How security system providers react to the GDPR

In the face of the GDPR, system providers need to incorporate the principles of both privacy by design and privacy by default into their product development to meet regulatory requirements. Privacy by design demands that data protection be considered throughout the lifecycle of any project. On the other hand, privacy by default means that systems are designed and configured to be inherently secure. This is done by applying the strictest privacy settings at all times and allowing the least necessary access and functionality for each process and user.

Security companies taking action

Edwin Roobol, Regional Director for Middle Europe at Axis Communications, said that even though it is the end customer that is primarily responsible for ensuring any use of equipment to process personal data is GDPR compliant, Axis will seek to facilitate, in the best possible way, the customer’s compliance. Axis will do so “by providing information to its customers that explains important GDPR implications in relation to the specific Axis application, e.g., who is responsible for what under the GDPR when using the application and what measures customers may need to take to ensure compliance. Still, it is important to note that the purpose of this information is merely to point the customer in the right direction, not to provide legal advice. Ultimately, the customer will have to be satisfied that they have the necessary measures to achieve actual GDPR compliance but we believe that the information we provide to a great extent will facilitate this process for the customer.”

“For the services Axis provides,” Roobol continued, “GDPR compliance is affected by how the service is delivered. For a customer using Axis hosted services, the GDPR imposes obligations on both Axis and the customer, as well as on the customer’s customers. For example, where Axis acts as a personal data processor on behalf of a partner or a customer, Axis and the partner or customer must execute a so-called data processor agreement (DPA) to clearly define the role, respectively, of personal data controller and personal data processor as between Axis and the partner/customer.” Roobol also added that Axis is working on a broad GDPR implementation project so as to put in place a robust model for GDPR compliance.


Jean-Philippe Deby, Business Development Director for Europe at Genetec, said that there was not enough attention being devoted to the process of ensuring compliance for the operation of video surveillance, access control and other physical security systems. “This is a concern as there are a lot of legacy security systems still out there that may have been entirely commissioned and operated by location-specific teams, with little involvement or oversight from the IT department,” Deby said, adding that compliance with the GDPR is just as much about people and process as it is about technology.

“A key challenge we’re addressing is therefore to engage and educate our technology partners, consultants, integrators and end users to conduct a gap analysis to identify what works and what might require improvement in accordance with the new regulation,” Deby said. “Because of our open platform approach, in most cases we can help customers to upgrade their existing system rather than ‘rip out and replace.’”


Commenting on the impact of the GDPR, Ulrich Dörr, Data Protection Officer at Mobotix, said that one of the biggest advantages brought by the new laws is for companies to develop products based on a single standard applied to the entire EU, rather than deal with confusing and sometimes even conflicting regulations spread across different countries.

“Because Mobotix uses a two-tier distribution model, it is our distributors and installers that are directly working with our end customers. Our efforts have been in ensuring that the processes, software and hardware products have the relevant tools, options and settings in place to assist them in creating secure security solutions that are compliant with the new laws and regulations,” he said.

Dörr continued, “We have the algorithms and the calculating power directly in every camera system to ensure a secure handling of data close to the point of origin for image data. The possibility of event-oriented recording of video data directly in the cameras reduces the volume of recorded and transferred personal data, which is also compliant to the data-minimization principle of the GDPR.”

Dörr also mentioned other data sources that need to be protected, such as ATMs or point of sales terminals connected to enterprise video surveillance systems. “GDPR underlines this need at the correlation between a transaction receipt and the image of the associated customer and how that data is passed between different systems. In this example, configuring one camera as a time server and synchronizing this timing element with all the other elements of the IT network offers many advantages in terms of simplicity, reliability and accuracy,” he said.

Moving forward

Video surveillance is increasingly regarded as not only a detection tool but also a crucial means to gain valuable insight into employee, customer and operational activities across industries. The digital economy is built on the collection and exchange of personal data, which is particularly vulnerable to cyberattacks and data breaches. In other words, with actionable intelligence inevitably comes a concern for data security issues the GDPR aims to address.

Causing a paradigm shift in data management, the GDPR is arguably the most stringent data privacy legal framework ever imposed on organizations, and it may represent the future of regulations across the world. To comply with the GDPR, data controllers must demonstrate accountability and transparency in all decisions regarding personal data processing activities. In the meantime, the GDPR is driving strong growth in the cloud market, since delegation to data storage experts can help organizations meet compliance obligations.

