sharing but also protect privacy can help companies quickly adapt to these new laws.

Video redaction capabilities can blur out people's faces in video
Blurring out faces transfers high-risk data to the low-risk category, allowing organisations to monitor or share video while still protecting privacy

One example is having video redaction capabilities to blur out people’s faces in video. This feature transfers high-risk data to the low-risk category, allowing organisations to monitor or share video while still protecting privacy. Companies will also need to provide greater transparency by making points of contact accessible and clearly outlining data management policies.

Step 5: Engage data processors

According to the GDPR, any company that collects and controls private information is a Data Controller. To properly manage the collected data, companies may choose to outsource some of the responsibility to service providers, known as Data Processors.

For instance, a retailer could decide to implement a Video-Surveillance-as-a-Service (VSaaS) solution. Some advanced VSaaS providers offer numerous logs and, more importantly, strong reporting platforms that can help Data Controllers and DPOs monitor the state of their video surveillance systems. In some capacity, Data Processors are equally responsible for adhering to laws.

Considering the failure to report a breach in 72 hours could result in massive penalties, implementing a VSaaS is a great way to stay on top of potential breaches and decrease compliance upgrade costs. However, it is not a full transfer of risk. The retailer would still be responsible for issuing and managing system access privileges, ensuring password choices are robust, and essentially, limiting data to those who can view or extract it.

Counteracting emerging threats through GDPR compliance

With heavy fines looming, it is imperative that North American businesses collecting or processing any EU citizen data begin working on GDPR compliance immediately. Those filming in high-trafficked public spaces are at an even greater risk of penalty if compliance has been ignored.

Starting with a comprehensive risk assessment, hiring a qualified DPO, upgrading technology with built-in privacy and security mechanisms, and in some cases, working with data processors can help North American businesses get on track to full GDPR compliance. Regardless of these new laws, these practices will ultimately benefit the organisation as a whole, as new threats emerge globally.

Download PDF version

Author profile

In case you missed it

Questioning the wisdom of the U.S. ban on Hikvision & Dahua
Questioning the wisdom of the U.S. ban on Hikvision & Dahua

