The European Union has spelled out specific requirements and safeguards for handling and protecting personal data. In the General Data Protection Regulation (GDPR), the EU makes clear exactly what is expected of those who control and process data. (The United Kingdom has committed to follow the regulation despite the Brexit vote.) Everyone is facing a deadline on May 25th 2018 to comply with the GDPR. What are the exact implications for the physical security market? What do customers need to do to ensure they are compliant? These are urgent questions, given that the clock is already ticking.

The GDPR’s implications are especially timely considering the physical security industry’s current emphasis on the value and importance of data. The growing value of data was a big topic at the recent IFSEC show in London. The industry is looking for new ways to leverage data for benefits in a company beyond the security department.

New cybersecurity responsibilities

One example is access control data: Who is granted access to which door and more generally, how do employees move throughout an enterprise? This is information that can be useful to managers, whether to analyse facility usage trends or promote more efficient operations. Access control data is especially valuable when combined with other data in an organisation, such as human resource (HR) and accounting records. It provides more data points that a company can use in overall metrics to guide business operations.

But as the GDPR emphasises, the value of data and the ability to leverage data come with new responsibilities, specifically a need to protect privacy. This includes a need for additional cybersecurity of networked systems, another current “hot topic” in the market and historically a weak, or at least under-addressed, point for the industry.

The GDPR applies to “personal data,” but its detailed definition includes digital information such as IP addresses and a range of personal identifiers. Sensitive personal data, such as biometric data used to uniquely identify an individual, is in a “special category.” Physical security systems collect plenty of personal data, some of it critical and sensitive, including an employee’s PIN code, fingerprints, or even video footage.

GDPR impact on physical security

Other areas that might impact the physical security industry include requirements to provide information about any transfers of data to other countries outside the EU and the retention period of data and criteria used to determine the retention period. There is also a “right to erasure” that provides an individual a right to have personal data erased if it is “no longer necessary in relation to the purpose for which it was originally collected/processed.”

The value of data and the ability to leverage data come with new responsibilities, specifically a need to protect privacy
Physical security systems collect plenty of personal data, some of it critical and sensitive, including an employee’s PIN code, fingerprints, or even video footage

In the accountability section of the regulation, companies are required to implement “appropriate technical and organisational measures” to ensure and demonstrate compliance. In the category of “data protection by design”, there is a general obligation to “implement technical and organisational measures to show that [a company] has considered and integrated data protection into processing activities.” It is even more reinforcement to the need for more cybersecurity.

Data protection by design

The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate compliance, including codes created by trade associations or representative bodies. There may be an opportunity for organisations in the physical security market to step in and create such guidelines and to clarify best practices as they relate to our market’s technologies. 

In the category of “data protection by design,” physical security system manufacturers should include data protection and security from the ground floor as they are designing new products.

Based on several recent conversations, I can say with confidence that these concerns are definitely on the minds of many in our industry. But concerns aren’t necessarily answers, and time is short to fully comply with GDPR by the deadline.

And the issue isn’t limited to Europe; multi-national companies that do business in Europe, or even cloud systems that store data there, are also impacted. And even beyond GDPR, data protection is an urgent concern around the world. It’s time to step up.