Until recently, data protection laws have differed from one country to the next. Organisations conducting business or protecting assets abroad therefore had to localise both their infrastructure and their policies depending on the country they were operating in. With the impending arrival of the EU GDPR (General Data Protection Regulation), which comes into force on 25 May 2018, all of that will need to change.
Data management in CCTV surveillance
Surprisingly, despite the fact that much has been written about the impending EU GDPR, very little attention has been devoted to the process of ensuring compliance for the operation of video surveillance, access control and other physical security systems. The EU GDPR dictates that businesses adhere to specific governance and accountability standards with regards to the processing of all data.
As this covers such a broad scope of data, any public or private organisation using CCTV to monitor publicly-accessible areas must pay attention: the regulation explicitly lists systematic, large-scale monitoring of a publicly accessible area as processing that requires a data protection impact assessment, so it is treated as high-risk by default. The data in scope includes anything that shows who a person is, where they are and any other specifics about them.
According to numerous market research studies, many organisations are yet to take the necessary steps in order to review the new regulations and ensure the necessary changes are made to meet these obligations. To date, we have seen organisations defining corporate standards for their physical security systems based around IT standards and technologies.
With the implementation deadline of the new regulations fast approaching, organisations that have taken this approach should be in a better state of readiness, with standardised processes, a common organisational approach and common technology.
Enhancing industry awareness of compliance
What’s more, a lot of legacy systems or disparate systems are still out there, and these may still have been entirely commissioned and operated by location-specific security teams. Regardless as to where your organisation stands in terms of technology, it is important to participate in the GDPR review with a greater sense of urgency.
Tony Porter, the UK’s Surveillance Camera Commissioner, has been incredibly vocal in recent months with regards to making security system operators aware that their activities will be subject to the GDPR and to signpost them to relevant guidance from the ICO. For those actively seeking to ensure their businesses are compliant, his organisation’s independent third-party certification is a great place to start.
However, with just a few months until the regulation comes into force, it is unfortunate that his organisation is not yet in a position to confirm this will be sufficient to demonstrate compliance with the EU GDPR.
Ensuring regulatory preparedness
With this being said, there are still a number of steps organisations can take to ensure they are well-prepared when the law comes into play:
- Get involved in the GDPR discussion
If you haven’t already, proactively initiate a GDPR discussion with your legal team and ask for their guidance. Conduct a gap analysis to identify what works and what might require improvement in accordance with the new regulation. Then engage your consultants, integrators and manufacturers, who should be able to advise on appropriate solutions. In the vast majority of cases, it should be possible to upgrade the existing system rather than ‘rip out and replace’.
- Adopt privacy by design
Under the terms of the EU GDPR, data that has been truly anonymised falls outside the regulation altogether, and pseudonymised data, while still personal data, is explicitly recognised as a safeguard that reduces risk. The appropriate use of encryption and automated privacy tools is therefore a logical step. For example, video redaction that blurs out people’s faces unless there is a legitimate reason to reveal their identity can minimise the dangers of having security cameras deployed in public spaces; the caveat is that the redaction applied to exported or routinely viewed footage must be irreversible, with the unredacted original held separately under access control and an audit trail. Seek out certified and sanctioned organisations, such as the European Privacy Seal group ‘EuroPriSe’, a professional organisation whose purpose is to ensure companies meet the ‘GDPR-ready’ privacy compliance standards.
- Consider cloud-based services
Owners of on-premises video surveillance, access control or ANPR systems are responsible for all aspects of EU GDPR compliance, including securing access to the systems and servers storing the information. By working with a cloud provider that acts as a processor under a suitable contract, it is possible to offload some of these operational responsibilities, although the organisation remains the controller and stays accountable for the processing.
For example, we partner with Microsoft Azure to offer these systems ‘as a service’. This pathway significantly reduces the customer’s scope of activities required to ensure compliance and is highly cost-effective. Yet it is important to realise it isn’t a full abdication of responsibility. You remain accountable for ensuring data is classified correctly and share responsibility for managing users and end-point devices.
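The ‘redacted by default, reveal only with a documented reason’ pattern described under privacy by design, as an added example that is not code from the original article or from any vendor named in it. The frame is a constructed greyscale image (rows of 0-255 integers) and the face detector is replaced by hand-placed bounding boxes; in a real deployment the boxes would come from a detector and the original store would be encrypted at rest. Pixelation to coarse block averages is used rather than a light blur, because a small-radius blur can be partially reversed while block averaging discards the detail outright.

```python
"""Privacy-by-design redaction for exported CCTV frames (added example).

Assumptions (not from the article): frames are lists of rows of greyscale
ints, boxes are (x, y, w, h) tuples supplied by an external face detector,
and the audit log is an in-memory list standing in for a real audit sink.
"""


def make_sample_frame(size=32):
    """Constructed 32x32 gradient frame standing in for a camera image."""
    return [[(x * 7 + y * 13) % 256 for x in range(size)] for y in range(size)]


def pixelate_region(frame, box, block=8):
    """Return a copy of frame with the box replaced by block-average tiles.

    Each block x block tile becomes its mean value, so the fine detail
    needed to identify a face is removed, not merely softened. Boxes that
    run off the edge of the frame are clipped.
    """
    out = [row[:] for row in frame]
    height, width = len(frame), len(frame[0])
    x0, y0, w, h = box
    x0, y0 = max(0, x0), max(0, y0)
    x1, y1 = min(x0 + w, width), min(y0 + h, height)
    for by in range(y0, y1, block):
        for bx in range(x0, x1, block):
            ys = range(by, min(by + block, y1))
            xs = range(bx, min(bx + block, x1))
            tile = [frame[y][x] for y in ys for x in xs]
            avg = round(sum(tile) / len(tile))
            for y in ys:
                for x in xs:
                    out[y][x] = avg
    return out


def redact_frame(frame, boxes, block=8):
    """Apply pixelation to every detected region; the input is not mutated."""
    for box in boxes:
        frame = pixelate_region(frame, box, block)
    return frame


class FrameStore:
    """Originals are never handed out by routine export paths.

    export_redacted() is what an operator's viewing client gets; reveal()
    is the exception path and requires a written justification that is
    written to the audit log together with who asked.
    """

    def __init__(self):
        self._originals = {}
        self.audit = []

    def ingest(self, frame_id, frame, boxes):
        self._originals[frame_id] = (frame, list(boxes))

    def export_redacted(self, frame_id, block=8):
        frame, boxes = self._originals[frame_id]
        return redact_frame(frame, boxes, block)

    def reveal(self, frame_id, requester, justification):
        if not justification or not justification.strip():
            raise PermissionError("reveal requires a documented lawful basis")
        self.audit.append((frame_id, requester, justification))
        return self._originals[frame_id][0]


if __name__ == "__main__":
    store = FrameStore()
    store.ingest("cam1-000123", make_sample_frame(), [(8, 8, 16, 16)])
    redacted = store.export_redacted("cam1-000123")
    print("pixel inside box:", redacted[12][12], "outside box:", redacted[0][0])
```

The design choice worth noting is that the redacted copy is computed from the stored original on every export, so there is exactly one place (`reveal`) through which identifiable footage can leave the store, and every such exit leaves an audit record.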
With data laws changing around the world, businesses need to seriously consider how their security technology investments will help them manage risks in order to keep pace. With the GDPR deadline approaching, it is the ideal time to re-evaluate practices, partner with forward-thinking vendors and adopt technologies that will help meet privacy and data protection laws. This way, businesses can minimise risk, avoid costly penalties and be ready for anything.