GDPR and Security Systems – How Does GDPR Impact CCTV, Access Control and Other Physical Security Systems?
GDPR, the General Data Protection Regulation, came into effect on 25th May 2018. It helps to ensure that the personal data of EU citizens is handled safely and securely by organisations and businesses.
GDPR affects all elements of an organisation that handle or process personal data, including security systems.
If your organisation currently uses CCTV, access control systems, and other security measures, it is certainly worth evaluating how you are currently collecting, storing and processing data and whether or not this meets the new GDPR standards.
This article is by no means legal advice, rather an opportunity to highlight how GDPR relates to security. To learn more, we suggest you get started by visiting the ICO website on security and seek professional advice.
How does GDPR relate to Security Systems?
GDPR relates to any sort of “data” that can be used to identify an individual. This includes details such as names, email addresses and other common pieces of personal data that businesses usually store, but also areas of the business that might be forgotten about, such as key fobs, CCTV and access control verification.
If a key fob can identify an individual, businesses need to appreciate that how it handles and manages such data is important and can’t be ignored.
If not, businesses may not be complying with GDPR.
It doesn’t matter if you’re a small family business, or a large multinational corporation, any security systems used need to meet these new standards.
Businesses with dated IT systems, CCTV and other technology in particular may find that their equipment lacks the functionality to meet the new standards. This is why it is important to evaluate and understand how every part of your business is handling data and whether it needs changing.
According to several sources, if a business uses CCTV, they need to register with the ICO. This is due to the fact you’ll be processing personal data, just not collecting it. Your business can take this quiz to see if you need to register or not.
How to Ensure your Security System is GDPR Compliant
This guide from the ICO offers some advice on things to consider and is worth printing off and having as a reference point. Unfortunately, there is no definitive checklist for GDPR. A lot of the recommendations need context within your own business and are therefore up for interpretation somewhat.
Nevertheless, there are some initial steps you can take to get started, such as:
- Privacy Impact Assessment – The ICO recommends carrying out a Privacy Impact Assessment. This helps ensure that any personal data being collected is, firstly, reasonable and fit for purpose and, secondly, stored and processed securely. The assessment should uncover any areas of an organisation that need addressing.
- Data Processing and Storage – It is recommended that data is removed after an appropriate length of time and not stored unless necessary. This prevents businesses from collecting unnecessary personal data and keeping high volumes of it for longer than they need to. The more data that is held, the more severe any breach becomes. So, think carefully about how long you really need to keep customer information.
- Encryption – “Privacy by Design” is a phrase commonly used in association with GDPR. Simply put, it refers to having systems and processes with privacy fundamentally built into them. Encrypted and anonymised data are much safer to store. Particularly with CCTV footage, thinking about how it is stored should become a top priority for businesses.
- Transparency – A key element of GDPR that will impact surveillance and security is that of transparency and lawful intent. You can’t simply invade people’s privacy and say it’s done for security reasons. Instead, you must be very clear about how and why you are processing data. As a business, you can monitor and track employees via CCTV and other security systems, but there must be a lawful basis for doing so and it must be communicated clearly to all employees beforehand.
- New Technology – As new technology such as the Internet of Things and Big Data promise to change the way we live, it is important for businesses to walk before they can run. Organisations should focus on privacy by design first and ensure they can create processes and systems that are GDPR compliant, before thinking about how they can leverage new technology that requires even more security measures. If not, businesses could find themselves in uncharted waters, by trying to do too much, too quickly.
- Access and Accountability – Understanding who has access to what is an important part of GDPR. If unauthorised people can access CCTV footage, that could become a huge data breach.
- Consent – In many cases, it is important to get explicit consent from an individual before you collect and process their data. This applies to employees, customers and the general public alike. It must be clear from the start what data is being collected and whether they consent to this.
- Frequent Evaluation – GDPR isn’t just supposed to be a manic period where people discuss privacy and then everything goes quiet until the next law change. Instead, businesses should allocate time frequently throughout the year to reassess their GDPR compliance and ensure any new business operations or processes don’t create vulnerabilities in how they handle data.
Get Started with A.P.E Fire and Security
If all this GDPR talk has made you realise you need some new security systems put in place, please don’t hesitate to get in touch with us here at A.P.E. Fire and Security. A trusted organisation since 1977, we offer reliable service and maintenance contracts and our team are available 24 hours a day to help you.
We can supply, install, maintain and monitor quality systems as well as simply offer you advice and insights based on our experience.