Does the GDPR catch end users by surprise?

The EU General Data Protection Regulation (GDPR), which goes into effect on May 25 of this year, introduces a series of requirements that all organizations that control or process personal data related to EU citizens must comply with, regardless of where the organization is headquartered. The regulation, intended to improve personal data security and increase accountability for data breaches, brings with it fines for non-compliance of up to four percent of annual turnover or 20 million euros (US$24.5 million), whichever is greater.

As defined by the GDPR, “personal data” means any information relating to an identifiable natural person (“data subject”), including name, location, photo, biometric data, financial and medical details, and online identifiers such as an IP address or device ID. Under the regulation, “data controllers” (organizations that collect personal data for their own use) and “data processors” (organizations that process data on behalf of data controllers, such as cloud service providers) bear the responsibility to handle personal data in a secure manner, especially in the areas of management, encryption and pseudonymization.

To this end, the GDPR increases the liabilities of data processors while making data controllers responsible for the protection of individuals’ rights and for the actions of the processors they engage. Processors and controllers need to know not only what personal information exists within their organizations, but also where and how it is being accessed and used. The GDPR also requires data controllers to report breaches within 72 hours of their discovery, keep records of data processing activities, appoint data protection officers (DPOs), and honor individuals’ right to be forgotten.

End users not ready

Even though the rights of individuals with regard to their personal data are fundamental to the GDPR, consumers do not necessarily take adequate steps to protect their own data. Instead, 62 percent believe the businesses holding their data are responsible for its security, according to a Gemalto survey. With the implementation of the GDPR, organizations are now obliged to comply with data security requirements; otherwise they face not only financial penalties but also legal action from consumers.

However, research firm Gartner estimates over 50 percent of companies affected by the GDPR will fail to be in full compliance with its requirements by the end of 2018. An Imperva survey of cybersecurity professionals shows similar results, in which half of the respondents said that no one was pushing GDPR preparations within their organizations.

According to a Gemalto and Ponemon Institute study on cloud security, the vast majority of global companies (95 percent) have adopted cloud services for data storage. While 53 percent of respondents said their organizations use multi-factor authentication to secure data access, only 36 percent said their organization encrypts or tokenizes sensitive data in the cloud. Half of global respondents believe that payment information and customer data are at risk when stored in the cloud. Furthermore, 57 percent think that using cloud services runs the risk of violating privacy laws.

Implications for video surveillance

Of all the types of personal data covered by the GDPR, data gathered by video surveillance applications might be among the most sensitive, given its intrusive nature. According to a white paper released by Genetec, privacy under the GDPR must be built in by design rather than added on afterwards. “The privacy by design obligation in the GDPR requires an approach to systems engineering in which data protection principles, such as encryption and the anonymization of video footage, for example, are included from the outset in any system design,” the report stated.

It continued: “In addition, data controllers will also be responsible for ensuring that, by default, the minimum amount of data is collected. Video surveillance systems that record constantly and store images indefinitely will be in breach of this provision; as a result, data controllers will need to adopt video surveillance systems with a feature-rich interface that offers flexibility in video recording operations that would enable them to control how long images are retained.”
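One way a data controller could operationalize the retention rule just quoted, as an added example (not code from the Genetec white paper or from this article), assuming a hypothetical inventory of cameras, each with a retention limit in days and a list of clips with ISO 8601 timestamps:

```python
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical camera ids, clip names and dates).
# A retention_days of None models a system that stores footage indefinitely.
CAMERAS = [
    {"id": "lobby-01", "retention_days": 30, "clips": [
        ("lobby-01_20180301.mkv", "2018-03-01T08:00:00+00:00"),
        ("lobby-01_20180520.mkv", "2018-05-20T08:00:00+00:00")]},
    {"id": "garage-02", "retention_days": None, "clips": [
        ("garage-02_20170115.mkv", "2017-01-15T22:30:00+00:00")]},
]


def audit_retention(cameras, now_iso):
    """Return (cameras_without_limit, clips_past_retention).

    Cameras with no positive retention limit are reported as storing images
    indefinitely (the breach condition described above). For the others,
    every clip recorded before now minus the retention period is listed so
    the controller can purge it and document that it did so.
    """
    now = datetime.fromisoformat(now_iso)
    unlimited, expired = [], []
    for cam in cameras:
        days = cam["retention_days"]
        if days is None or days <= 0:
            unlimited.append(cam["id"])
            continue  # no cutoff can be computed; the policy itself is the problem
        cutoff = now - timedelta(days=days)
        for name, recorded_iso in cam["clips"]:
            if datetime.fromisoformat(recorded_iso) < cutoff:
                expired.append(name)
    return unlimited, expired


if __name__ == "__main__":
    # Run the audit as of the regulation's effective date.
    unlimited, expired = audit_retention(CAMERAS, "2018-05-25T00:00:00+00:00")
    print("cameras storing footage indefinitely:", unlimited)
    print("clips past their retention limit:", expired)
```

A scheduled run of such a check gives the controller both the evidence that retention limits are enforced and an early warning when a camera is (re)configured to retain indefinitely.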

Stanley Convergent Security Solutions, from the perspective of a systems integrator, suggested in its white paper that data controllers stay educated about and aware of the ever-changing cyberthreats to their video data and implement a prevention and response program. Data controllers, according to the paper, should ask their security integrators to conduct regular vulnerability tests of all video surveillance components and to test all associated protocols, hardware and firmware to ensure that all manufacturer-mandated updates are deployed. The paper also stressed the importance of password uniqueness and of asking integrators to configure network cameras on ports different from the manufacturer’s factory settings. “Ports — the logical infrastructure pathways by which video data and other information is transmitted — offer targeted gateways for hackers looking to gain access,” it said.

With the GDPR looming, privacy and data protection have become even more of a hot topic in the physical security sector. While system providers and integrators are working to make their products and solutions GDPR-compliant, end users also need to raise their awareness of data security and take action to ensure it, since they are the ones who shoulder the majority of the burden of protecting individual privacy.
