Until recently, data laws have differed from one country to the next. This meant that for those organisations conducting business or protecting assets abroad, they needed to localise both their infrastructure and policies dependant on the country they were operating in. However, with the impending arrival of the EU GDPR (General Data Protection Regulation), which comes in to force on the 25th May this year, all of that will need to change.

Data management in CCTV surveillance

Surprisingly, despite the fact that much has been written about the impending EU GDPR, very little attention has been devoted to the process of ensuring compliance for the operation of video surveillance, access control and other physical security systems. The EU GDPR dictates that businesses adhere to specific governance and accountability standards with regards to the processing of all data.

As this includes such a large scope of data, any public or even private organisation using CCTV to monitor publicly-accessible areas must pay attention, as monitoring the public on a large scale is by default considered a high-risk activity. This includes information that shows who a person is, where they are and any other specifics about them.We have seen organisations defining corporate standards for their physical security systems based around IT standards and technologies

According to numerous market research studies, many organisations are yet to take the necessary steps in order to review the new regulations and ensure the necessary changes are made to meet these obligations. To date, we have seen organisations defining corporate standards for their physical security systems based around IT standards and technologies.

With the implementation deadline of the new regulations fast approaching, these should be in a better state of readiness, with standardised processes, common organisational approach and technology.

Enhancing industry awareness of compliance 

What’s more, a lot of legacy systems or disparate systems are still out there, and these may still have been entirely commissioned and operated by location-specific security teams. Regardless as to where your organisation stands in terms of technology, it is important to participate in the GDPR review with a greater sense of urgency. 

EU GDPR considers anonymised or pseudonymised data as low risk
The EU GDPR dictates that businesses adhere to specific governance and accountability standards with regards to the processing of all data

Tony Porter, the UK’s Surveillance Camera Commissioner, has been incredibly vocal in recent months with regards to making security system operators aware that their activities will be subject to the GDPR and to signpost them to relevant guidance from the ICO. For those actively seeking to ensure their businesses are compliant, his organisation’s independent third-party certification is a great place to start.

However, with just a few months until the regulation comes into force, it is unfortunate that his organisation is not yet in a position to confirm this will be sufficient to demonstrate compliance with the EU GDPR.

Ensuring regulatory preparedness

With this being said, there are still a number of steps organisations can take to ensure they are well-prepared when the law comes into play:

  • Get involved in the GDPR discussion

If you haven’t already, proactively initiate a GDPR discussion with your legal team and ask for their guidance. Conduct a gap analysis to identify what works and what might require improvement in accordance with the new regulation. Then engage your consultants, integrators and manufacturers who should be able to advise on appropriate solutions. In the vast majority of cases, it should be possible to upgrade the existing system rather than ‘rip out and replace’.The appropriate use of encryption and automated privacy tools is a logical step

  • Adopt privacy by design

Under the terms of the EU GDPR, data that is anonymised or pseudonymised is likely to be low-risk. The appropriate use of encryption and automated privacy tools is therefore a logical step. For example, video redaction that blurs out people’s faces in video unless there is a legitimate reason to reveal their identity can minimise the dangers of having security cameras deployed in public spaces. Seek out certified and sanctioned organisations, such as the European Privacy Seal group ‘EuroPriSe’, a professional organisation whose purpose is to ensure companies meet the ‘GDPR-ready’ privacy compliance standards.

  • Consider cloud-based services

Owners of on-premises video surveillance, access control or ANPR systems are responsible for all aspects of EU GDPR compliance, including securing access to the systems and servers storing the information. However, by working with an approved cloud provider it is possible to offload some of these responsibilities.

For example, we partner with Microsoft Azure to offer these systems ‘as a service’. This pathway significantly reduces the customer’s scope of activities required to ensure compliance and is highly cost-effective. Yet it is important to realise it isn’t a full abdication of responsibility. You remain accountable for ensuring data is classified correctly and share responsibility for managing users and end-point devices. 

With data laws changing around the world, businesses need to seriously consider how their security technology investments will help them manage risks in order to keep pace. With the GDPR deadline approaching, it is the ideal time to re-evaluate practices, partner with forward-thinking vendors and adopt technologies that will help meet privacy and data protection laws. This way, businesses can minimise risk, avoid costly penalties and be ready for anything.

Download PDF version

Author profile

Paul Dodds Country Manager, UK and Ireland, Genetec, Inc.

In case you missed it

What are the obstacles to adoption of mobile credentials for access control?
What are the obstacles to adoption of mobile credentials for access control?

Using a smart phone as an access control credential is an idea whose time has come – or has it? The flexible uses of smart phones are transforming our lives in multiple ways, and the devices are replacing everything from our alarm clocks to our wallets to our televisions. However, the transformation from using a card to using a mobile credential for access control is far from a no-brainer for many organisations, which obstacles to a fast or easy transition. We asked this week’s Expert Panel Roundtable: When will mobile credentials dominate access control, and what are the obstacles to greater adoption?

