Preparation tips for physical security users ahead of GDPR

Date: 2017/12/01
Source: William Pao, a&s International
With the EU General Data Protection Regulation (GDPR) taking effect next year, many end user organizations in Europe are taking steps to prepare. In a similar vein, entities using video surveillance, access control and other physical security systems should also be aware of the impact that GDPR will have on them.
 
That was the argument made by Jean-Philippe Deby, Business Development Director for Europe at Genetec, in a recent posting to the web portal GDPR Report.
 
The GDPR website states that the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, protect and empower all EU citizens and reshape the way organizations across the region approach data privacy. Fines will be incurred for entities that fail to comply.
 
According to Deby, much has been written about GDPR, but little has been devoted to the process of ensuring compliance for the operation of video surveillance, access control and other physical security systems.
 
“Any public or private organizations using CCTV to monitor publicly accessible areas, for example, should be concerned. Under the terms of GDPR, monitoring the public on a large scale is by default considered a high-risk activity. Per several market research studies, many organizations have not yet taken the steps of reviewing the new regulations and making the changes required to meet the obligations,” Deby said.
 
He also mentioned that a lot of legacy systems or disparate systems out there may still have been entirely commissioned and operated by location-specific security teams. “Regardless of where your organization stands in terms of technology, it is important to participate in the GDPR review with a greater sense of urgency,” he said.
 

Preparation tips

 
According to Deby, operators could do the following to get themselves prepared in the lead-up to GDPR’s enforcement.

1. Get involved and start evaluating your current systems: According to Deby, users who have not been invited into a GDPR discussion should proactively initiate one with their legal team and ask for guidance. “Conduct a gap analysis to identify what works and what might require improvement in accordance with the new regulation. Then engage your consultants, integrators and manufacturers who should be able to advise on appropriate solutions,” he said.

2. Adopt privacy by design: Citing the terms of GDPR, Deby mentioned that data that is anonymized or pseudonymized is likely to be low-risk. The appropriate use of encryption and automated privacy tools is therefore a logical step; for example, video redaction that blurs out people’s faces in video unless there is a legitimate reason to reveal their identity can minimize the dangers of having security cameras deployed in public spaces, Deby said. “Seek out certified and sanctioned organizations, such as the European Privacy Seal group ‘EuroPriSe,’ a professional organization whose purpose is to ensure companies meet the ‘GDPR-ready’ privacy compliance standards — fostering certified trust and reliability.”
 
3. Consider cloud-based services as a shortcut to compliance: According to Deby, owners of on-premises video surveillance, access control or ANPR systems are responsible for all aspects of GDPR compliance, including securing access to the systems and servers storing the information. “By working with an approved cloud provider it is possible to offload some of these responsibilities. For example, we ourselves partner with Microsoft Azure to offer these systems ‘as a service.’ This pathway significantly reduces the customer’s scope of activities required to ensure compliance and is highly cost-effective,” Deby said. “Yet it is important to realize it isn’t a full abdication of responsibility. You remain accountable for ensuring data is classified correctly and share responsibility for managing users and end-point devices.”