With GDPR (General Data Protection Regulation) set to go into effect in May 2018, security professionals must have a plan for all data stored on physical access systems.
Most businesses are not thinking about their access control database because they assume it is the responsibility of their security systems provider. This is an expensive misconception: GDPR carries severe penalties for non-compliance, and the data gathered by security systems such as CCTV and access control does not belong to the installer. The organisation operating the system is responsible for it.
Consent is a major element to consider in preparation for GDPR. It is one of the lawful bases Article 6 allows (legitimate interests is another), and whichever basis you rely on must be recorded. Organisations should prepare a statement, provided to employees and all site visitors, explaining what data is held in the access control database, why, and for how long. Reading the statement does not imply consent; where consent is the basis relied on, individuals must give it in a form that can be documented, such as a signature.
Organisations need to define the purpose of the data they keep. When an employee leaves, when do you delete the information you hold on them, and if you intend to keep some of it, is there a legitimate, documented reason for doing so? A small, named group should be responsible for accessing the database and for tracking where the data is stored, including backups and exports. Personal data breaches must be reported to the supervisory authority within 72 hours of the organisation becoming aware of them, according to Article 33 of GDPR.
All employees and visitors need to understand that their data is being stored in a database and be provided with a clear statement on what is being done with their data. This needs to be documented in a policy and consent process.
Once all policies have been set, processes need to be put in place to ensure they are executed. A gap often exists between policy and process: it is easy to decide what needs to be done, but how it will be done is a different matter altogether.
A typical scenario could be:
You create a policy that says you store employee data for 4 years after they leave the company. How will you track when the 4 years have expired, and how will the personal data then be deleted from the database, including the access event history tied to that person? Will the procedure apply to all employees, or will retention periods and procedures be role-based? Who records the exceptions where data is deliberately kept? There is a lot to consider.
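The retention sweep described above, as an added example that is not code from the original page or from Antron Security. It assumes a hypothetical access control schema (tables `cardholders`, `access_events` and `retention_log`) and runs against an in-memory SQLite database with constructed sample records, so it can be tried offline. It shows the three things the policy alone does not settle: how the 4-year expiry is computed from the leave date, how a documented legal hold stops deletion, and how the deletion is logged by internal id and count only so that the audit trail holds no personal data.

```python
"""Retention sweep for an access-control database (constructed example).

Assumptions, not taken from the page: a hypothetical schema with
cardholders(id, name, badge, leave_date, legal_hold) and
access_events(id, cardholder_id, ts, door). SQLite in-memory so it runs offline.
"""
from __future__ import annotations

import sqlite3
from datetime import date

RETENTION_YEARS = 4  # the policy figure used on the page

SCHEMA = """
CREATE TABLE cardholders (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    badge TEXT NOT NULL,
    leave_date TEXT,                        -- ISO date; NULL while still employed
    legal_hold INTEGER NOT NULL DEFAULT 0   -- 1 = documented reason to keep
);
CREATE TABLE access_events (
    id INTEGER PRIMARY KEY,
    cardholder_id INTEGER NOT NULL REFERENCES cardholders(id),
    ts TEXT NOT NULL,
    door TEXT NOT NULL
);
CREATE TABLE retention_log (
    run_date TEXT NOT NULL,
    cardholder_id INTEGER NOT NULL,         -- internal id only, no personal data
    events_deleted INTEGER NOT NULL
);
"""


def add_years(d: date, years: int) -> date:
    """d + years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def open_demo_db() -> sqlite3.Connection:
    """Constructed sample data: four leavers and one current employee."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO cardholders VALUES (?, ?, ?, ?, ?)",
        [
            (1, "A. Example", "B-1001", "2013-03-31", 0),  # long expired
            (2, "B. Example", "B-1002", "2014-05-25", 0),  # expires on the run day
            (3, "C. Example", "B-1003", "2014-05-26", 0),  # one day short
            (4, "D. Example", "B-1004", "2012-01-15", 1),  # expired but on legal hold
            (5, "E. Example", "B-1005", None, 0),          # still employed
        ],
    )
    conn.executemany(
        "INSERT INTO access_events (cardholder_id, ts, door) VALUES (?, ?, ?)",
        [(1, "2013-03-30T08:01", "Main"), (1, "2013-03-30T17:30", "Main"),
         (2, "2014-05-23T09:00", "Lab"), (3, "2014-05-20T09:00", "Lab"),
         (4, "2012-01-14T09:00", "Main"), (5, "2018-05-24T09:00", "Main")],
    )
    return conn


def purge_expired(conn: sqlite3.Connection, today: date,
                  retention_years: int = RETENTION_YEARS) -> list[int]:
    """Delete the personal data of leavers whose retention period has ended.

    A record is due when leave_date + retention_years <= today and no legal
    hold is set. Event history and the cardholder row go together, in one
    transaction, and the log records only the internal id and a count.
    """
    rows = conn.execute(
        "SELECT id, leave_date FROM cardholders "
        "WHERE leave_date IS NOT NULL AND legal_hold = 0 ORDER BY id"
    ).fetchall()
    due = [cid for cid, left in rows
           if add_years(date.fromisoformat(left), retention_years) <= today]
    with conn:  # commit all or nothing
        for cid in due:
            n = conn.execute(
                "DELETE FROM access_events WHERE cardholder_id = ?", (cid,)
            ).rowcount
            conn.execute("DELETE FROM cardholders WHERE id = ?", (cid,))
            conn.execute("INSERT INTO retention_log VALUES (?, ?, ?)",
                         (today.isoformat(), cid, n))
    return due


def remaining_ids(conn: sqlite3.Connection) -> list[int]:
    return [r[0] for r in conn.execute("SELECT id FROM cardholders ORDER BY id")]


def run_demo(today: date = date(2018, 5, 25)) -> dict:
    """Run the sweep on the sample data and summarise what is left."""
    conn = open_demo_db()
    purged = purge_expired(conn, today)
    events_left = conn.execute("SELECT COUNT(*) FROM access_events").fetchone()[0]
    logged = conn.execute("SELECT SUM(events_deleted) FROM retention_log").fetchone()[0]
    return {"purged": purged, "remaining": remaining_ids(conn),
            "events_left": events_left, "events_logged": logged}


if __name__ == "__main__":
    print(run_demo())
```

Run as a scheduled job, the sweep is what turns the written policy into a process: the leave date and the legal-hold flag are the only inputs, so the exceptions the policy allows have to be recorded in the database rather than in someone's head, and the retention log can be shown to an auditor without itself becoming another store of personal data. A role-based retention period would replace the single constant with a lookup per cardholder role.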
If you have a legal team, enlist their help: the GDPR text is long and complicated, and reading through it unaided can be tedious and may confuse you further. The GDPR was not written with security systems in mind, so legal assistance will be beneficial in ensuring compliance. Also get in touch with your security provider to see whether they can assist in your preparation for GDPR.
Antron Security are a leading provider of Security Systems and we are ready to assist our clients in ensuring GDPR compliance where their security systems are concerned. For more information call us on +44 (0)1923 855 006 or email firstname.lastname@example.org.