How to choose the right security entrance for effective customer security
How to choose the right security entrance for effective customer security

Security and systems integrators across the nation are recommending and providing long-term security solutions to their customers. But when it comes to physical security entrances, integrators can easily fall into the trap of simply fulfilling an end user’s exact request without much pushback. Why? We believe the complexity and variety of entrances available makes it difficult to consult on the best solution, but also because there are a lot of assumptions at play. 1) Ask questions to determine the correct security entrance solution There is confusion in the security industry on the meaning of the word, “turnstile.” End users, when requesting a solution, tend to use the word “turnstile” to describe anything from an old fashioned, 3-arm turnstile to a high-tech optical turnstile to a security revolving door. We encourage security integrators to ask questions to discover how their clients want to mitigate the risk of unauthorised entry or “tailgating.” This can help determine the correct security entrance solution to meet the end user’s goal and budget. By asking the right questions and offering true solutions, you can enhance a relationship built on trust and consultation leading to potential repeat business. Below are four physical security goals—crowd, deterrence, detection, and prevention—accompanied by the type of “turnstile” and its capabilities. This breakdown can help the integrator to confidently address an end user’s request for a “turnstile,” and then recommend a solution that truly fulfills their security goals. 2) Explore options for crowd control Typically seen in stadiums, amusement parks, universities, and fitness centres, tripod turnstiles are considered a low security solution for crowd management. Designed for counting employees or slowing down high traffic volume to collect tickets or payments, tripod turnstiles are built to withstand the most abusive of conditions. Here’s what security integrators should know about tripod turnstiles: Low capital cost, but high annual operating cost due to needed 24/7 guard supervision Lack of sensors can lead to defeat – turnstiles can be crawled under or jumped over without alarm/notification to guard staff Little to no metrics capabilities available – no sensors or alarms if defeated High throughput, handling 30 persons per minute in one direction Full height turnstiles are a tall, robust solution for perimeter fence lines, metro stations or parking garages 3) Choose an effective deterrent A physical deterrent to infiltration, full height turnstiles are a tall, robust solution for perimeter fence lines, metro stations or parking garages. While full height turnstiles do physically stop tailgating (an unauthorised person following someone in the next compartment), they have no means to prevent piggybacking. Two people in collusion can gain access through the full height turnstile by badging once and then squeezing into the same compartment. Here are some other things to note about full height turnstiles: Low capital cost, low annual operating cost Guard supervision is up to the user Little to no metrics capabilities available – no sensors or alarms if defeated Moderate throughput, handling 18 persons per minute in one direction 4) Ensure your chosen turnstile can detect tailgating A staple in lobby security to accommodate visitors, optical turnstiles utilise complex sensors to detect a tailgating attempt. Most models available today offer sliding or swinging barriers. A very common assumption in the security industry is that optical turnstiles prevent unauthorised entry, which isn’t true. In fact, once the barriers are open, a second user can slip through. Or, in the case of a wide lane for disabled use, two people can walk through side by side. In either case, an alarm is generated and supervision is therefore essential in order to respond swiftly. The cost of 24/7 supervision must be factored into the security budget. Here are some other points to make note of: Moderate capital cost, but high annual operating cost due to need for 24/7 guard supervision Sensors detect tailgating and sound an alarm for post-tailgating reaction, but turnstiles can still be defeated Moderate metrics capabilities available (for example, # times tailgating occurred, passback rejection) High throughput, handling up to 30 persons per minute in one direction 5) Determine prevention tactics for staff and visitor safety The entry solution of choice for Fortune 1000 companies, security revolving doors and mantrap portals completely prevent tailgating due to their working principle, ensuring the safety and security of staff and visitors. Commonly used at employee-only entrances, security doors are an unmanned entrance solution that cannot be defeated; sensors in the ceiling prevent tailgating (following in a trailing compartment). Optional piggybacking detection systems are also available (preventing two people in the same compartment from entering). The benefits of utilising a truly unmanned door are unparalleled: guard staff can be reduced or reallocated, and this entrance offers an ROI of just 1-2 years. Here’s more information security integrators should know about security revolving doors and portals: High capital cost, low annual operating cost due to no required guard supervision Sophisticated metrics capabilities available, allowing the end user to prove the value of their security investment Security revolving doors = 20 persons per minute, simultaneously in two directions; Security portals = 6 persons per minute in one direction Biometric devices and bullet-resistant glass can be incorporated for an even higher level of security As we’ve demonstrated here, “turnstile,” in the eyes of an end user, is a complex term that can range from a low security, crowd control solution to a high security, tailgating prevention entrance. Security integrators need to first accurately determine the security goals of their customers and then break down the “turnstile” barrier of confusion to recommend the best solution for fulfilling those goals.

