June 21, 2017


IFSEC 2017

How Physical Access Systems will be affected by GDPR

With GDPR (the General Data Protection Regulation) set to apply from May 2018, security professionals must have a plan for all personal data stored on physical access control systems.

“Most IT departments are forgetting about the access control database because it is owned by security,” said Andrew Bull, Director of Sales for UK&I, Quantum Secure at IFSEC.

But this could be an expensive mistake as GDPR promises severe penalties for non-compliance. “GDPR has put teeth in the data protection act and, for once, a regulation could hurt if a company doesn’t pay attention,” said Bull.

Bull outlines some considerations to prepare for the regulation.

Consent: An organisation should have a specific statement in which an employee gives their consent about the data being held in the physical access system database. “This should not be presumed consent,” said Bull.

Policy: An organisation needs to define the purpose of keeping data. If an employee leaves a company, when do you delete their information? Is there a legitimate reason to keep the data?

Process assurance: An organisation needs to define who has access to the database and also be able to track where the data is stored. Article 33 of GDPR requires a company to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, describing the nature of the breach, including the categories and approximate number of data subjects affected.

Contractors and visitors: There needs to be a policy and consent form for contractors and visitors. “We rarely ask for consent for visitors but organisations should add a check-in box so a visitor understands their data is being stored on the database and a clear statement about what is being done with the data,” Bull said.

Once a policy is set, processes need to be put in place to ensure the policy is executed. Typically, there are gaps between policy and process, said Bull.

“My policy says that I store data for two years after an employee leaves the organisation. But how do I track when the two years have expired and delete the personal data from the database?” said Bull. “Does this apply to everyone? Are your policy and procedures role-based?”
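The retention sweep Bull describes, as an added example that is not from the article or from Quantum Secure: a scheduled job that closes the gap between a written retention policy and the database. It runs against an in-memory SQLite copy of a hypothetical access control database; the schema, the table and column names, the retention periods per role and the sample cardholders and door events are all constructed for this illustration (only the two-year employee figure is Bull's). Note how a role with no retention rule is flagged for review rather than silently deleted or silently kept, and how the deletion log holds no name or card identifier.

```python
import sqlite3
from datetime import date, timedelta

# Hypothetical role-based retention periods, in days after the leaving date.
# The two-year employee figure is the one Bull quotes; the others are assumptions.
RETENTION_DAYS = {"employee": 730, "contractor": 365, "visitor": 90}

# Hypothetical schema; real access control products use their own.
SCHEMA = """
CREATE TABLE cardholder (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL,
    left_on TEXT                      -- ISO date; NULL while still active
);
CREATE TABLE access_event (
    id INTEGER PRIMARY KEY, cardholder_id INTEGER NOT NULL,
    door TEXT NOT NULL, at TEXT NOT NULL
);
-- Evidence that a deletion happened, holding no name or card identifier.
CREATE TABLE deletion_log (
    role TEXT NOT NULL, left_on TEXT NOT NULL,
    purged_on TEXT NOT NULL, events_removed INTEGER NOT NULL
);
"""

# Constructed sample data, as it would look on 21 June 2017.
SAMPLE_CARDHOLDERS = [
    (1, "Alice", "employee",   None),          # still active
    (2, "Bob",   "employee",   "2015-03-01"),  # left over two years ago: due
    (3, "Carol", "employee",   "2016-01-15"),  # left under two years ago: keep
    (4, "Dave",  "contractor", "2016-05-01"),  # left over a year ago: due
    (5, "Erin",  "visitor",    "2017-04-01"),  # 90 days expire on 30 June: keep
    (6, "Frank", "auditor",    "2010-01-01"),  # role has no retention rule: review
]
SAMPLE_EVENTS = [
    (1, "lobby", "2017-06-20T08:59:00"), (1, "server-room", "2017-06-20T09:10:00"),
    (1, "lobby", "2017-06-21T08:55:00"), (2, "lobby", "2015-02-27T09:00:00"),
    (2, "lobby", "2015-02-28T09:02:00"), (3, "lobby", "2016-01-14T08:50:00"),
    (4, "loading-bay", "2016-04-29T07:30:00"),
]


def open_db():
    """Build the in-memory sample database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO cardholder VALUES (?, ?, ?, ?)", SAMPLE_CARDHOLDERS)
    con.executemany("INSERT INTO access_event(cardholder_id, door, at) VALUES (?, ?, ?)",
                    SAMPLE_EVENTS)
    return con


def due_for_deletion(con, today):
    """Return (due, review): ids whose role-specific retention period has expired,
    and ids whose role has no retention rule and so must not be deleted unreviewed."""
    due, review = [], []
    rows = con.execute(
        "SELECT id, role, left_on FROM cardholder WHERE left_on IS NOT NULL ORDER BY id")
    for cid, role, left_on in rows:
        days = RETENTION_DAYS.get(role)
        if days is None:
            review.append(cid)
        elif date.fromisoformat(left_on) + timedelta(days=days) <= today:
            due.append(cid)
    return due, review


def purge(con, today):
    """Delete every due cardholder together with their event history, logging only
    role, leaving date and counts so the deletion itself can be evidenced later."""
    due, _ = due_for_deletion(con, today)
    for cid in due:
        role, left_on = con.execute(
            "SELECT role, left_on FROM cardholder WHERE id = ?", (cid,)).fetchone()
        removed = con.execute(
            "DELETE FROM access_event WHERE cardholder_id = ?", (cid,)).rowcount
        con.execute("DELETE FROM cardholder WHERE id = ?", (cid,))
        con.execute("INSERT INTO deletion_log VALUES (?, ?, ?, ?)",
                    (role, left_on, today.isoformat(), removed))
    con.commit()
    return due


def sweep(today_iso):
    """Run one scheduled sweep on a fresh copy of the sample data and return a
    summary of the kind an audit report would need."""
    con = open_db()
    today = date.fromisoformat(today_iso)
    _, review = due_for_deletion(con, today)
    purged = purge(con, today)
    remaining = con.execute("SELECT COUNT(*) FROM cardholder").fetchone()[0]
    events_removed = con.execute(
        "SELECT COALESCE(SUM(events_removed), 0) FROM deletion_log").fetchone()[0]
    return {"purged": purged, "review": review,
            "remaining": remaining, "events_removed": events_removed}


if __name__ == "__main__":
    print(sweep("2017-06-21"))
```

Run on 21 June 2017 the sweep removes Bob and Dave with their three door events, keeps Carol and Erin because their periods have not yet expired, and reports Frank for review because "auditor" has no rule; run nine days later it also removes Erin. The same comparison, done from the leaving date rather than from a manual reminder, is what turns the two-year policy into a process.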

Last, talk to your legal team. The legislation is not written with access control in mind and reading the documents can be tedious, said Bull. Get your legal team involved to help plan for the regulation.
