June 21, 2017

IFSEC 2017

How Physical Access Systems will be affected by GDPR

With GDPR (General Data Protection Regulation) set to go into effect in May, security professionals must have a plan for all data stored on physical access systems.

“Most IT departments are forgetting about the access control database because it is owned by security,” said Andrew Bull, Director of Sales for UK&I, Quantum Secure at IFSEC.

But this could be an expensive mistake, as GDPR promises severe penalties for non-compliance. “GDPR has put teeth in the Data Protection Act and, for once, a regulation could hurt if a company doesn’t pay attention,” said Bull.

Bull outlines some considerations to prepare for the regulation.

Consent: An organisation should have a specific statement in which an employee gives their consent about the data being held in the physical access system database. “This should not be presumed consent,” said Bull.

Policy: An organisation needs to define the purpose of keeping data. If an employee leaves a company, when do you delete their information? Is there a legitimate reason to keep the data?

Process assurance: An organisation needs to define who has access to the database and also be able to track where the data is stored. Article 33 of GDPR says a company needs to report a personal data breach within 72 hours of the breach and report who is affected.

Contractors and visitors: There needs to be a policy and consent form for contractors and visitors. “We rarely ask for consent for visitors but organisations should add a check-in box so a visitor understands their data is being stored on the database and a clear statement about what is being done with the data,” Bull said.

Once a policy is set, processes need to be put in place to ensure the policy is executed. Typically, there are gaps between policy and process, said Bull.

“My policy says that I store data for two years after an employee leaves the organisation. But how do I track when the two years has expired and delete the personal data from the database?” said Bull. “Does this apply to everyone? Are your policy and procedures role-based?”
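The kind of check Bull is asking for, as an added example that is not from the article or from Quantum Secure: a role-based retention sweep over a constructed cardholder table. The table layout, the sample rows and the retention periods per role are all assumptions standing in for an organisation's own schema and documented retention schedule.

```python
import sqlite3
from datetime import date, timedelta

# Retention period per role, in days (assumed values; a real deployment
# would take these from the organisation's documented retention policy).
RETENTION_DAYS = {"employee": 730, "contractor": 365, "visitor": 30}


def open_sample_db():
    """Create an in-memory cardholder table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cardholder (id INTEGER PRIMARY KEY, name TEXT, "
        "role TEXT NOT NULL, left_on TEXT)"  # left_on is NULL while active
    )
    conn.executemany(
        "INSERT INTO cardholder VALUES (?, ?, ?, ?)",
        [
            (1, "A. Current",  "employee",   None),          # still active
            (2, "B. Leaver",   "employee",   "2015-03-01"),  # left over 2 years ago
            (3, "C. Recent",   "employee",   "2017-01-15"),  # left under 2 years ago
            (4, "D. Contract", "contractor", "2016-05-01"),  # left over 1 year ago
            (5, "E. Visitor",  "visitor",    "2017-06-01"),  # signed out 20 days ago
        ],
    )
    return conn


def expired_records(conn, today_iso):
    """Return (id, role, left_on) for leavers whose retention period has elapsed."""
    today = date.fromisoformat(today_iso)
    due = []
    rows = conn.execute(
        "SELECT id, role, left_on FROM cardholder "
        "WHERE left_on IS NOT NULL ORDER BY id"
    )
    for rec_id, role, left_on in rows:
        if role not in RETENTION_DAYS:
            # A role with no documented retention period is a policy gap:
            # flag it rather than silently keeping or deleting the record.
            raise ValueError(f"no retention period defined for role {role!r}")
        delete_after = date.fromisoformat(left_on) + timedelta(days=RETENTION_DAYS[role])
        if today >= delete_after:
            due.append((rec_id, role, left_on))
    return due


def purge_expired(conn, today_iso):
    """Delete expired records and return the audit trail of what was removed."""
    due = expired_records(conn, today_iso)
    with conn:  # one transaction, so the audit list matches what was deleted
        conn.executemany("DELETE FROM cardholder WHERE id = ?", [(r[0],) for r in due])
    return due
```

Running `expired_records` first gives a dry run that can be reviewed before `purge_expired` is scheduled; the returned list is the record of what was deleted and when.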

Last, talk to your legal team. The legislation is not written with access control in mind and reading the documents can be tedious, said Bull. Get your legal team involved to help plan for the regulation.