I have been thinking a lot about the U.S. government’s ban on video surveillance technologies by Hikvision and Dahua. In general, I question the wisdom and logic of the ban and am frankly puzzled as to how it came to be. Allow me to elaborate. Chinese camera manufacturers Reality check: the government ban is based on concerns about the potential misuse of cameras, not actual misuse. Before the government ban, you occasionally heard about some government entities deciding not to use cameras manufactured by Chinese companies, although the reasons were mostly “in an abundance of caution.”  Even so, I find the targeting of two Chinese companies – three if you count Hytera Communications, a mobile radio manufacturer – in a huge government military spending bill to be a little puzzling. I can’t quite picture how these specific companies got on Congress’s radar. The government ban is based on concerns about the potential misuse of cameras, not actual misuse What level of lobbying or backroom dealing was involved in getting the ban introduced (by a Missouri congresswoman) into the House version of the bill? And after the ban was left out of the Senate version, was there a new wave of discussions to ensure it was included in the joint House-Senate version (with some minor changes, and who negotiated those?). It all seems a little random. Concerns for the U.S. Furthermore, the U.S. ban solves neither of the two main concerns that are generally used as its justification: Concern: Cybersecurity. The U.S. ban “solves” the issue of cybersecurity only if both of the following statements are true. No security system that uses a Hikvision or Dahua camera or other component is cybersecure. Any system that does not use a Hikvision or Dahua camera or other component is cybersecure. What level of lobbying or backroom dealing was involved in getting the ban introduced into the House version of the bill? The ban ignores the breadth and complexity of cybersecurity and instead offers up two companies as scapegoats. Our industry has sought to address cybersecurity, and the one principle that has guided that effort is that cybersecurity is an issue that must be addressed by manufacturers, consultants, integrators and end users – in effect, everyone in the industry. Cybersecurity does not begin and end with the manufacturer and banning any manufacturers from the market does not ensure better cybersecurity.  Concern: “Untrustworthy” Chinese companies. Hikvision and Dahua are only two Chinese companies. Any response to concerns about whether Chinese companies are trustworthy would need to cover many more companies that manufacture their products in China. Australian TV recently claimed that “all Chinese companies pose a risk. Because of Chinese laws, there is a requirement for companies to be engaged in espionage on behalf of the state.” Even if one embraces that extreme view, the logic fails when only two companies are targeted. One source told me that 60 to 65 percent of the global supply of commercial video cameras are manufactured in China, so it’s a much bigger issue than two companies.The Chinese government has much more effective ways of conducting espionage than exploiting security cameras And is U.S. security at risk unless or until it is cut off from more than half of the world’s supply of video cameras? Even Western camera companies manufacture some of their cameras and/or components in China. Why name only two (or three) companies, only one of which has ties to the Chinese government? If the goal of the U.S. ban was to address the possibility of cybersecurity and/or espionage by the Chinese government, shouldn’t there be other companies and product categories included? Clearly, video surveillance is not the only category that has the potential for abuse. The Chinese government has much more effective ways of conducting espionage than exploiting security cameras. Global response to U.S. ban And now that the U.S. ban has been passed, how is the ban being misused to justify a new level of alarm about Chinese companies? Australian television effortlessly made the leap from “software backdoors” to a concerted and organised effort by the Chinese government to use cameras to be the “number one country for espionage.” And it’s not just about government facilities: “Even on the street, [cameras] have the potential to inadvertently contribute toward Chinese espionage activity by providing real-time information about the situation on the ground,” says the Australian TV report. If all Chinese companies pose a risk, why is the U.S. government targeting specific companies rather than all Chinese companies? If all Chinese companies pose a risk, why is the U.S. government targeting specific companies rather than all Chinese companies, or at least those with electronics or computer products that could be used for espionage? What about the espionage potential of the 70% of mobile phones that are made in China? What about other consumer electronics such as PCs or smart TVs? How many government facilities that are eliminating Dahua and Hikvision cameras have employees who use iPhones or use other electronic equipment from China? Artificial intelligence & IP-over-coax Also, consider the impact of the ban on business. Hikvision and Dahua have had many successes in the video surveillance market, including in the U.S. market. They have added value to many integrators and end user customers. They have been on the forefront of important trends such as artificial intelligence and IP-over-coax. And, yes, they have made technologies available at lower prices.Cybersecurity issues have plagued several companies in the industry, not just Hikvision and Dahua Cybersecurity issues have plagued several companies in the industry, not just these two, and both Hikvision and Dahua have worked to fix past problems, and to raise awareness of cybersecurity concerns in general. Is a U.S. ban on two companies an appropriate response to a series of geo-political concerns that are much bigger than those two companies (and bigger than our entire market)? Should two companies take the brunt of the anti-Chinese backlash? Video surveillance cameras Is the video surveillance market as a whole better or worse for the presence of Hikvision and Dahua? Is it up to the U.S. government to make that call? In some ways, thoughts of Chinese espionage are a sign of these uncertain political times. Fear of video surveillance is perfectly congruent with long-standing anxieties about “Big Brother;” suspicion about China taking over our video cameras just rings true at a time when Russia is (supposedly) controlling our elections. But should two companies be targeted while broader concerns are shrugged off?

8 tips for visiting a large security trade show
8 tips for visiting a large security trade show

