With GDPR (General Data Protection Regulation) set to go into effect in May, security professionals must have a plan for all data stored on physical access systems.
“Most IT departments are forgetting about the access control database because it is owned by security,” said Andrew Bull, Director of Sales for UK&I, Quantum Secure at IFSEC.
But this could be an expensive mistake as GDPR promises severe penalties for non-compliance. “GDPR has put teeth in the data protection act and, for once, a regulation could hurt if a company doesn’t pay attention,” said Bull.
Bull outlines some considerations to prepare for the regulation.
Consent: An organisation should have a specific statement in which an employee gives their consent about the data being held in the physical access system database. “This should not be presumed consent,” said Bull.
Policy: An organisation needs to define the purpose of keeping data. If an employee leaves a company, when do you delete their information? Is there a legitimate reason to keep the data?
Process assurance: An organisation needs to define who has access to the database and also be able to track where the data is stored. Article 33 of GDPR says a company needs to report a personal data breach within 72 hours of the breach and report who is affected.
Contractors and visitors: There needs to be a policy and consent form for contractors and visitors. “We rarely ask for consent for visitors but organisations should add a check-in box so a visitor understands their data is being stored on the database and a clear statement about what is being done with the data,” Bull said.
Once a policy is set, processes need to be put in place to ensure the policy is executed. Typically, there are gaps between policy and process, said Bull.
“My policy says that I store data for two years after an employee leaves the organisation. But how do I track when the two years have expired and delete the personal data from the database?” said Bull. “Does this apply to everyone? Are your policy and procedures role-based?”
Last, talk to your legal team. The legislation is not written with access control in mind and reading the documents can be tedious, said Bull. Get your legal team involved to help plan for the regulation.
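The retention question Bull raises (when does the two years expire, and does the same rule apply to every role?) is the kind of check that can be run as a scheduled sweep over the access control database. The following is an added illustration, not code from Quantum Secure or from the article; the role-specific retention periods other than the two-year employee example, the record fields and the sample records are all assumed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Retention period per role, in days after the person's last day. Only the
# two-year employee figure comes from the article; the others are assumed.
RETENTION_DAYS = {
    "employee": 730,
    "contractor": 180,
    "visitor": 30,
}

@dataclass
class AccessRecord:
    holder_id: str
    role: str
    consent_recorded: bool        # a specific consent statement is on file
    last_day: Optional[date]      # badge deactivation / leave date; None if active

def retention_review(records: List[AccessRecord], today: date) -> Tuple[List[str], List[Tuple[str, str]]]:
    """One sweep of the database: returns (ids due for deletion, policy issues)."""
    due, issues = [], []
    for r in records:
        if not r.consent_recorded:
            issues.append((r.holder_id, "no consent statement on file"))
        if r.role not in RETENTION_DAYS:
            # A record with no retention rule is itself a policy gap.
            issues.append((r.holder_id, f"no retention rule for role {r.role!r}"))
            continue
        if r.last_day is None:
            continue  # still active, nothing to delete yet
        if today >= r.last_day + timedelta(days=RETENTION_DAYS[r.role]):
            due.append(r.holder_id)
    return due, issues

# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    AccessRecord("E001", "employee", True, date(2016, 5, 1)),    # left over 2 years ago
    AccessRecord("E002", "employee", True, date(2017, 1, 10)),   # left, still within 2 years
    AccessRecord("E003", "employee", False, None),               # active, no consent on file
    AccessRecord("C001", "contractor", True, date(2017, 11, 1)), # contract ended, 180 days passed
    AccessRecord("V001", "visitor", True, date(2018, 5, 10)),    # recent visit, keep for now
    AccessRecord("X001", "intern", True, date(2015, 1, 1)),      # role with no retention rule
]

def run_sample() -> Tuple[List[str], List[Tuple[str, str]]]:
    return retention_review(SAMPLE_RECORDS, date(2018, 5, 25))

if __name__ == "__main__":
    due, issues = run_sample()
    print("due for deletion:", due)
    print("policy issues:", issues)
```

The sweep is only as good as the leave dates fed into it, so the HR leaver process has to update the access control record, otherwise the two-year clock never starts.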
How Physical Access Systems will be affected by GDPR
Kelley Damore
IFSEC Insider | Security and Fire News and Resources