Why security customers should buy products and services from SMBs
Why security customers should buy products and services from SMBs

In 1973, a brilliant economist named E.F. Schumacher wrote a seminal book titled ‘Small Is Beautiful:’ taking an opposing stance to the emergence of globalisation and “bigger is better” industrialism. He described the advantages of smaller companies and smaller scales of production, highlighting the benefits of building our economies around the needs of communities, not corporations. In almost every industry or market that exists in the world today, you're likely to find a difference in size between companies. Whether it’s a global retail chain versus a small family-owned store, a corporate restaurant chain versus a mom-and-pop diner or a small bed and breakfast versus a large hotel chain — each side of the coin presents unique characteristics and advantages in a number of areas. Disparity in physical security industry Customers are drawn to products and services from large enterprises as the big names typically imply stability This disparity very clearly exists in the physical security industry, and differences in the sizes of product manufacturers and service providers could have important implications for the quality and type of the products and services offered. All too often, customers are drawn to products and services from large enterprises, as the big names typically imply stability, extensive product offerings and global reach. And that's not to say that these considerations are unwarranted; one could argue that larger companies have more resources for product development and likely possess the combined expertise and experience to provide a wide range of products and services. But the value that a company’s products and services can bring isn’t necessarily directly related to or dependent on its size. In an age where the common wisdom is to scale up to be more efficient and profitable, it’s interesting to pause and think about some of the possible advantages of small- and medium-sized businesses (SMBs). Typically, “small” companies are defined as those with less than 100 employees and “medium” with less than 500. Providing social mobility  Schumacher argued that smaller companies are important engines of economic growth. Indeed, according to the Organisation for Economic Cooperation and Development (OECD), a group of 36 member countries that promotes policies for economic and social well-being, SMBs account for 60 to 70 percent of jobs in most OECD countries. Importantly, SMBs provide resilience in that there are often large economic and social impacts when big companies fail. Smaller companies are better for regional economies in general, as earnings stay more local compared to big businesses, which in turn generates additional economic activity. SMBs are also better at providing social mobility for disadvantaged groups by giving them opportunities and enabling them to realise their potential. Smaller companies are often more innovative, bringing to the market novel technologies and solutions such as Cloud, analytics, AI, and IoT New companies introduce new technologies There's no denying the role of start-ups when it comes to innovation. In the security industry, many new technologies (e.g. Cloud, analytics, AI, IoT) are first brought to the market by newer companies. In general, smaller companies’ products and services often have to be as good or better than others to be competitive in the marketplace. They are therefore often more innovative, bringing to the market novel technologies and solutions. And these companies are also more willing to try out other new B2B solutions, while larger companies tend to be more risk-averse. Customer service Aside from the quality of products and services, arguably one of the most important components of a security company’s success is its ability to interact with and provide customers the support that they deserve. Smaller companies are able to excel and stand out to their customers in a number of ways: Customer service. Customers’ perceptions of a product’s quality are influenced by the quality of support, and smaller manufacturers often possess a strong, motivated customer service team that can be relatively more responsive to customers of all sizes, not just the large ones. A superior level of support generally translates into high marks on customer satisfaction, since customers’ issues with products can be resolved promptly. Flexibility. SMBs have a greater capacity to detect and satisfy small market niches. While large companies generally create products and services for large markets, smaller companies deal more directly with their customers, enabling them to meet their needs and offer customised products and services. And this translates to adaptability, as SMBs become responsive to new market trends. By having a pulse on the market, smaller companies have much more flexibility in their supply chain and can adjust much faster in response to changing demand. Decision-making. Smaller companies are much more agile in decision-making, while larger enterprises often suffer from complex, tedious and lengthy decision-making processes. Communication is easier throughout SMBs, as smaller teams enable new ideas to flow and can solve problems faster. Job satisfaction Employees working for SMBs connect more directly with the company's goals and objectives, which in turn increases motivation and job satisfaction Employees working for SMBs connect more directly with the company's goals and objectives, which in turn increases motivation and job satisfaction. SMBs are also generally more connected to local communities and participation in community activities leads to a greater sense of purpose. Additionally, SMBs have a much smaller impact on the environment, which is increasingly becoming an important consideration for today’s employees and customers. Though Schumacher's book takes a much deeper dive into the large global effects of scale on people and profitability, the general impact of a company’s size on its products and services is clear. It’s important for all players in the security industry to remember that the commitment and dedication to product quality can be found in businesses of all sizes. Ensuring safety of people, property and assets Large manufacturers may catch your eye, but small business shouldn’t be forgotten, as they can offer end users a robust set of attributes and benefits. While all security companies are aiming to achieve a common goal of providing safety for people, property and assets, smaller businesses can provide extensive value when it comes to driving the economy, innovating in the industry, providing quality employment and offering superior customer service.