How Do Privacy Issues And GDPR Impact Physical Security Systems?

GDPR will have a profound impact on how security systems are designed and managed. Significant investments have been made in developing sophisticated analytics capable of capturing an individual’s activity, identifying them, and linking them to different forms of data and transactions. GDPR specifically restricts the capture and use of EU residents’ personal data and is in direct conflict with the adoption of artificial intelligence (AI) platforms to track individual activities. The challenge for manufacturers will be to design solutions capable of capturing valuable information for security or business intelligence purposes while simultaneously anonymizing retained data. The use of intelligent masking, customizable retention, and data encryption and protection will become the standards moving forward. Failing to comply with these standards can lead to significant fines for the companies collecting the data, and we fully expect to see more end users putting the burden on manufacturers to prove that their systems comply.

Legislation such as the European Union's General Data Protection Regulation (GDPR) plays a bigger role in the operation and management of physical security systems than one may immediately recognize. These regulations exist to protect the personal data and privacy of citizens and customers, which becomes relevant in the physical security industry for organisations that store footage from the use of video surveillance or event management systems for private or public monitoring. The GDPR focuses heavily on enforcing proper reporting and mitigation techniques in the event of a cyber-attack or breach, emphasizing the importance of manufacturer responsibility and convergence between physical and IT security teams to cohesively ensure regulation compliance. While it will be primarily global companies affected by the GDPR, U.S. companies must also pay attention to how it impacts their business and can learn from and apply best practices to increase overall security.

This is a potentially complex situation. With an Access Control system there could be a request to supply data held on an individual, but to ensure the privacy of others it may be necessary to anonymize any data on connected third parties. For example, under GDPR regulations, any person whose image is recorded on CCTV has a right to seek and be supplied with a copy of their own personal data from the footage. However, the identity of any other individuals in that footage needs to be protected when it is shared. Investing in technologies that can automate privacy protection (such as using video redaction capabilities to blur out other people’s faces) could help companies to comply with the new GDPR regulations, painlessly and efficiently. This ability would transform data to a lower risk category, allowing operators to see what is happening in video footage without violating anyone’s privacy.

As the May 25 deadline for GDPR compliance quickly approaches, operators must be proactive in addressing how to improve visibility and control over the large pools of data that are collected with video surveillance, access control and other physical security systems. Owners of on-premise systems will be responsible for GDPR compliance and required to have transparent measures in place that hold them accountable for how data is accessed, used and maintained. Evaluating current systems and engaging with integrators is crucial to better understand what updates are required and how collected data must be reported per the new guidelines. Physical security can help prevent unauthorized access to data, but it’s essential that organizations have the appropriate technical and organizational measures in place to comply fully.

Physical security systems, such as video surveillance systems, gather video data in order to protect people and assets. Many organizations today hold onto that data for a set amount of time to use as forensic evidence or to comply with rules that govern a specific industry, like in casinos and gaming. “Data Controllers,” as they are called in GDPR regulations, are users of security systems who would be ultimately responsible for meeting the strict privacy and regulatory requirements such as the use of that video without consent, the location where the video is stored and the measures in place to protect the video. If “Data Subjects” (people in the video) are clearly identifiable, then the requirements for maintaining their privacy are very stringent. While the protection of data is mainly the responsibility of end users, manufacturers, especially cloud service providers, will also be on the hook for complying with regulations.

While GDPR is being implemented in the EU, U.S.-based companies can also learn a lot from the regulations being enforced in the realm of data privacy. Additionally, it is critically important for U.S. companies to be able to adhere to the rules guiding how data is collected and shared about EU citizens. When a company implements a physical security system such as access control, a lot of personal information is collected and analyzed for various purposes. While the majority of the data being shared is controlled by the company using the system, there are some elements that can come back to the integrator or even the manufacturer, like in the case of the organization implementing a managed cloud-based solution. Therefore, manufacturers need to be mindful of their product's capabilities and make it easy and streamlined for end-user companies to adhere to the data sharing and privacy regulations in place.

Privacy regulations (such as GDPR) are examples of how physical security systems and the data residing in them are subject to a growing number of business-critical compliance and audit standards. For both video surveillance and access control, a major aspect of GDPR is being able to continuously document system operation and be able to secure it from cyber-breaches. To achieve this requires consistent management processes, and automation to support and document those processes. Whether it’s GDPR or any other standard, the day is fast approaching where operators of physical security systems must be able to demonstrate system-wide control over their operations while utilizing automated service assurance solutions to ensure failures are quickly detected and their fixes are documented. Taking a system-level instead of a device-level approach to managing physical security is one of the positive directives GDPR is sending the industry.

The physical security market has undergone a lot of changes in recent years, driven by changes in IT technology, and cybersecurity is a commonly used term. In many cases, the CCTV system is installed and then promptly forgotten about – passwords are rarely changed, and overall security of the system is often taken for granted (how many times is the NVR kept in a broom cupboard?) Legislation such as the GDPR shines an uncomfortable light on these systems. Questions asked in IT circles such as “What type of encryption do you use?” and “What is your password policy?” often fall on deaf ears with end users when it comes to physical security. This means manufacturers must bear the responsibility of providing appropriately secure products - that includes encryption! Integrators, installers and manufacturers must educate end users what to look for in an updated data protection world.

No element of security can stand alone. Security, even “just” physical security systems, have many dimensions that must be considered in the modern-day business climate. Products, their implementation and ongoing management need to not only help secure facilities and personnel but also be secure themselves. Regulations such as GDPR have added a new world of consequences to this evolving topic. While the GDPR requirements are new, they only build on already existing issues such as data integrity, continuity of service and business reputational risks. Taken together, the considerations for successful installations and ongoing administration have become more comprehensive and necessary. System dependency management has never been more important and the opportunities for skilled system integrators never better.