Security trade fairs can be daunting for attendees. At big shows like IFSEC International and Security Essen, there can be hundreds of physical security manufacturers and dealers vying for your attention. Stands are sometimes spread out across multiple halls, often accompanied by a baffling floor plan. As the scope of physical security expands from video surveillance and access control to include smart building integrations, cyber security and the Internet of Things (IoT), there is an increasing amount of information to take in from education sessions and panels. Here, SourceSecurity.com presents eight hints and tips for visitors to make the most out of trade shows: 1. Outline your objectives. As the famous saying goes, “Failing to plan is planning to fail!” Before you plan anything else, ensure you know what you need to achieve at the show. By clearly noting your objectives, you will be able to divide your time at the show appropriately, and carefully choose who you speak to. If there is a particular project your organisation is working on, search out the products and solutions that address your security challenges. If you are a security professional aiming to keep up with the latest trends and technologies, then networking sessions and seminars may be more appropriate. 2. Bring a standard list of questions Prepare a list of specific questions that will tell you if a product, solution or potential partner will help you meet your objectives. By asking the same questions to each exhibitor you speak to, you will be able to take notes and compare their offerings side by side at the end of the day. This also means you won’t get bogged down in details that are irrelevant to your goals. Most trade fair websites provide the option to filter exhibitors by their product category  3. Do your homework Once you know your objectives, you can start to research who is exhibiting and decide who you want to talk to. Lists of exhibitors can be daunting, and don’t always show you which manufacturers meet your needs. Luckily, most trade fair websites provide the option to filter exhibitors by their product category. Many exhibitions also offer a downloadable floor plan, grouping exhibitors by product category or by relevant vertical market.  It may be easier to download the floor plan to your phone/tablet or even print it out, if you don’t want to carry around a weighty map or show-guide. 4. Make a schedule Once you have shortlisted the companies you need to see, you can make a schedule that reflects your priorities. Even if you are not booking fixed meetings, a schedule will allow you to effectively manage your time, ensuring you make time for the exhibitors you can’t afford to miss. If the trade show spans several days, aim to have your most important conversations early on day one. By the time the last afternoon of the show comes around, many companies are already packing up their stand and preparing to head home. When scheduling fixed meetings, keep the floor plan at hand to avoid booking consecutive meetings at opposite ends of the venue. This will ensure you can walk calmly between stands and don’t arrive at an important meeting feeling flustered! Look for panels and seminars which address the specific needs of your project, or which will contribute to your professional growth 5. Make time for learning If you’re on a mission to expand your knowledge in a given area, check the event guide beforehand to note any education sessions you may want to attend. Look for panels and seminars which address the specific needs of your project, or which will contribute to your professional growth. This is one of the best opportunities you will have to learn from industry leaders in the field. Be sure to plan your attendance in advance so you can schedule the rest of your day accordingly. 6. Keep a record Armed with your objectives and list of questions, you will want to make a note of exhibitors’ responses to help you come to an informed decision. If you’re relying on an electronic device such as a smartphone or tablet to take notes, you may like to consider bringing a back-up notepad and pen, so you can continue to take notes if your battery fails. Your record does not have to be confined to written bullet points. Photos and videos are great tools remind you what you saw at the show, and they may pick up details that you weren’t able to describe in your notes. Most mobile devices can take photos – and images don’t need to be high quality if they’re just to refresh your memory. 7. Network – but don’t let small talk rule the day It may be tempting to take advantage of this time away from the office to talk about anything but business! While small talk can be helpful for building strong professional relationships, remember to keep your list of questions at hand so you can always bring conversations back to your key objectives. Keeping these goals in mind will also help you avoid being swayed by any unhelpful marketing-speak. It may seem obvious, but don’t forget to exchange business cards with everyone you speak to, or even take the opportunity to connect via LinkedIn. Even if something doesn’t seem relevant now, these contacts may be useful in future. Have a dedicated section in your bag or briefcase for business cards to avoid rummaging around. With your most important conversations planned carefully, there should be time left to explore the show more freely 8. Schedule time for wandering With your most important conversations planned carefully, there should be time left to explore the show more freely. Allowing dedicated time to wander will give you a welcome break from more pressing conversations, and may throw up a welcome surprise in the form of a smaller company or new technology you weren’t aware of.  Security trade fair checklist: Photo identification: As well as your event pass, some events require photo identification for entry. Notebook and pen: By writing as you go, you will be able to compare notes at the end of the day. Mobile device: Photos and videos are great tools to remind you what you saw at the show, and may pick up details you missed in your notes. Paper schedule & floor plan: In case batteries or network service fail. Business cards: Have a dedicated pouch or pocket for these to avoid rummaging at the bottom of a bag. Comfortable shoes: If you’re spending a whole day at an event, and plan on visiting multiple booths, comfortable shoes are a must!

