June 21, 2017



IFSEC 2017

How Physical Access Systems will be affected by GDPR

With GDPR (the General Data Protection Regulation) set to apply from May 2018, security professionals must have a plan for all personal data stored on physical access systems.

“Most IT departments are forgetting about the access control database because it is owned by security,” said Andrew Bull, Director of Sales for UK&I at Quantum Secure, speaking at IFSEC.

But this could be an expensive mistake, as GDPR promises severe penalties for non-compliance. “GDPR has put teeth in the Data Protection Act and, for once, a regulation could hurt if a company doesn’t pay attention,” said Bull.

Bull outlines some considerations to prepare for the regulation.

Consent: An organisation should have a specific statement in which an employee gives their consent about the data being held in the physical access system database. “This should not be presumed consent,” said Bull.

Policy: An organisation needs to define the purpose of keeping data. If an employee leaves a company, when do you delete their information? Is there a legitimate reason to keep the data?

Process assurance: An organisation needs to define who has access to the database and also be able to track where the data is stored. Article 33 of GDPR requires a company to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, including the categories and approximate number of people affected.

Contractors and visitors: There needs to be a policy and consent form for contractors and visitors. “We rarely ask for consent for visitors but organisations should add a check-in box so a visitor understands their data is being stored on the database and a clear statement about what is being done with the data,” Bull said.

Once a policy is set, processes need to be put in place to ensure the policy is executed. Typically, there are gaps between policy and process, said Bull.

“My policy says that I store data for two years after an employee leaves the organisation. But how do I track when the two years has expired and delete the personal data from the database?” said Bull. “Does this apply to everyone? Are your policy and procedures role-based?”

Last, talk to your legal team. The legislation is not written with access control in mind and reading the documents can be tedious, said Bull. Get your legal team involved to help plan for the regulation.