How artificial intelligence (AI) is changing video surveillance today
How artificial intelligence (AI) is changing video surveillance today

There’s a lot of excitement around artificial intelligence (AI) today – and rightly so. AI is shifting the modern landscape of security and surveillance and dramatically changing the way users interact with their security systems. But with all the talk of AI’s potential, you might be wondering: what problems does AI help solve today? The need for AI The fact is, today there are too many cameras and too much recorded video for security operators to keep pace with. On top of that, people have short attention spans. AI is a technology that doesn’t get bored and can analyse more video data than humans ever possibly could.AI is a technology that doesn’t get bored and can analyse more video data than humans ever possibly could It is designed to bring the most important events and insight to users’ attention, freeing them to do what they do best: make critical decisions. There are two areas where AI can have a significant impact on video surveillance today: search and focus of attention. Faster search Imagine using the internet today without a search engine. You would have to search through one webpage at a time, combing through all its contents, line-by-line, to hopefully find what you’re looking for. That is what most video surveillance search is like today: security operators scan hours of video from one camera at a time in the hope that they’ll find the critical event they need to investigate further. That’s where artificial intelligence comes in. The ability of AI to reduce hours of work to mere minutes is especially significant when we think about the gradual decline in human attention spans With AI, companies such as Avigilon are developing technologies that are designed to make video search as easy as searching the internet. Tools like Avigilon Appearance Search™ technology – a sophisticated deep learning AI video search engine – help operators quickly locate a specific person or vehicle of interest across all cameras within a site. When a security operator is provided with physical descriptions of a person involved in an event, this technology allows them to initiate a search by simply selecting certain descriptors, such as gender or clothing colour. During critical investigations, such as in the case of a missing or suspicious person, this technology is particularly helpful as it can use those descriptions to search for a person and, within seconds, find them across an entire site. Focused attention           The ability of AI to reduce hours of work to mere minutes is especially significant when we think about the gradual decline in human attention spans. Consider all the information a person is presented with on a given day. They don’t necessarily pay attention to everything because most of that information is irrelevant. Instead, they prioritise what is and is not important, often focusing only on information or events that are surprising or unusual. Security operators scan hours of video from one camera at a time in the hope that they’ll find the critical event they need to investigate further Now, consider how much information a security operator who watches tens, if not hundreds or thousands of surveillance cameras, is presented with daily. After just twenty minutes, their attention span significantly decreases, meaning most of that video is never watched and critical information may go undetected. By taking over the task of "watching" security video, AI technology can help focus operators’ attention on events that may need further investigation. As AI technology evolves, the rich metadata captured in surveillance video will add even more relevance to what operators are seeing For instance, technology like Avigilon™ Unusual Motion (UMD) uses AI to continuously learn what typical activity in a scene looks like and then detect and flag unusual events, adding a new level of automation to surveillance. This helps save time during an investigation by allowing operators to quickly search through large amounts of recorded video faster, automatically focusing their attention on the atypical events that may need further investigation, enabling them to more effectively answer the critical questions of who, what, where and when. As AI technology evolves, the rich metadata captured in surveillance video – like clothing colour, age or gender – will add even more relevance to what operators are seeing. This means that in addition to detecting unusual activities based on motion, this technology has the potential to guide operators’ attention to other “unusual” data that will help them more accurately verify and respond to a security event. The key to advanced security When integrated throughout a security system, AI technology has the potential to dramatically change security operations There’s no denying it, the role of AI in security today is transformative. AI-powered video management software is helping to reduce the amount of time spent on surveillance, making security operators more efficient and effective at their jobs. By removing the need to constantly watch video screens and automating the “detection” function of surveillance, AI technology allows operators to focus on what they do best: verifying and acting on critical events. This not only expedites forensic investigations but enables real-time event response, as well. When integrated throughout a security system, AI technology has the potential to dramatically change security operations. Just as high-definition imaging has become a quintessential feature of today’s surveillance cameras, the tremendous value of AI technology has positioned it as a core component of security systems today, and in the future.